HC3 TLP Clear Analyst Note: BlackCat (AKA ALPHV) December 12, 2022

Executive Summary

BlackCat is a relatively new ransomware variant, known to be in operation since November 2021. It is exceptionally capable and is believed to be operated by individuals with significant experience as cyber criminals, who have extensive relationships with other significant players throughout the cybercriminal ecosystem. BlackCat is known to have targeted the healthcare and public health (HPH) sector and is expected to continue. The HPH should take this threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.


BlackCat (also known as Noberus or ALPHV) is a ransomware variant offered as part of one of the most sophisticated Ransomware-as-a-service (RaaS) operations in the global cybercriminal ecosystem. BlackCat has been used in operations since November 2021. They are believed to be a successor to the REvil, Darkside and BlackMatter operators and have connections to FIN7 AKA Carbon Spider as well as FIN12. BlackCat is noteworthy because its features make it technically sophisticated as compared to other RaaS variants, allowing for the ability to target a wide range of corporate environments. BlackCat was one of the first major ransomware variants to be developed in the rust programming language, has a highly-customizable feature set, and relies heavily on internally-developed capabilities, which are constantly developed and have upgrades. The many advanced technical features include being entirely command-line driven, human-operated and adaptable malware which has the ability to use several different encryption routines, self-propagate, and render hypervisors ineffective to frustrate analysis. This has made BlackCat one of the more adaptable ransomware operations in the world.

Like all ransomware-as-a-service (RaaS) operations, the BlackCat operators recruit affiliates to perform corporate breaches and encrypt devices, while retaining code maintenance and development responsibilities for themselves. As previously noted, their ransomware code is highly customizable, and the executable includes a JSON configuration that allows that customization. This includes extensions, ransom note details, encryption, services targeted for termination and whitelisted folders/files/extensions.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272