New: Threat Exposure Validation Impact Report 2025
Learn More
Join our Summer Webinar Series on Threat Exposure Validation
Register Now
Meet the team at Infosecurity Europe 2025
Book a Meeting

ALPHV - BlackCat Ransomware

February 7, 2022

Key takeaways: The group is actively recruiting ex-REvil, BlackMatter, and DarkSide operators Increased activity since November 2021 Lucrative affiliate pay-outs (up to 90%) Rust-based ransomware executable (fast, cross-platform, heavily customized per victim) AES encryption by default Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099) Can propagate to remote hosts via PsExec Deletes shadow copies using VSS Admin Stops VMware ESXi virtual machines and deletes snapshot The group's leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater.