Menu
Browse

Cyber Threat Actor: BlackCat

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
96 incidents
Profile

BlackCat, also known as ALPHV and Noberus, is a ransomware‑as‑a‑service operation that has been observed since 2021 and is believed to be based in Russia. The group operates under a RaaS model in which affiliates receive a percentage of the ransom payment, typically ranging from 80 % to 90 % of the total amount extracted from victims. Its malware is written in the Rust programming language, a choice that helps it evade some traditional security solutions, and the gang has publicly claimed responsibility for attacks by posting victim data on its dark‑web leak site and threatening to release the information unless a ransom is paid. BlackCat has been linked to earlier ransomware families such as DarkSide and BlackMatter, with researchers noting a continuity of tactics and infrastructure between these operations.

The actors have demonstrated a pattern of double extortion, encrypting systems while also exfiltrating data to leverage the threat of public disclosure. Initial access has been achieved through sophisticated phishing campaigns, exploitation of vulnerabilities such as Citrix Bleed, and the use of compromised credentials obtained via credential‑stealing tools. Once inside a network, the ransomware encrypts files and the group often publishes proof of the breach, including screenshots of internal documents, to increase pressure on the target. In several cases BlackCat has gone beyond traditional ransom demands by filing complaints with the U.S. Securities and Exchange Commission alleging that victims failed to disclose material cybersecurity incidents, thereby attempting to regulatory pressure as an additional extortion tactic. The group’s leak site has hosted data from a wide range of sectors, including financial services, healthcare, government agencies, educational institutions, energy providers, and manufacturing firms, indicating a broad targeting scope that is not limited to a single industry or region.

Representative publicly reported operations illustrate the group’s impact: a ransomware attack that disrupted the operations of a major financial services provider, leading to a full network shutdown and the involvement of law enforcement; an incident at a regional hospital that forced staff to revert to paper records and raised concerns about patient safety; a breach at a software company where the gang claimed theft of data without encryption and subsequently filed an SEC complaint; an attack on a pipeline operator that resulted in the alleged theft of 183 GB of documents and the leak of employee contact information; and a compromise of a university’s IT systems that prompted campus closures and the posting of employee records on the leak site. These examples show that BlackCat’s activities cause operational disruption, data exposure, and financial extortion across multiple critical sectors, reflecting the group’s established modus operandi of combining encryption with data‑leak threats to maximize pressure on victims.

Incidents
Attributed incidents available to members
95 incidents
Sources
Sources available to members
52 sources