Home / Threat Intelligence bulletins / BlackCat ransomware targets Azure Storage

Target Industry

Indiscriminate, opportunistic targeting.


The Russian ransomware group tracked as BlackCat (aka ALPHV), has recently been observed using their new ‘Sphynx Encryptor’ against Azure Storage accounts. Labelled as BlackCat 3.0 by Microsoft, the Sphynx Encryptor is BlackCat’s latest innovative ransomware encryption tool. Built from scratch, it aids lateral movement and is designed to evade advanced detection. BlackCat threat actors have used One Time Passwords (OTPs) stolen from the victim’s LastPass Chrome extension to obtain access to Azure Storage locations.


Successful exploitation by BlackCat ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, prior to a ransom of a predetermined value being issued. The ransom amount demanded will almost certainly depend on the estimated value of the compromised organisation. Furthermore, such a compromise of data will also result in the organisation incurring a negative reputational impact. Encrypted data may include private customer data, corporate finance data and system credentials that if released can assist threat actors with future attacks.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as those implemented by BlackCat ransomware. EDR solutions can alert system users of potential breaches and stop further progress before the ransomware can inflict significant damage.

Affected Products

Azure Storage, LastPass.

Containment, Mitigations & Remediations

Thorough phishing protection and education will greatly reduce the likelihood of a successful social engineering attack involving the installation of malware. As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention or mitigation of potential attacks from a wide range of threats in real time.

Further, all devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats. Network segmentation will reduce threat actors’ capability for lateral movement, reducing the potential for data loss upon initial access in a ransomware attack.

Indicators of Compromise

Please refer to the Quorum Cyber Threat Intelligence BlackCat (ALPHV) Ransomware Report for details regarding associated indicators of compromise.

Threat Landscape

Ransomware continues to be one of the prominent threats facing the private sector. Recent attacks and the developing nature of the ransomware threat landscape suggests that the threat is growing as criminal groups are becoming more comfortable demanding ever-increasing ransom fees.

Threat Group

The Russian ransomware group ALPHV, aka BlackCat, were first observed in November 2021 after deployment of their successful Rust-written payload. BlackCat is suspected to be a rebranding/evolution of the ransomware group BlackMatter, which is a successor of two notable ransomware groups, REvil and DarkSide. These groups are known to offer a payout for anyone who helps spread their ransomware.

Following a series of arrests against REvil members in January 2022, BlackCat has been observed recruiting former members of REvil, DarkSide and BlackMatter in what appears to be the next major iteration of Russian Ransomware-as-a-Service (RaaS).

The Sphynx encryptor is the most recent example of BlackCat’s ability to develop and creatively deploy advanced technology capable of bypassing modern-day detection and protection.

Mitre Methodologies


TA0005 – Defense Evasion

TA0008 – Lateral Movement

Further Information

Varonis Blog

Microsoft Security Blog

Akamai Blog

FBI Flash

Logpoint Report


An Intelligence Terminology Yardstick to showing the likelihood of events