
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a)

BlackCat (ALPHV) is ransomware written in Rust. It makes heavy use of plaintext JSON configuration files to specify its functionality. BlackCat has many advanced capabilities: it can escalate privileges and bypass UAC, makes use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for Windows, Linux, and ESXi systems. The BlackCat gang uses multiple extortion techniques, such as exfiltrating victim data before the ransomware is deployed, threatening to release the data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 1 |
| SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 2 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | 2 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 2 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 2 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 2 |
| Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |