Alphv

Threat Actor updated 7 days ago (2024-09-05T23:17:52.155Z)
Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital operations but also put patient privacy and security at risk. The group's activities have caused serious concerns in the cybersecurity community, leading to increased efforts to track and mitigate their actions.

The Alphv group has shown a connection to another infamous threat actor, BlackCat. Evidence of BlackCat's code was found in Alphv's payloads used in various attacks, suggesting a possible link between the two groups. However, it's more likely that a former BlackCat affiliate or developer brought the code with them to Alphv rather than a complete rebranding of BlackCat to Alphv. Furthermore, there are rumors that BlackCat's ransomware is being sold on the Dark Web, although this information has yet to be confirmed.

In response to these threats, law enforcement agencies, notably the FBI, have taken action against Alphv. Their ransomware site has been seized by the FBI, disrupting their operations and marking a significant step in combating their activities. Despite these successes, the cybersecurity community remains vigilant as new threat actors emerge and existing ones evolve. The fight against ransomware continues to be a priority in ensuring the security and integrity of digital systems worldwide.
Description last updated: 2024-09-05T23:15:58.394Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry below gives the profile name, the number of votes for the overlap, and the profile description as shown in the dataset (descriptions are truncated in the source).

Blackmatter (8 votes)
BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention

DarkSide (7 votes)
DarkSide is a threat actor known for its malicious activities, particularly in the realm of ransomware. This group was notably responsible for the major attack on the U.S. energy sector that targeted Colonial Pipeline Co. on May 7, 2021, using a ransomware-as-a-service operation. The DarkSide ransom

Blackcat Ransomware Group (7 votes)
The BlackCat ransomware group, also known as Black Cat, is a notorious Ransomware-as-a-Service organization that has been active since November 2021. The group has targeted the computer networks of over 1,000 victims worldwide, launching malicious campaigns to exploit and damage systems. In one nota

NoEscape (6 votes)
NoEscape is a form of malware, specifically ransomware, known for infiltrating victim networks and collaborating with other ransomware affiliates like Ransomhouse and ALPHV (also known as BlackCat). These groups work together to gain access to victim networks, lock them down, and strategize on how t

Sphynx (5 votes)
Sphynx, a new variant of the BlackCat ransomware, was announced and launched by ALPHV Blackcat administrators in February 2023. This update, named ALPHV BlackCat Ransomware 2.0 Sphynx, was rewritten to provide additional features to affiliates, including improved defense evasion capabilities and add

Noberus (5 votes)
Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr

Trigona (5 votes)
Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope

FIN8 (4 votes)
FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.

Black Cat (3 votes)
Black Cat, also known as AlphV, is a prominent threat actor known for its malicious activities in the cybersecurity landscape. The group gained significant attention when it launched an attack on Change Healthcare, a subsidiary of Optum and UnitedHealth Group (UHG), in late February. This ransomware

BlackCat (3 votes)
BlackCat, also known as Alphv, is a Russian-based ransomware-as-a-service group that has recently targeted organizations in the healthcare and academic sectors. Lehigh Valley Health Network (LVHN), which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania, repo

Blacksuit (3 votes)
BlackSuit is a highly potent and malicious ransomware that emerged as an evolution of the previously identified Royal ransomware, which was active from September 2022 through June 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued joint alerts indicating t

Lockbit Black (2 votes)
LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Ransom
RaaS
Extortion
Esxi
Windows
Encryption
Linux
Vulnerability
Data Leak
Encrypt
Fbi
Healthcare
Scam
Cybercrime
Exploit
Payload
Phishing
Sec
Meridianlink
Exploits
MGM
Reddit
Backdoor
Mandiant
Bitcoin
Health
Microsoft
Esxiargs
Source
Unitedhealth
Ncr
Rust
Vmware
LOTL
Ransomware P...
netscaler
Malwarebytes
Cybercrimes
Moveit
T1557
Reconnaissance
Tool
Botnet
University
Zero Day
Breachforums
Rapid7
Crowdstrike
CISA
Sophos
Malvertising
Antivirus
Australian
Hospitals
Lateral Move...
Denial of Se...
Twitter
Okta
Azure
Locker
Macos
Associated Malware
Each entry gives the malware name, the relationship type recorded in the dataset, the number of votes, and the profile description (truncated in the source).

