Noberus

Threat Actor updated 4 months ago (2024-06-06T09:17:34.664Z)
Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating from Russia and first appearing in November 2021, Noberus uses ransomware written in Rust, which enables it to infect both Windows and Linux-based systems. The group's modus operandi involves stealing sensitive data from institutions and threatening to publish it unless a ransom is paid.

The threat posed by Noberus has been recognized by major cybersecurity firms and government agencies alike. Threat researchers from Symantec, a part of Broadcom, have observed the FIN8 cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware. Furthermore, the U.S. Department of Justice announced a disruption campaign against Noberus, citing its harmful impact on over 1,000 victims' computer networks, including those supporting U.S. critical infrastructure.

However, recent developments suggest a shift in the ransomware landscape. The closure of Noberus earlier this year has led to some of its former affiliates joining other groups, contributing to their growth. Notably, a former Noberus affiliate known as Notchy is now reportedly working with RansomHub, a new ransomware group. Tools previously associated with another Noberus affiliate, Scattered Spider, were also used in a recent RansomHub attack, indicating the potential transfer of tactics, techniques, and procedures between these threat actors.
Description last updated: 2024-06-06T09:15:45.470Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Alphv is a possible alias for Noberus. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la | 5 |
| Syssphinx is a possible alias for Noberus. Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019, | 3 |
| FIN8 is a possible alias for Noberus. FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance. | 3 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
RaaS
Payload
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Sardonic Malware is associated with Noberus. Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person | Unspecified | 3 |
| The Blackcat Ransomware Group Malware is associated with Noberus. The BlackCat ransomware group, also known as Black Cat, is a notorious Ransomware-as-a-Service organization that has been active since November 2021. The group has targeted the computer networks of over 1,000 victims worldwide, launching malicious campaigns to exploit and damage systems. In one nota | Unspecified | 3 |
Associated Threat Actors
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Scattered Spider Threat Actor is associated with Noberus. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It | Unspecified | 2 |