ALPHV Threat Actor Profile

ALPHV is the Russia-based Ransomware-as-a-Service (RaaS) group behind the ALPHV (also known as BlackCat) ransomware operation. ALPHV ransomware supports execution on Windows, Linux and VMware EXSi hosts and is the first ransomware written in the programming language Rust. This makes analysis of BlackCat ransomware difficult.

As a RaaS, ALPHV will advertise their ransomware on forums soliciting for affiliates. The solicited groups will utilise the ransomware with the agreement that a portion of the extorted ransom goes to the malware authors.

Threat actors that deploy ALPHV ransomware are known in the security research space as the ALPHV Ransomware Group. Since this gang is dynamic in nature, the tactics and techniques accompanying the deployment of ALPHV ransomware varies in sophistication and extortion techniques.

Alongside the typical threats of data deletion, attackers are known to siphon off data and threaten to release it to the public. Additionally, operators within the ALPHV cartel extort the victim a third time by threatening any third-party suppliers of the primary target. This is followed up by a fourth and final pressure whereby the threat of the implementation of a distributed denial-of-service (DDoS) attack is issued, a combined technique known as the “quadruple extortion method”.

The group frequently updates their RaaS platform to individualise attacks and avoid detection. The nature of the ransomware allows deployment across operating systems and architectures with a recent update in June 2022 allowing deployment across ARM architectures.

Threat Actor Aliases

Aliases of the ALPHV Ransomware Group include ALPHV-ng, AlphaV, AlphaVM, BlackCat, Noberus and UNC4466.

Targeting Profile

TARGETED INDUSTRY SECTORS

The ALPHV Ransomware Group is known as a single entity and indiscriminately targets organisations across the industry sector spectrum. Intelligence gathering has revealed that the following sectors are targeted most prominently by the ransomware cartel: finance, legal, technology, energy, healthcare and manufacturing.

TARGETED REGIONS

Figure 1 outlines the world regions whereby the ALPHV Ransomware Group has initiated attack campaigns.

 

Figure 1: Countries affected by the ALPHV Ransomware Group.

Threat Actor Motivations

The motivations of the ALPHV Ransomware Group have been assessed to be purely financial. However, the wider cartel’s objectives will change depending on the threat actor using the ransomware. A portion of the splinter groups within the cartel is known to extort organisations with data destruction, data theft and DDoS attacks.