Lockbit (relationship: is related to; 18 votes)
LockBit is a prominent malware that has been causing havoc in the cyber world. It is a ransomware, a type of malicious software designed to exploit and damage systems, often infiltrating through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operat

Akira (relationship: Unspecified; 8 votes)
Akira is a malicious software known for its persistent and damaging attacks on various systems. This ransomware has been active since at least 2023, as reported by Sophos, and it operates by infiltrating systems often through suspicious downloads, emails, or websites, encrypting data, and demanding

Conti (relationship: Is from; 8 votes)
Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

REvil (relationship: is related to; 7 votes)
REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s

Blackbasta (relationship: Unspecified; 7 votes)
BlackBasta is a notorious malware entity known for its malicious software attacks, often in the form of ransomware. The group has been linked to various forms of malware, including IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. BlackBasta's operations have been significant

Black Basta (relationship: Unspecified; 5 votes)
Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

Ragnar Locker (relationship: Unspecified; 4 votes)
Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for rans

AvosLocker (relationship: Unspecified; 4 votes)
AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info

Sardonic (relationship: Unspecified; 3 votes)
Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person

Royal Ransomware (relationship: Unspecified; 3 votes)
The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious

QakBot (relationship: Unspecified; 3 votes)
Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw

Nokoyawa (relationship: Unspecified; 3 votes)
Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri

Ryuk (relationship: Unspecified; 3 votes)
Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves

Conti, Lockbit (relationship: Unspecified; 3 votes)
None

Emotet (relationship: Unspecified; 3 votes)
Emotet is a highly dangerous and insidious type of malware that has been active, particularly during recent summers. It is distributed primarily through documents attached to emails, using conversations found in compromised accounts. Once an unsuspecting user clicks either the enable button or an im

Cactus (relationship: is related to; 3 votes)
Cactus is a malicious software (malware) that infiltrates systems to exploit and damage them. This malware, often delivered through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or hold data hostage for ransom. Cactus has been used in several high-pro

Babuk (relationship: Unspecified; 2 votes)
Babuk is a type of malware, specifically ransomware, that infiltrates systems to encrypt files and hold them for ransom. This malicious software can infect your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations by enc

Brute Ratel (relationship: Unspecified; 2 votes)
Brute Ratel is a malicious software (malware) that has been increasingly used by cyber threat actors to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can s

Ghost (relationship: Unspecified; 2 votes)
"Ghost" is a potent malware that has been plaguing the digital world. In 2020, the first signs of its impending threat emerged with the planning of a large bilateral CDU/MDANG Ex Cyber Ghost operation. However, it wasn't until Check Point Research (CPR) identified a network of GitHub accounts, dubbe

Phobos (relationship: Unspecified; 2 votes)
Phobos is a type of malware, specifically ransomware, that infiltrates computer systems with the intent to disrupt operations, steal personal information, or hold data hostage for ransom. The malicious software can infect devices through suspicious downloads, emails, or websites, often without the u

Egregor (relationship: Unspecified; 2 votes)
Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab

Maze (relationship: Unspecified; 2 votes)
Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Associated Threat Actors
Each entry gives the threat actor name, the relationship type recorded in the dataset, the number of votes, and the profile description (truncated in the source).

Alphv Group (relationship: Unspecified; 9 votes)
The Alphv group, a recognized threat actor in the cybersecurity landscape, has been involved in numerous malicious activities. Notably, they claimed responsibility for the hacking of Clarion, a global manufacturer of audio and video equipment for cars. This particular incident highlighted their capa

Ransomhub (relationship: Unspecified; 9 votes)
RansomHub, a threat actor group, has emerged as a significant cyber threat since its inception in February. The group employs a double-extortion strategy, which involves both encrypting IT systems and exfiltrating data to extort victims. RansomHub is known for its unique approach to ransom demands,

Zeon (relationship: is related to; 7 votes)
Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B

Alphv Ransomware Group (relationship: Unspecified; 7 votes)
The ALPHV ransomware group, also known as BlackCat, is a significant cybersecurity threat that has been involved in several high-profile attacks. This threat actor, believed to be linked to Russian organized crime, has claimed responsibility for various cyberattacks, including the MGM Resorts breach

Scattered Spider (relationship: is related to; 7 votes)
Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic

Vice Society (relationship: Unspecified; 6 votes)
Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu

Medusa (relationship: Unspecified; 5 votes)
Medusa, a malicious threat actor known for its ransomware attacks, has been increasingly active and dangerous. This group was responsible for a significant rise in data leaks and multi-extortion activities throughout 2023. Medusa, along with other ransomware groups like LockBit and ALPHV (BlackCat),

FIN7 (relationship: Unspecified; 4 votes)
FIN7, also known as Carbanak, is a Russian cybercrime group that has been active since mid-2015. The group primarily targets the restaurant, gambling, and hospitality industries in the U.S. to extract financial information for use in attacks or sale on cybercrime marketplaces. Recently, FIN7 has exp

UNC3944 (relationship: Unspecified; 4 votes)
UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has been increasingly active in recent years. The group initially targeted telecommunication firms and tech companies but has now expanded its operations to include the hospitality, retail, media,

Octo Tempest (relationship: Unspecified; 4 votes)
Octo Tempest, a known threat actor in the cybersecurity landscape, has recently added RansomHub and Qilin ransomware to its arsenal of cyber weapons. This expansion of their capabilities marks a significant escalation in their potential for harm and demonstrates a clear evolution towards more sophis

Bianlian (relationship: Unspecified; 3 votes)
BianLian is a significant threat actor within the cybersecurity landscape, known for its malicious activities and cyber-attacks. The group has been particularly active in exploiting bugs in JetBrains TeamCity, a popular continuous integration and deployment system used by software development teams.

