Alphv Ransomware

First Identified: 2021

Operation style:
Ransomware-as-a-Service (RaaS), affiliates earn 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments over $3 million.

Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry:

• Professional & Commercial Services (Legal Services)
• Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Known Associations:

• FIN8
• FIN12
• DEV-0237
• DEV-0504
• Scattered Spider
• ShadowSyndicate
• UNC4466
• BlackMatter Ransomware
• Cicada3301

Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS (Ransomware as a Service), where affiliates gain access to victim environments, deploy the Alphv encryptor and then split the ransom payment with the developers. Affiliates can earn 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments over $3 million. Due to the use of an affiliate program, Alphv operators gain initial access in a variety of methods, including social engineering, exploiting vulnerabilities, initial access brokers (IABs), and more.

Alphv’s operators were one of the first to successfully use the Rust programming language to compromise victims. Alphv’s use of Rust enables the operators to increase their defense evasion capabilities and avoid code similarities with other ransomware variants. Due to the flexibility of Rust, it Likely allows Alphv’s operators to tailor attacks to each specific victim. Alphv is able to target Windows, ESXi, Debian, Ubuntu, and ReadyNAS/Synology environments.

Alphv is consistently updating and refining their operations to ensure they remain as effective and successful as possible. One update included an ARM build to encrypt non-standard architectures and a feature that adds new encryption functionality to its Windows build by rebooting into Safe Mode and Safe Mode with networking. A new restart logic was added, along with a simplification of the Linux encryption process.

In August 2022, the group was observed deploying a custom Exmatter data exfiltration tool, which had been previously used with the BlackMatter ransomware. A new variant of Alphv, dubbed Sphynx, was observed that contained new command line arguments and methods for evading detection.

In December 2023, the FBI announced the seizure of the Alphv ransomware data leak site and were able to provide decryption keys for 500 victims of the ransomware group, saving nearly $68 million in ransom demands. Additionally, the FBI seized the domain for Alphv’s data leak site, which displayed a banner stating it was seized. However, within the same day, the group “unseized” the site and posted a new site link. Additionally, the site hosted a message that due to the takedown, the group was removing all rules for their affiliates as far as vertical targeting. The only rule that affiliates reportedly have to follow is to avoid targeting organizations in CIS countries.