BlackCat operates on a ransomware as a service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments.
[4] As of February 2024, the U.S. Department of State was offering rewards of up to US$10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders.
Security experts believe the tactic is intended to demonstrate more credibility to their claims of breaching victims' systems and increase pressure on organizations to pay ransoms to prevent full public exposure of their data.
[8] By April 2022, the Federal Bureau of Investigation (FBI) released an advisory that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups – DarkSide and BlackMatter.
[9] Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors.
Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific.
[8] At the beginning of the year 2023, Blackcat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.
[14] On December 19, 2023, the group's website was replaced with an image: a message from the FBI claiming "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware."[15] The FBI announced that same day that it had "disrupted" the ALPHV/BlackCat group by seizing multiple websites and releasing a decryption tool.
So-called "threat actors" associated with BlackCat were observed using "malvertising", an "SEO poisoning" technique that uses advertising to trick users searching for applications like WinSCP into downloading and spreading its malware. As Ravie Lakshmanan noted, writing for The Hacker News, the approach typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages;[18] that is, using hijacked webpages of legitimate organizations to redirect users to pages hosting malware.
Specifically, the gang uses Emotet botnet malware as an entry point, and Log4J Auto Expl to propagate the ransomware laterally within the network.
[13] Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding cryptocurrency.
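The execution chain in that last sentence is what a defender would correlate in endpoint telemetry. The following Python is added here as an example and is not code from the page or from any vendor tooling; it scores hosts against the four stages (discovery, shadow-copy deletion, bulk file renaming, ransom-note drop) over constructed sample events, and the command patterns, the rename threshold and the ransom-note filename heuristic are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample telemetry: (host, event kind, detail). Not real log data.
SAMPLE_EVENTS = [
    ("ws01", "process", "net.exe view /all"),
    ("ws01", "process", "vssadmin.exe delete shadows /all /quiet"),
] + [
    ("ws01", "file_rename", f"C:\\Users\\a\\doc{i}.docx -> C:\\Users\\a\\doc{i}.docx.sykffle")
    for i in range(6)
] + [
    ("ws01", "file_create", "C:\\Users\\a\\RECOVER-sykffle-FILES.txt"),
    ("ws02", "process", "vssadmin.exe list shadows"),  # benign admin check, not a deletion
    ("ws02", "file_rename", "C:\\tmp\\a.txt -> C:\\tmp\\b.txt"),
]

# Stage patterns. vssadmin/wmic are common ways shadow copies get deleted; the
# ransom-note filename pattern is a heuristic assumed here, not taken from the page.
DISCOVERY = re.compile(r"^(net1?\.exe view|arp\.exe -a|nltest\.exe)", re.I)
SHADOW_DELETE = re.compile(r"^(vssadmin(\.exe)? delete shadows|wmic(\.exe)? shadowcopy delete)", re.I)
RANSOM_NOTE = re.compile(r"\\[^\\]*(recover|restore|readme)[^\\]*\.txt$", re.I)
CHAIN = ("discovery", "shadow_delete", "bulk_encrypt", "ransom_note")

def _new_extension(rename_detail):
    """Extension appended by a rename 'old -> new'; '' when the name changed otherwise."""
    old, _, new = rename_detail.partition(" -> ")
    return new[len(old):] if new.startswith(old) and new != old else ""

def classify_events(events, rename_threshold=5):
    """Map each host to the set of chain stages observed in its events."""
    stages = defaultdict(set)
    ext_counts = defaultdict(lambda: defaultdict(int))  # host -> appended ext -> count
    for host, kind, detail in events:
        if kind == "process":
            if DISCOVERY.search(detail):
                stages[host].add("discovery")
            if SHADOW_DELETE.search(detail):
                stages[host].add("shadow_delete")
        elif kind == "file_rename":
            ext = _new_extension(detail)
            if ext:  # many files gaining the same new extension = bulk encryption
                ext_counts[host][ext] += 1
                if ext_counts[host][ext] >= rename_threshold:
                    stages[host].add("bulk_encrypt")
        elif kind == "file_create" and RANSOM_NOTE.search(detail):
            stages[host].add("ransom_note")
    return dict(stages)

def hosts_matching_chain(events, min_stages=3):
    """Hosts showing at least min_stages of the chain, most complete first."""
    seen = [(h, tuple(s for s in CHAIN if s in st)) for h, st in classify_events(events).items()]
    return sorted([x for x in seen if len(x[1]) >= min_stages], key=lambda x: -len(x[1]))
```

A single stage (the benign `vssadmin list shadows` on ws02, or one renamed file) never trips the rule; only the combination the text describes does.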