Hive Ransomware (relationship: Unspecified; 3 votes)
Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January

Rhysida (relationship: Unspecified; 2 votes)
Rhysida, a threat actor active since May 2023, is responsible for a series of ransomware attacks, with a significant focus on the healthcare sector. It accounts for 8% of total cyberattacks, with 38% of its attacks targeting healthcare institutions. The group's modus operandi includes transferring R

Fox Kitten (relationship: Unspecified; 2 votes)
Fox Kitten, an Iranian-based cyber espionage group active since 2017, has been identified as a significant threat actor in the cybersecurity landscape. The group primarily gains initial access through VPN devices from Citrix, Fortinet, Palo Alto Networks, and Pulse Secure. Despite being backed by Ir

Cicada3301 (relationship: Unspecified; 2 votes)
Cicada3301 is a threat actor known for its malicious activities, most notably the distribution of Cicada3301 ransomware. This ransomware is being propagated by Repellent Scorpius, a newly emerged threat group that operates as a Ransomware-as-a-Service (RaaS) entity. The group's connection to a histo

LockBitSupp (relationship: Unspecified; 2 votes)
LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a threat actor who has been identified as the creator and operator of one of the most prolific ransomware variants known as LockBit. Based in Voronezh, Russia, Khoroshev allegedly began developing LockBit as early as September 2019 and contin

Darkbit (relationship: Unspecified; 2 votes)
DarkBit is a notable threat actor in the cybersecurity landscape, believed to be sponsored by the Iranian government. The group first gained significant attention following a ransomware and extortion attack on Technion, a leading research university in Israel, in February 2023. During this attack, a

Qilin (relationship: Unspecified; 2 votes)
The Qilin ransomware group, a malicious threat actor in the cybersecurity landscape, has been active since at least 2022 and gained significant attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group was later associated with Octo Tempest, which ad

Sodinokibi (relationship: Unspecified; 2 votes)
Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st

8base (relationship: Unspecified; 2 votes)
8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o

Muddled Libra (relationship: Unspecified; 2 votes)
Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t

Shadowsyndicate (relationship: Unspecified; 2 votes)
ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO
Associated Vulnerabilities
Each entry gives the vulnerability name, the relationship type recorded in the dataset, the number of votes, and the profile description (truncated in the source).

Citrix Bleed (relationship: Targets; 4 votes)
Citrix Bleed, officially tracked as CVE-2023-4966, is a severe vulnerability in the design and implementation of Citrix Netscaler Gateway and Netscaler ADC products. This flaw, which has a CVSS score of 9.4, allows for sensitive information disclosure, providing deep system-level access that facilit

CVE-2023-4966 (relationship: Unspecified; 2 votes)
CVE-2023-4966, also known as "Citrix Bleed," is a critical zero-day vulnerability affecting Citrix Netscaler Gateway and Netscaler ADC products. This sensitive information disclosure vulnerability enables threat actors to bypass multifactor authentication using stolen session tokens, making it parti

Unc3944 Scattered Spider (relationship: Unspecified; 2 votes)
None
Source Document References
Information about the Alphv Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Each entry gives the source, the time the document was created relative to the page's last update, and the document title.

ESET (a day ago): CosmicBeetle steps up: Probation period at RansomHub
DARKReading (a day ago): How Law Enforcement's Ransomware Strategies Are Evolving
Unit42 (2 days ago): Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Contagio (5 days ago): 2024-08-30 Cicada ESXi Ransomware Sample
BankInfoSecurity (7 days ago): RansomHub Claims Theft of Montana Planned Parenthood Data
BankInfoSecurity (9 days ago): Halliburton Says Hackers Stole Data
DARKReading (9 days ago): BlackCat Spin-off 'Cicada3301' Uses Stolen Creds on the Fly, Skirts EDR
InfoSecurity-magazine (9 days ago): Active Ransomware Groups Surge by 56% in 2024
InfoSecurity-magazine (10 days ago): Cicada3301 Ransomware Group Emerges From the Ashes of ALPHV
Securityaffairs (10 days ago): A new variant of Cicada ransomware targets VMware ESXi systems
BankInfoSecurity (13 days ago): RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat
CISA (13 days ago): CISA and Partners Release Advisory on RansomHub Ransomware | CISA
DARKReading (14 days ago): Iran's 'Fox Kitten' Group Aids Ransomware Attacks on US Targets
DARKReading (14 days ago): Cyber Insurance: A Few Security Technologies, a Big Difference in Premiums
CISA (14 days ago): #StopRansomware: RansomHub Ransomware | CISA
BankInfoSecurity (14 days ago): Florida Department of Health Informs RansomHub Hack Victims
InfoSecurity-magazine (14 days ago): Iranian Hackers Secretly Aid Ransomware Attacks on US
CISA (15 days ago): Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | CISA
BankInfoSecurity (16 days ago): McLaren Health: IT Operations Fully Back Online Post-Attack
BankInfoSecurity (22 days ago): Ransomware Again on Track to Achieve Record-Breaking Profits