
BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a)

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify its functionality. BlackCat has many advanced capabilities: it can escalate privileges and bypass UAC, makes use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for Windows, Linux, and ESXi systems. The BlackCat gang uses multiple extortion techniques, such as exfiltrating victim data before deploying the ransomware, threatening to release that data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | BlackCat (e6c09b63-a424-4d9e-b7f7-b752cbbca02a) | Ransomware | 1 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | 2 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | 2 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 2 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 2 |
| Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 2 |
| LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | 2 |