Alphv

Threat Actor updated 15 hours ago (2024-11-20T18:17:46.501Z)
Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB of data from Morrison Community Hospital, causing serious disruptions and compromising patient data. The group's activities have escalated to the point where US officials issued an alert warning of Alphv's increased focus on the healthcare sector, seemingly in retaliation for FBI actions against their infrastructure.

The operations of Alphv demonstrate a shift in tactics among ransomware-as-a-service operators. Following law enforcement disruptions, such as the August 2023 disruption of the Qakbot botnet, ransomware affiliates like Alphv/BlackCat and others have pivoted towards exploiting vulnerabilities as their primary method of delivering malware. Intelligence suggests that Alphv shares infrastructure and malware services with other groups like Lunar Spider and Wizard Spider, indicating a level of cooperation and shared resources among these threat actors.

However, it appears that law enforcement actions have started to impact Alphv's operations. The FBI successfully seized the group's ransomware site, and there are indications that some victims, such as UnitedHealth Group, may have paid the ransom demands, leading to the removal of their data theft claims by Alphv. Despite these setbacks, Alphv continues to pose a serious threat, with Change Healthcare confirming they were targeted by the group. It is also worth noting that Alphv, under the alias BlackCat, was implicated in an exit scam, blaming the "feds" for their shutdown. This highlights the ongoing challenge posed by such threat actors, who can rebrand, regroup, and continue their malicious activities.
Description last updated: 2024-11-15T16:06:49.252Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Votes | Description
Blackcat Ransomware Group | 8 | The BlackCat ransomware group, also known as Black Cat, has been active since November 2021. As a Ransomware-as-a-Service entity, it has targeted the computer networks of over 1,000 victims worldwide, with the FBI Miami leading the investigation into their activities. The group is notorious for its…
Blackmatter | 8 | BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve…
DarkSide | 7 | DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across…
NoEscape | 6 | NoEscape is a malicious software, or malware, known for its ransomware capabilities. It infiltrates systems often undetected via suspicious downloads, emails, or websites, causing significant harm by stealing personal data, disrupting operations, and holding data hostage for ransom. In October 2023,…
Noberus | 5 | Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr…
Trigona | 5 | Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope…
Sphynx | 5 | Sphynx, a new variant of the BlackCat ransomware, was announced and launched by ALPHV Blackcat administrators in February 2023. This update, named ALPHV BlackCat Ransomware 2.0 Sphynx, was rewritten to provide additional features to affiliates, including improved defense evasion capabilities and add…
FIN8 | 4 | FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
Cicada3301 | 4 | Cicada3301, named after an online cryptography game, is a new threat actor in the cybersecurity landscape. This entity is responsible for distributing a ransomware variant also known as Cicada3301. The group primarily targets VMware ESXi environments with the intention of shutting down virtual machi…
Black Cat | 3 | Black Cat, also known as AlphV, is a threat actor recognized for its malicious cyber activities. The group has been responsible for several high-profile attacks, including one on Change Healthcare, a subsidiary of Optum and UnitedHealth Group (UHG), in late February. Following the attack, Black Cat…
BlackCat | 3 | BlackCat, also known as Alphv, is a Russian-based ransomware-as-a-service group that has recently targeted organizations in the healthcare and academic sectors. Lehigh Valley Health Network (LVHN), which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania, repo…
Blacksuit | 3 | BlackSuit is a malicious software (malware) that has been causing significant harm in the digital world. It infiltrates systems through dubious downloads, emails, or websites, and once inside, it can steal personal data, disrupt operations, or hold data hostage for ransom. BlackSuit malware, which i…
Lockbit Black | 2 | LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Malware, Ransom, RaaS, Extortion, Encryption, Esxi, Windows, Linux, Vulnerability, Data Leak, Encrypt, Scam, Fbi, Healthcare, Cybercrime, Phishing, Exploits, Reddit, Sec, MGM, Meridianlink, Payload, Exploit, Locker, Backdoor, Mandiant, Bitcoin, Health, Ransomware P..., Source, Unitedhealth, Esxiargs, Rust, Ncr, Microsoft, Cybercrimes, Malwarebytes, T1557, Reconnaissance, Tool, Moveit, Botnet, University, Zero Day, Breachforums, Rapid7, Crowdstrike, CISA, Sophos, Australian, Malvertising, Lateral Move..., Antivirus, Hospitals, Twitter, Okta, Azure, Denial of Se..., Macos, Vmware, LOTL, netscaler
Associated Malware
Malware | Association type | Votes | Description
Lockbit | is related to | 19 | LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit…
Conti | is from | 8 | Conti is a type of malware, specifically ransomware, that was designed to infiltrate computer systems, disrupt operations, and potentially hold data hostage for ransom. It has been linked to various ransomware groups such as Quantum, MountLocker, and the notorious Conti ransomware gang. The software…
Akira | Unspecified | 8 | Akira, first detected in 2023, is a persistent and damaging form of malware that has been involved in numerous high-profile cyber-attacks. The Akira ransomware gang has claimed responsibility for the theft of sensitive data from Nissan Australia, demonstrating the scale and severity of its operation…
Blackbasta | Unspecified | 7 | BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation…
REvil | related to | 7 | REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. This…
Black Basta | Unspecified | 5 | Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses…
AvosLocker | Unspecified | 4 | AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info…
Ragnar Locker | Unspecified | 4 | Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for rans…
Emotet | Unspecified | 3 | Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,…
Royal Ransomware | Unspecified | 3 | The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious…
Cactus | is related to | 3 | Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus…
Conti, Lockbit | Unspecified | 3 | (no description)
Sardonic | Unspecified | 3 | Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person…
