top of page
  • Writer's pictureFYEO

Ransomware Group Deep Dive: BlackCat

Ransomware groups (also called ransomware gangs) are one of the biggest threats to an organization’s cybersecurity posture. However, these groups are often nebulous and shrouded in secrecy, with new ransomware gangs constantly rising and falling in popularity. For this reason, security-conscious companies need to engage in regular Dark Web threat monitoring, scanning the threat landscape for new ransomware groups.

BlackCat is a ransomware group that was first detected in November 2021. Since then, the BlackCat gang has launched assaults on many high-profile targets, demanding ransoms stretching into the millions of dollars. So what is the BlackCat ransomware group, and how can businesses best protect themselves against this new figure in the lineup of ransomware gangs?

What Is the BlackCat Ransomware Group?

BlackCat (also known as ALPHV, AlphaV, AlphaVM, and Noberus) is known for its use of the "ransomware as a service" (RaaS) business model. In RaaS, developers license the ransomware they built to other cybercriminals. These criminals then use the ransomware in their own operations, paying the developers either a portion of the ransom or a flat subscription fee.

Like many other prominent ransomware groups, BlackCat is notorious for using “double extortion” tactics. Victims are faced not only with the loss of their data if they don’t pay the ransom but also with BlackCat leaking their sensitive information and files on the Dark Web. Typical BlackCat ransom demands are for between $400,000 and $3 million USD, but the group has been known to settle for less than this amount.

According to the FBI, multiple members of the BlackCat ransomware group have been linked to other ransomware gangs, such as DarkSide and BlackMatter. This fact likely explains how the BlackCat group could scale up in a matter of months: By March 2022, BlackCat had already successfully attacked more than 60 targets.

In 2021, the technology news website BleepingComputer called BlackCat "this year’s most sophisticated ransomware." One major reason is that the BlackCat ransomware is written in the Rust programming language, which makes it supposedly the first strain of ransomware with this distinction.

Rust is a cross-platform programming language that focuses on safety and performance. By writing ransomware in Rust, BlackCat’s developers can easily compile it for use on different systems while posing challenges to security analysts who are used to malware written in other languages. According to its creators, BlackCat ransomware can run on all Windows systems starting with Windows 7, as well as Debian and Ubuntu Linux.

Below are just a few of the BlackCat ransomware group’s most prominent attacks:

  • January 2022: The luxury fashion brand Moncler was hit with a data breach after falling victim to BlackCat ransomware, temporarily disrupting its IT services. Moncler refused to pay the ransom, resulting in the leak of some data on its employees, business partners, and customers.

  • September 2022: BlackCat attacked the Italian state-owned energy services firm GSE with ransomware. The hackers claimed to have stolen 700 gigabytes of data from GSE, including contracts and accounting documents, and threatened to post it publicly if the ransom was not paid.

  • December 2022: Empresas Públicas de Medellín, a Colombian energy provider, had a BlackCat ransomware assault, which negatively impacted business operations and shut down internet services. According to ransomware group, they had the employees personal data and complete network map including credentials and financial information.

How Does BlackCat Ransomware Work?

BlackCat ransomware is technically sophisticated and can spread to a network through several methods. These include stolen user credentials and exploiting vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) in the Microsoft Exchange Server application.

Once inside a system, BlackCat can bypass user account control (UAC), which means it can successfully run even without administrator privileges. BlackCat uses a variety of software tools to execute its attack, including:

  • The PsExec utility to perform lateral movement inside the network

  • The Fendr data exfiltration tool, previously used by the BlackMatter ransomware gang

  • Windows PowerShell scripts to launch the ransomware, copy itself to other locations, and disable antivirus programs such as McAfee

BlackCat attempts to shut down system defenses and applications such as word processors and databases that may keep files open and prevent them from being encrypted. After this process, BlackCat encrypts system files and data, renaming them to use an unorthodox file extension such as “.wpzlbji.” When encrypting files, BlackCat uses the Windows API BCryptGenRandom to generate an encryption key and the encryption algorithms AES or ChaCha20.

Another unique feature of BlackCat ransomware is that it provides the victim with a secret access token to conduct negotiations for the ransom. Without this token, third parties cannot observe or participate in the negotiations.

How to Protect Yourself from BlackCat Ransomware

As the BlackCat ransomware group grows in prominence, protecting yourself from BlackCat ransomware becomes increasingly important. Here are some concrete steps you can take:

  • Use strong passwords and multifactor authentication.

  • Educate users on how to recognize phishing emails and suspicious websites.

  • Review system logs for unusual activity, such as unrecognized processes or antivirus software turning off.

  • Check user permissions and disable unused network ports.

  • Install new updates for software, firmware, and operating systems as soon as possible to patch security vulnerabilities.

  • Back up essential data and files to an external location with an air gap with the rest of the network.


Here’s what you need to know about the BlackCat ransomware group:

  • First appearing in November 2021, BlackCat has since risen to become a major player in the field of ransomware gangs.

  • The BlackCat ransomware group’s use of double extortion methods and the RaaS business model make it a serious threat.

  • BlackCat is technically sophisticated ransomware that is notable for being written in the Rust programming language.

BlackCat and other ransomware groups place the security of businesses of all sizes and industries at risk. That’s why it’s so crucial for organizations to understand the hazards they face from these Dark Web threat actors and to protect their confidential information.

FYEO’s threat intelligence solution can help. We maintain one of the world’s largest databases of leaked credentials, with more than 25 billion active records. With FYEO, users receive an alert immediately when ransomware groups or other malicious actors have leaked their data on the Dark Web. Want to learn more? Get in touch with us today to request a demo of FYEO Domain Intelligence.


bottom of page