Alphv

Threat Actor Profile Updated 3 days ago
AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV was responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clarion, a global manufacturer of audio and video equipment for cars, and Morrison Community Hospital, from which it stole 5TB of data. It also targeted McLaren Health Care, pilfering data on approximately 2.5 million patients, and the hotel chain Motel One. According to a January report by security firm Rapid7, updated in April, AlphV/BlackCat was among the five most active ransomware groups across all sectors in 2023. Despite the FBI's claim to have dismantled the AlphV/BlackCat ransomware operation, the group has denied these assertions. The US government has offered a reward of up to $10M for information on the gang's leaders, indicating the severity of the threat the group poses. Furthermore, there are indications that AlphV may be linked to the macOS backdoor RustDoor, suggesting its operations might extend beyond Windows-based systems. The FBI, CISA, and HHS have issued warnings about targeted AlphV/BlackCat ransomware attacks against the healthcare sector, highlighting the group's ongoing activity and the threat it poses. In the broader ransomware landscape, AlphV/BlackCat held second place in leak site posts in 2023, accounting for roughly 9.7% of total posts. Meanwhile, other ransomware groups such as LockBit have begun poaching AlphV affiliates, potentially indicating shifts within the ransomware ecosystem. Despite the seizure of the AlphV ransomware site by the FBI, the group appears to remain a substantial threat within the global cybersecurity landscape.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Hive | 12 | Hive is a malicious software, or malware, known for its disruptive capabilities and widespread damage. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Blackmatter | 8 | BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased
DarkSide | 7 | DarkSide is a notorious threat actor that has been associated with significant cyber attacks, most notably the ransomware attack on the US Colonial Pipeline in 2021. This group was known for its adoption of the ransomware-as-a-service (RaaS) model and had reportedly netted over $90 million in Bitcoi
Blackcat Ransomware Group | 7 | The BlackCat ransomware group, also known as ALPHV, is a Ransomware-as-a-Service group that has been active since November 2021. The group utilizes malware to exploit and damage computer systems, often encrypting data and demanding a ransom for its restoration. They have targeted the computer networ
Sphynx | 5 | Sphynx, a new variant of the BlackCat ransomware, was announced and launched by ALPHV Blackcat administrators in February 2023. This update, named ALPHV BlackCat Ransomware 2.0 Sphynx, was rewritten to provide additional features to affiliates, including improved defense evasion capabilities and add
Noberus | 5 | Noberus, also known as ALPHV or BlackCat, is a Russia-based threat actor group that primarily operates a ransomware-as-a-service (RaaS) model. It first appeared in November 2021 and has since been responsible for a significant portion of ransomware attacks worldwide. The group has been particularly
NoEscape | 4 | NoEscape is a malicious software that emerged as a rebrand of 'Avaddon,' known for its successful multi-extortion tactics. In October 2023, the French basketball team ASVEL fell victim to a data breach orchestrated by the NoEscape ransomware gang. This incident was part of a broader trend in the las
FIN8 | 4 | FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
BlackCat | 3 | BlackCat, also known as Alphv, is a Russian-based ransomware-as-a-service group that has recently targeted organizations in the healthcare and academic sectors. Lehigh Valley Health Network (LVHN), which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania, repo
Black Cat | 3 | Black Cat, also known as AlphV, is a notable threat actor that has been involved in several high-profile cyberattacks. Known for their ruthless tactics, they have been a significant player in the cybersecurity landscape, particularly with their double-extortion Ransomware-as-a-Service (RaaS) operati
Blacksuit | 3 | BlackSuit is a dangerous malware that has been causing significant disruption in the U.S., particularly within the healthcare sector. It is believed to be a rebranding of the Royal ransomware gang, itself a descendant of the Russian Conti gang. Notably, BlackSuit appears to be perpetrating its extor
Lockbit Black | 2 | LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022 as the third version of the LockBit group's ransomware. The developer has consistently worked to improve this malicious software, with the previous version, LockBit 2.0 (also known as LockBit Red), being released in mi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Malware, Ransom, Extortion, RaaS, Windows, ESXi, Data Leak, Vulnerability, Linux, Encryption, Healthcare, Encrypt, FBI, Cybercrime, Scam, Reddit, Sec, MeridianLink, MGM, Phishing, Exploit, Payload, Health, Backdoor, Bitcoin, NCR, ESXiArgs, UnitedHealth, Mandiant, Rust, Microsoft, Ransomware P..., macOS, Malwarebytes, Locker, University, Denial of Se..., Hospitals, Antivirus, Malvertising, Sophos, CISA, Australian, Lateral Move..., Twitter, Okta, Azure, LOTL, NetScaler, Cybercrimes, T1557, Reconnaissance, MOVEit, Zero Day, CrowdStrike, VMware
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | is related to | 18 | LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi
Conti | is from | 8 | Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S
Akira | Unspecified | 8 | Akira is a compact C++ ransomware that has wreaked havoc across various sectors, impacting over 60 organizations globally. It is compatible with both Windows and Linux systems and is known for its minimalistic JQuery Terminal-based hidden service used for victim communication. The malware enters you