Ryuk | Unspecified | 3 | Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves…
QakBot | Unspecified | 3 | Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d…
Nokoyawa | Unspecified | 3 | Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri…
Brute Ratel | Unspecified | 2 | Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. Vari…
Ghost | Unspecified | 2 | "Ghost" refers to a type of malware that was distributed through a network of GitHub accounts, known as the Stargazers Ghost Network. This malicious software was identified by Check Point Research and was spread via phishing repositories. The malware was designed to exploit and damage computer syste…
Ransomhouse | Unspecified | 2 | RansomHouse is a malicious software (malware) that has been active since 2021 and describes itself as a "professional mediators community" targeting organizations with lax attitudes towards customer data privacy and security. The malware infects systems through suspicious downloads, emails, or websi…
Cyclops | Unspecified | 2 | Cyclops, also known as Knight and later rebranded as RansomHub, is a malware that emerged in the threat landscape in May 2023. This malicious software, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites and can steal personal informatio…
Egregor | Unspecified | 2 | Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also pu…
Maze | Unspecified | 2 | Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release…
Phobos | Unspecified | 2 | Phobos is a type of malware, specifically ransomware, that has been causing significant cybersecurity concerns. Ransomware is a malicious software that infects systems, often without the user's knowledge, via suspicious downloads, emails, or websites. Once inside, it can disrupt operations and hold…
Babuk | Unspecified | 2 | Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio…
Associated Threat Actors
Threat actor | Association type | Votes | Description
Ransomhub | Unspecified | 10 | RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai…
Alphv Group | Unspecified | 9 | The Alphv group, a recognized threat actor in the cybersecurity landscape, has been involved in numerous malicious activities. Notably, they claimed responsibility for the hacking of Clarion, a global manufacturer of audio and video equipment for cars. This particular incident highlighted their capa…
Alphv Ransomware Group | Unspecified | 7 | The ALPHV ransomware group, also known as BlackCat, is a significant cybersecurity threat that has been involved in several high-profile attacks. This threat actor, believed to be linked to Russian organized crime, has claimed responsibility for various cyberattacks, including the MGM Resorts breach…
Zeon | is related to | 7 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B…
Scattered Spider | is related to | 7 | Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-prem…
Vice Society | Unspecified | 6 | Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe…
Rhysida | Unspecified | 5 | Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc…
Medusa | Unspecified | 5 | Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou…
FIN7 | Unspecified | 4 | FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global…
UNC3944 | Unspecified | 4 | UNC3944, also known as Scattered Spider and Oktapus, is a financially motivated threat actor group that has been expanding its target sectors. Initially focusing on telecommunication firms and tech companies, the group has broadened its attacks to hospitality, retail, media, and financial services.…
Octo Tempest | Unspecified | 4 | Octo Tempest, also known as Scattered Spider, is a prominent threat actor in the cybersecurity landscape. This group has rapidly gained notoriety in the ransomware domain by incorporating RansomHub and Qilin ransomware into its arsenal, significantly enhancing its ability to compromise systems and n…
Qilin | Unspecified | 3 | Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to…
Bianlian | Unspecified | 3 | BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breache…
Hive Ransomware | Unspecified | 3 | Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, e…
Shadowsyndicate | Unspecified | 2 | ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO…
Fox Kitten | Unspecified | 2 | Fox Kitten, an Iran-based cyber espionage group active since at least 2017, has been a significant threat actor in the cybersecurity landscape. This group primarily targets VPN devices from Citrix, Fortinet, Palo Alto Networks, and Pulse Secure for initial access into networks. The FBI identified Fo…
LockBitSupp | Unspecified | 2 | LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," i…
Darkbit | Unspecified | 2 | DarkBit is a notable threat actor in the cybersecurity landscape, believed to be sponsored by the Iranian government. The group first gained significant attention following a ransomware and extortion attack on Technion, a leading research university in Israel, in February 2023. During this attack, a…
Sodinokibi | Unspecified | 2 | Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted…
8base | Unspecified | 2 | 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o…
Muddled Libra | Unspecified | 2 | Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align close…
Associated Vulnerabilities
Vulnerability | Association type | Votes | Description
Citrix Bleed | Targets | 4 | Citrix Bleed (CVE-2023-4966) is a severe software vulnerability, with a CVSS score of 9.4, identified in Citrix Netscaler Gateway and Netscaler ADC products. This flaw allows unauthorized disclosure of sensitive information, enabling attackers to gain remote access to organizations that rely on Citr…
CVE-2023-4966 | Unspecified | 2 | CVE-2023-4966, also known as Citrix Bleed, is a significant software vulnerability discovered in the Citrix NetScaler ADC and Gateway products. The flaw, characterized as a sensitive information disclosure vulnerability, poses a serious threat due to its high CVSS score of 9.4. This vulnerability wa…
Unc3944 Scattered Spider | Unspecified | 2 | (no description)
Source Document References
Information about the Alphv Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
CERT-EU | 9 months ago
CERT-EU | 8 months ago
Contagio | 6 days ago
Unit42 | 14 days ago
BankInfoSecurity | 17 days ago
BankInfoSecurity | 19 days ago
Krebs on Security | 22 days ago
Checkpoint | 23 days ago
ESET | 23 days ago
DARKReading | 23 days ago
BankInfoSecurity | a month ago
BankInfoSecurity | a month ago
InfoSecurity-magazine | a month ago
InfoSecurity-magazine | a month ago
Bitdefender | a month ago
BankInfoSecurity | 2 months ago
DARKReading | 2 months ago
BankInfoSecurity | 2 months ago
BankInfoSecurity | 2 months ago
BankInfoSecurity | 2 months ago