Noberus

Threat Actor updated a month ago (2024-10-21T12:38:28.776Z)
Download STIX
Preview STIX
Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating from Russia and first appearing in November 2021, Noberus utilizes a variant written in Rust, enabling it to infect both Windows and Linux-based systems. The group's modus operandi involves stealing sensitive data from institutions and threatening to publish it unless a ransom is paid. The threat posed by Noberus has been recognized by major cybersecurity firms and government agencies alike. Threat researchers from Symantec, a part of Broadcom, have observed the FIN8 cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware. Furthermore, the U.S. Department of Justice announced a disruption campaign against Noberus, citing its harmful impact on over 1,000 victims' computer networks, including those supporting U.S. critical infrastructure. However, recent developments suggest a shift in the ransomware landscape. The closure of Noberus earlier this year has led to some of its former affiliates joining other groups, contributing to their growth. Notably, a former Noberus affiliate known as Notchy is now reportedly working with RansomHub, a new ransomware group. Tools previously associated with another Noberus affiliate, Scattered Spider, were also used in a recent RansomHub attack, indicating the potential transfer of tactics, techniques, and procedures between these threat actors.
Description last updated: 2024-06-06T09:15:45.470Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Alphv is a possible alias for Noberus. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB
5
Syssphinx is a possible alias for Noberus. Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019,
3
FIN8 is a possible alias for Noberus. FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance.
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
RaaS
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sardonic Malware is associated with Noberus. Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal personUnspecified
3
The Blackcat Ransomware Group Malware is associated with Noberus. The BlackCat ransomware group, also known as Black Cat, has been active since November 2021. As a Ransomware-as-a-Service entity, it has targeted the computer networks of over 1,000 victims worldwide, with the FBI Miami leading the investigation into their activities. The group is notorious for its Unspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Scattered Spider Threat Actor is associated with Noberus. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-premUnspecified
2
Source Document References
Information about the Noberus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
5 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Securityaffairs
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago