
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a)

BlackCat (ALPHV) is ransomware written in Rust. It makes heavy use of plaintext JSON configuration files to specify its functionality. BlackCat has many advanced capabilities: it can escalate privileges and bypass UAC, encrypts files with AES and ChaCha20 or Salsa, may use the Restart Manager, can delete volume shadow copies, enumerates disk volumes and network shares automatically, and may kill specific processes and services. Variants exist for Windows, Linux, and ESXi systems. The BlackCat gang uses multiple extortion techniques, such as exfiltrating victim data before deploying the ransomware, threatening to release that data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.
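The description above lists shadow-copy deletion (mapped below as Inhibit System Recovery, T1490) among the capabilities. The following detection check is an added example, not BlackCat's code and not part of the galaxy: it scans process-creation records for the generic Windows command lines that remove shadow copies or disable recovery. The JSON-lines record format and every sample record are constructed for the example, and the patterns are the well-known T1490 procedures (`vssadmin`, `wmic shadowcopy`, `Win32_ShadowCopy` removal, `bcdedit recoveryenabled`, `wbadmin delete catalog`), not a claim about how BlackCat itself implements the behaviour.

```python
"""Flag process-creation records whose command line removes volume shadow
copies or disables recovery (ATT&CK T1490, Inhibit System Recovery).

Added example. The record format and the sample records are constructed;
the patterns are the generic Windows commands for the technique.
"""
import json
import re
from dataclasses import dataclass

# Patterns are loose on purpose: they survive argument reordering, ".exe"
# suffixes and case differences (ransomware rarely types the canonical form).
SHADOW_COPY_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"Win32_ShadowCopy\b.*\b(?:Remove-WmiObject|Delete\(\))", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


@dataclass
class Finding:
    host: str
    parent: str
    command_line: str
    rule: str


def parse_record(line: str) -> dict:
    """One process-creation record as a JSON object (constructed format):
    {"host": ..., "parent": <parent image>, "cmd": <command line>}."""
    return json.loads(line)


def detect(lines):
    """Return one Finding per record whose command line matches a T1490 pattern.
    The first matching rule wins, so a record is reported once."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        cmd = rec.get("cmd", "")
        for rule, pattern in SHADOW_COPY_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(rec.get("host", "?"), rec.get("parent", "?"), cmd, rule))
                break
    return findings


# Constructed sample records. Only the "list shadows" call is benign; note the
# raw string so the JSON escapes reach json.loads unchanged.
SAMPLE_LOG = r"""
{"host": "ws01", "parent": "explorer.exe", "cmd": "C:\\Windows\\System32\\notepad.exe C:\\notes.txt"}
{"host": "srv02", "parent": "unknown.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"}
{"host": "srv02", "parent": "unknown.exe", "cmd": "wmic.exe shadowcopy delete"}
{"host": "srv02", "parent": "unknown.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled No"}
{"host": "ws03", "parent": "backup-agent.exe", "cmd": "vssadmin.exe list shadows"}
{"host": "ws03", "parent": "powershell.exe", "cmd": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
"""


def main():
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] host={f.host} parent={f.parent} cmd={f.command_line}")


if __name__ == "__main__":
    main()
```

The parent image is carried into each finding because the same commands are legitimately issued by backup software; triaging on an unexpected parent (a user-writable path, an Office process, a remote-execution service) is what separates a ransomware precursor from routine maintenance.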

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1 |
| BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | 1 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 2 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 2 |
| Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 2 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | 2 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
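The relationship rows above have two levels: Level 1 rows map the BlackCat cluster to an ATT&CK technique, and Level 2 rows link a mapped sub-technique to its parent (in either column order, as the Cron, Multi-hop Proxy, CMSTP and RDP rows show). The script below is an added example, not part of the MISP galaxy: it parses rows in the page's own `Name - TXXXX (uuid)` layout (whitespace-separated or pipe-delimited cells), collects the Level 1 techniques into an ATT&CK Navigator layer, and lists the parent techniques that are reachable only through a mapped sub-technique, which is a frequent source of confusion when comparing coverage. The embedded rows are a subset copied from the table; the Navigator layer field names and the version numbers in `versions` are assumptions about the layer schema.

```python
"""Build an ATT&CK Navigator layer from the galaxy relationship rows.

Added example, not part of the galaxy. Rows follow the page's layout:
'<cluster> <galaxy> <cluster> <galaxy> <level>', cluster = 'Name - TID (uuid)'
or 'Name (uuid)'. Navigator field names and versions are assumed.
"""
import json
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A whole row: two clusters, each followed by its galaxy name, then the level.
ROW_RE = re.compile(
    rf"^(?P<a>.+?\({UUID}\))\s+(?P<ga>Ransomware|Attack Pattern)\s+"
    rf"(?P<b>.+?\({UUID}\))\s+(?P<gb>Ransomware|Attack Pattern)\s+(?P<level>\d+)$"
)
# One cluster. The ATT&CK ID is optional: the BlackCat cluster has none.
CLUSTER_RE = re.compile(
    rf"^(?P<name>.+?)(?:\s+-\s+(?P<tid>T\d{{4}}(?:\.\d{{3}})?))?\s+\((?P<uuid>{UUID})\)$"
)


def parse_row(line):
    """Return (cluster_a, galaxy_a, cluster_b, galaxy_b, level), or None for a
    header, separator or blank line. Pipe-delimited table cells are accepted."""
    row = re.sub(r"\s*\|\s*", " ", line).strip()
    m = ROW_RE.match(row)
    if not m:
        return None
    a, b = (CLUSTER_RE.match(m.group(k)).groupdict() for k in ("a", "b"))
    return a, m.group("ga"), b, m.group("gb"), int(m.group("level"))


def technique_map(lines, subject="BlackCat"):
    """direct: {technique ID: name} for Level 1 rows of the subject cluster;
    parents: {sub-technique ID: parent ID} from the Level 2 rows."""
    direct, parents = {}, {}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        a, _, b, _, level = parsed
        if level == 1 and a["name"] == subject and b["tid"]:
            direct[b["tid"]] = b["name"]
        elif level == 2 and a["tid"] and b["tid"]:
            # Level 2 rows are unordered: the sub-technique is the dotted ID.
            sub, parent = (a, b) if "." in a["tid"] else (b, a)
            if sub["tid"].split(".")[0] != parent["tid"]:
                raise ValueError(f"not a parent/sub-technique pair: {line!r}")
            parents[sub["tid"]] = parent["tid"]
    return direct, parents


def implied_parents(direct, parents):
    """Parent techniques present only because one of their sub-techniques is mapped."""
    return sorted({parents[t] for t in direct if t in parents} - set(direct))


def navigator_layer(lines, subject="BlackCat"):
    direct, parents = technique_map(lines, subject)
    techniques = [{"techniqueID": tid, "score": 1, "comment": name}
                  for tid, name in sorted(direct.items())]
    # Implied parents get a zero-score entry so the Navigator expands them;
    # this is not a claim that the parent itself is mapped on the page.
    for tid in implied_parents(direct, parents):
        techniques.append({"techniqueID": tid, "score": 0, "showSubtechniques": True,
                           "comment": "parent of a mapped sub-technique"})
    return {
        "name": f"{subject} (MISP galaxy relationships)",
        "versions": {"layer": "4.5", "attack": "14", "navigator": "4.9.1"},  # assumed
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


# Subset of the rows from the table above, copied in the page's own layout.
SAMPLE_ROWS = """\
Cluster A Galaxy A Cluster B Galaxy B Level
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
"""

if __name__ == "__main__":
    print(json.dumps(navigator_layer(SAMPLE_ROWS.splitlines()), indent=2))
```

Running the script on the full table rather than the subset gives the complete layer; the implied-parent list then shows which Level 2 parents (for instance System Services or Scheduled Task/Job) appear only through a sub-technique, while others such as Exfiltration Over Web Service and Obfuscated Files or Information are mapped directly as well.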