Noberus

Threat Actor Profile Updated a month ago
Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating from Russia and first appearing in November 2021, Noberus utilizes a variant written in Rust, enabling it to infect both Windows and Linux-based systems. The group's modus operandi involves stealing sensitive data from institutions and threatening to publish it unless a ransom is paid.

The threat posed by Noberus has been recognized by major cybersecurity firms and government agencies alike. Threat researchers from Symantec, a part of Broadcom, have observed the FIN8 cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware. Furthermore, the U.S. Department of Justice announced a disruption campaign against Noberus, citing its harmful impact on over 1,000 victims' computer networks, including those supporting U.S. critical infrastructure.

However, recent developments suggest a shift in the ransomware landscape. The closure of Noberus earlier this year has led to some of its former affiliates joining other groups, contributing to their growth. Notably, a former Noberus affiliate known as Notchy is now reportedly working with RansomHub, a new ransomware group. Tools previously associated with another Noberus affiliate, Scattered Spider, were also used in a recent RansomHub attack, indicating the potential transfer of tactics, techniques, and procedures between these threat actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Alphv (5 votes): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car

Syssphinx (3 votes): Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019,

FIN8 (3 votes): FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
Payload
RaaS
Extortion
Ransom
Rust
Windows
Symantec
FBI
MGM
Cybercrime
Malware
Associated Malware
ID / Type / Votes / Profile Description

Blackcat Ransomware Group (Unspecified, 3 votes): The BlackCat ransomware group, also known as ALPHV, is a malware collective that has been active since November 2021. As a Ransomware-as-a-Service group, they specialize in exploiting computer systems and holding data hostage for ransom. The group has targeted computer networks of more than 1,000 vi

Sardonic (Unspecified, 3 votes): Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person

Royal Ransomware (Unspecified, 1 vote): Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi

AvosLocker (Unspecified, 1 vote): AvosLocker is a type of malware, specifically a ransomware, that is designed to infiltrate computer systems and devices, often unbeknownst to the user. It can be spread through suspicious downloads, emails, or websites. Once it has infected a system, AvosLocker can cause significant disruption by st
Associated Threat Actors
ID / Type / Votes / Profile Description

Scattered Spider (Unspecified, 2 votes): Scattered Spider is a significant threat actor in the cybersecurity landscape, known for its malicious activities that target various organizations. The group uses sophisticated methods to infiltrate networks, primarily through phishing attacks to obtain login credentials. Once inside, they search S

Ransomhub (Unspecified, 1 vote): RansomHub, a known threat actor in the cybersecurity industry, has been responsible for several high-profile data breaches, demonstrating its capacity to execute actions with malicious intent. Notably, Christie, an undisclosed entity, suffered a data breach due to a RansomHub attack, indicating the

Alphv Group (Unspecified, 1 vote): The ALPHV group, also known as BlackCat, is a threat actor that has been active in the cybersecurity landscape. In 2023, the group was significantly impacted by law enforcement actions. Notably, they claimed responsibility for a major hack against Clarion, a global manufacturer of audio and video eq
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the Noberus Threat Actor was read from the documents corpus below.
Source / Created At / Title

Securityaffairs, a month ago: RansomHub operation is a rebranded version of the Knight RaaS
CERT-EU, 5 months ago: Blackcat claims responsibility for cyberattack at UnitedHealth | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 5 months ago: No Bad Luck for Darktrace: Combatting ALPHV BlackCat Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 5 months ago: Ransomware group Blackcat is behind cyberattack on UnitedHealth division, company says – NBC New York | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 5 months ago: Exclusive-US pharmacy outage triggered by ransomware at unit of UnitedHealth, sources say | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 5 months ago: US healthcare alerted against BlackCat amid targeted attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Securityaffairs, 5 months ago: US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders
CERT-EU, 6 months ago: The Top 10 Ransomware Groups of 2023
CERT-EU, 6 months ago: Hospitals sue cloud, Google settles Incognito suit | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 6 months ago: FBI VS. ALPHV/Blackcat: cybergang fights back - Panda Security
CERT-EU, 7 months ago: DOJ Seizes Ransomware Websites – The Presidential Prayer Team | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 7 months ago: US Seizes BlackCat Ransomware Site, Offering Decryption Tool | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 7 months ago: Justice Department Hacks the Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 7 months ago: Title Insurance Giant First American Financial Is Hackers' Latest Target | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 7 months ago: Cybersecurity threatscape for Latin America and the Caribbean: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 7 months ago: Feds disrupt major ransomware group targeting schools, law firms, hospitals | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, 7 months ago: DOJ disrupts ALPHV/Blackcat ransomware group | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 7 months ago: How hard has the BlackCat ransomware group been hit by the FBI? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 7 months ago: US officials seize websites associated with Blackcat ransomware
CERT-EU, 7 months ago: FBI Disrupts BlackCat Ransomware Threat Group Activity – The Essential Facts