REvil | is related to | 7 | REvil, also known as Sodinokibi, is a notorious malware that gained prominence due to its harmful impact on computer systems and data. It operates under the Ransomware as a Service (RaaS) model, which saw a significant rise in popularity throughout 2020. The malware typically infects systems via sus
Blackbasta | Unspecified | 7 | BlackBasta is a notorious malware, specifically a ransomware, that has been actively exploiting and damaging computer systems since its first appearance in April 2022. The ransomware primarily used SharpDepositorCrypter as its loader throughout most of 2022, often in conjunction with other malicious
Black Basta | Unspecified | 5 | Black Basta is a malicious software (malware) known for its disruptive activities in the cyber world. This Russian-speaking ransomware-as-a-service group has been operational since early 2022, with an estimated accumulation of at least $107 million in Bitcoin ransom payments. The malware primarily i
Ragnar Locker | Unspecified | 4 | Ragnar Locker is a type of malware, specifically a ransomware, that infiltrates computer systems to exploit and damage them. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Ragnar Locker can steal personal information, d
Trigona | Unspecified | 4 | Trigona, a notable ransomware strain first identified in 2022, is a type of malicious software designed to infiltrate systems and hold data hostage for ransom. Its operations gained significant attention in 2023, as it emerged as a prominent threat in the cybersecurity landscape. Trigona had a uniqu
Sardonic | Unspecified | 3 | Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person
Royal Ransomware | Unspecified | 3 | Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal
Cactus | is related to | 3 | Cactus is a notable strain of malware that has been active since March 2023, as reported by Kroll researchers. The Cactus ransomware operation stands out for its use of encryption to protect the ransomware binary, leveraging multiple legitimate tools such as Splashtop, AnyDesk, SuperOps RMM for remo
Conti, Lockbit | Unspecified | 3 | None
QakBot | Unspecified | 3 | Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote
Ryuk | Unspecified | 3 | Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to
Emotet | Unspecified | 3 | Emotet is a notorious malware that has been active for over a decade, known for its ability to infiltrate and manipulate email accounts. It tricks individuals into downloading infected files or clicking on malicious links, thus spreading its influence. It was a major player in the malware delivery b
Egregor | Unspecified | 2 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Nokoyawa | Unspecified | 2 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Phobos | Unspecified | 2 | Phobos is a type of malware, specifically a ransomware that has been causing significant disruptions in the cyber world. The malicious software operates by infiltrating systems through suspicious downloads, emails, or websites without user awareness. Once inside, it can steal personal information, d
Maze | Unspecified | 2 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
AvosLocker | Unspecified | 2 | AvosLocker is a type of malware, specifically a ransomware variant that has been on the radar of cybersecurity experts for some time. Ransomware is a form of malicious software designed to encrypt files on a victim's computer, making them inaccessible until a ransom is paid to the attacker. AvosLock
Brute Ratel | Unspecified | 2 | Brute Ratel is a malicious software (malware) that has been utilized by cybercriminals to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Brute Ratel can steal personal in
Ghost | Unspecified | 2 | Ghost is a malicious software (malware) that infiltrates computer systems, often without the user's knowledge. It can cause significant damage by stealing personal information, disrupting operations, or holding data hostage for ransom. Ghost first came into prominence in 2020 when it was part of a l
Babuk | Unspecified | 2 | Babuk is a form of malware, specifically ransomware, that infiltrates systems often through suspicious downloads, emails, or websites. Once inside, it can cause severe disruptions, steal personal data, or even hold the system's data hostage for ransom. Various versions and variants of Babuk ransomwa
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv Group | Unspecified | 8 | The ALPHV group, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. In 2023, the group faced significant disruptions, including a concerted attack from law enforcement agencies. Despite these challenges, the group remained active and was responsible for several high-pr
Zeon | is related to | 7 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Scattered Spider | is related to | 7 | Scattered Spider is a notorious threat actor group known for its sophisticated cyberattacks, targeting organizations with the intent of data extortion and maintaining persistence on their networks. The group utilizes various tactics, including phishing to obtain login credentials and thereby gaining
Vice Society | Unspecified | 6 | Vice Society, a threat actor known for its malicious cyber activities, has been identified as a significant player in the deployment of ransomware attacks. Notably active from 2022 through May 2023, Vice Society executed multi-extortion strategies, targeting various sectors including education and h
Alphv Ransomware Group | Unspecified | 6 | The ALPHV ransomware group, also known as BlackCat, is a threat actor that has been responsible for a series of high-profile cyberattacks on various sectors. The group, which is believed to be connected to Russian organized crime, first gained notoriety when it claimed responsibility for the MGM Res
Ransomhub | Unspecified | 5 | Ransomhub, a self-proclaimed Ransomware-as-a-Service operation, first surfaced on the Russian-language dark web forum RAMP in February 2024. The group was classified as an emerging threat actor by GRIT, alongside other groups such as the established Medusa and the developing Cloak. Since its disclos
