ALPHV Threat Actor Profile

ALPHV is the Russia-based Ransomware-as-a-Service (RaaS) group behind the ALPHV (also known as BlackCat) ransomware operation. ALPHV ransomware supports execution on Windows, Linux and VMware EXSi hosts and is the first ransomware written in the programming language Rust. This makes analysis of BlackCat ransomware difficult.

As a RaaS, ALPHV will advertise their ransomware on forums soliciting for affiliates. The solicited groups will utilise the ransomware with the agreement that a portion of the extorted ransom goes to the malware authors.

Threat actors that deploy ALPHV ransomware are known in the security research space as the ALPHV Ransomware Group. Since this gang is dynamic in nature, the tactics and techniques accompanying the deployment of ALPHV ransomware varies in sophistication and extortion techniques.

Alongside the typical threats of data deletion, attackers are known to siphon off data and threaten to release it to the public. Additionally, operators within the ALPHV cartel extort the victim a third time by threatening any third-party suppliers of the primary target. This is followed up by a fourth and final pressure whereby the threat of the implementation of a distributed denial-of-service (DDoS) attack is issued, a combined technique known as the “quadruple extortion method”.

The group frequently updates their RaaS platform to individualise attacks and avoid detection. The nature of the ransomware allows deployment across operating systems and architectures with a recent update in June 2022 allowing deployment across ARM architectures.