The ALPHV ransomware (also known as BlackCat) operator is a financially motivated threat actor group that has been active since at least 2016. The group employs the double-extortion technique, threatening to leak stolen data to persuade victims to pay the ransom, and has targeted various industry sectors, including manufacturing, finance, healthcare, law, and media. The group has been successful in extorting large ransom payments, with a reported average payment of US$1.7 million. As such, the ALPHV ransomware group is currently one of the leading ransomware actors, and it is highly likely that its operations will continue.
The group has been observed using different versions of the Sardonic backdoor to deploy the ALPHV ransomware. Sardonic is a powerful backdoor that can exfiltrate system data, execute commands, and load and execute additional malware payloads. The group has also been associated with other ransomware variants such as Ragnar Locker and White Rabbit. The malware is typically distributed through malvertising campaigns that use rogue installers of legitimate applications, such as WinSCP, as a lure.
In July 2023 it was detected that the threat actor tracked as FIN8 was involved in an attack campaign that deployed ALPHV ransomware via an enhanced version of the Sardonic backdoor.
