Skip to content

Hide Navigation Hide TOC

BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a)

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 2