New Case Study: Credit Union Boosts Secops With Continuous Testing
Learn More
New Research: Broken Attestation in Windows Admin Center
Learn More
Whitepaper: An Inside Look at the Technology Behind Cymulate
Learn More
New Integration Partnership with WIZ!
Learn More
Book a Demo
Book a Demo

ALPHV - BlackCat Ransomware

February 7, 2022

Key takeaways: The group is actively recruiting ex-REvil, BlackMatter, and DarkSide operators Increased activity since November 2021 Lucrative affiliate pay-outs (up to 90%) Rust-based ransomware executable (fast, cross-platform, heavily customized per victim) AES encryption by default Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099) Can propagate to remote hosts via PsExec Deletes shadow copies using VSS Admin Stops VMware ESXi virtual machines and deletes snapshot The group's leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater.

Featured Resources

View More Resources
image
blog

Kerberos Authentication Relay Via CNAME Abuse 

Cymulate Research Labs uncovered a dangerous flaw in how Windows environments handle Kerberos service ticket requests one that significantly expands the practical attack surface

Read More
image
blog

CVE-2026-20965: Cymulate Research Labs Discovers Token Validation Flaw that Leads to Tenant-Wide RCE in Azure Windows Admin Center 

A subtle Azure SSO token validation flaw allowed attackers to escalate privileges and move laterally across WAC-managed systems.

Read More
image
blog

Evolving Vulnerability Management to Continuous Threat Exposure Management 

Shift from reactive vulnerability management to continuous, threat-validated exposure management for real risk resilience.

Read More