Octo Tempest | Unspecified | 4 | Octo Tempest, a financially motivated collective of native English-speaking threat actors, has emerged as a significant cybersecurity concern. Known for wide-ranging campaigns featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities, Octo Tempest has evo
Medusa | Unspecified | 4 | Medusa, a threat actor known for its ransomware activities, has been on the rise since late 2023, leveraging a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966) alongside other groups like LockBit and ALPHV (BlackCat). This vulnerability led to numerous compromises by these groups
UNC3944 | Unspecified | 4 | UNC3944, also known by various names such as Scattered Spider, 0ktapus, and STORM-0875, is a financially motivated threat actor that has been active since 2021. This group is known for its sophisticated social engineering tactics, including phishing, SIM swapping, and multi-factor authentication bom
FIN7 | Unspecified | 4 | FIN7, a well-known threat actor group, has been actively targeting large-scale industries with sophisticated cyber attacks. Notably, they have been involved in a series of phishing attacks against a major U.S. carmaker. These targeted operations reflect FIN7's persistent and evolving strategies to c
Bianlian | Unspecified | 3 | BianLian is a threat actor group known for its malicious activities in the cybersecurity landscape. Recently, they have been identified as exploiting bugs in JetBrains TeamCity in ransomware attacks. This highlights their ability to leverage vulnerabilities in widely used software to carry out sophi
Hive Ransomware | Unspecified | 3 | Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January
8base | Unspecified | 2 | 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Darkbit | Unspecified | 2 | DarkBit is a notable threat actor in the cybersecurity landscape, believed to be sponsored by the Iranian government. The group first gained significant attention following a ransomware and extortion attack on Technion, a leading research university in Israel, in February 2023. During this attack, a
Sodinokibi | Unspecified | 2 | Sodinokibi, also known as REvil, is a prominent threat actor that has been associated with numerous high-profile ransomware attacks. First identified on April 17, 2019, this group operates as a Ransomware-as-a-Service (RaaS), providing malicious software for others to deploy. The group gained signif
Shadowsyndicate | Unspecified | 2 | ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO
Muddled Libra | Unspecified | 2 | Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Rhysida | Unspecified | 2 | Rhysida is a prominent threat actor in the cybersecurity landscape, first emerging in May 2023 as a Ransomware-as-a-Service (RaaS) operation. Initially targeting Windows systems, Rhysida later expanded to Linux platforms. The ransomware uses AES and RSA algorithms for file encryption, with the ChaCh
LockBitSupp | Unspecified | 2 | LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a notorious threat actor and the mastermind behind the prolific LockBit ransomware attacks. Operating under various aliases including "LockBit" and "putinkrab," Khoroshev has been actively involved in cybercrime for over 14 years, with his ac
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Citrix Bleed | Targets | 4 | Citrix Bleed, identified as CVE-2023-4966, is a severe software vulnerability in Citrix Netscaler Gateway and Netscaler ADC products, with a high CVSS score of 9.4 indicating its critical nature. This flaw allows for sensitive information disclosure, bypassing password requirements and multifactor a
CVE-2023-4966 | Unspecified | 2 | CVE-2023-4966, also known as Citrix Bleed, is a critical software vulnerability that affects Citrix NetScaler ADC and Gateway products. This flaw in the software design or implementation was discovered in 2023 and is classified as a sensitive information disclosure vulnerability with a CVSS score of
Source Document References
Information about the Alphv threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 6 months ago | The many lives of BlackCat ransomware | Microsoft Security Blog
Unit42 | 7 months ago | BlackCat Climbs the Summit With a New Tactic
CERT-EU | a year ago | GRIT Ransomware Report: April 2023
Trend Micro | a year ago | BlackCat Ransomware Deploys New Signed Kernel Driver
CISA | 5 months ago | #StopRansomware: ALPHV Blackcat | CISA
CERT-EU | 3 months ago | No Bad Luck for Darktrace: Combatting ALPHV BlackCat Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 8 months ago | LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
Securityaffairs | 3 months ago | FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector
DARKReading | 3 months ago | BlackCat Goes Dark After Ripping Off Change Healthcare Ransom
CERT-EU | 3 months ago | Ransomware group behind Change Healthcare attack goes dark
Canadian Centre for Cyber Security | 10 months ago | ALPHV/BlackCat Ransomware Targeting of Canadian Industries - Canadian Centre for Cyber Security
CERT-EU | 3 months ago | Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
CERT-EU | 5 months ago | AlphV ransomware site is "seized" by the FBI. Then it's "unseized." And so on. | #ransomware | #cybercrime | National Cyber Security Consulting
BankInfoSecurity | 3 months ago | BlackCat Pounces on Health Sector After Federal Takedown
Securityaffairs | a year ago | NCR was the victim of BlackCat/ALPHV ransomware gang
CERT-EU | 5 months ago | How hard has the BlackCat ransomware group been hit by the FBI? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Krebs on Security | 5 months ago | BlackCat Ransomware Raises Ante After FBI Disruption
CERT-EU | 3 months ago | ALPHV/BlackCat hits healthcare after retaliation threat, FBI says
CERT-EU | 3 months ago | ALPHV/BlackCat hits healthcare after retaliation threat, FBI says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 3 months ago | New BlackCat ransomware analysis published as leak site goes dark | #ransomware | #cybercrime | National Cyber Security Consulting