Skip to content

Hide Navigation Hide TOC

BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a)

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) Attack Pattern 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware 1
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) Ransomware Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2