# ALPHV BlackCat


Based on open-source intelligence, the MITRE ATT&CK® Evaluations team created the ALPHV BlackCat scenario leveraging techniques seen in affiliate operations in the wild. The scenario was designed based on tools, resources, and intelligence available at the time.

# Adversary Overview 🐈

ALPHV BlackCat, also known as Noberus, was a prolific Russian-speaking ransomware-as-a-service (RaaS) group that emerged in 2021 and was linked to BlackMatter, DarkSide, REvil, and other RaaS groups [1]. ALPHV BlackCat used ransomware written in Rust, giving it performance, flexibility, and cross-platform (Windows and Linux/ESXi) capability. During its tenure, ALPHV BlackCat consistently upgraded its tooling and tradecraft; the last variant, Sphynx, was, according to the group, rewritten with enhanced defense evasion capabilities [2, 3]. The group is alleged to have targeted over a thousand victims across the globe [4]. In December 2023, the United States (U.S.) Department of Justice announced that it had disrupted the group's operations and developed a decryption tool for victims [5]. In response, the group announced it was removing restrictions previously placed on affiliates. Its most notable victims included MGM Resorts (September 2023) and Change Healthcare (February 2024). Following the Change Healthcare incident, in March 2024 the U.S. Department of State issued a reward offer for information on the group because of its targeting of U.S. critical infrastructure.

# Quick Links

# Resources

The Resources Folder contains the emulated software source code.

All other pre-built executables have been removed. To rebuild the binaries, follow the documentation for the respective binary.

# Emulation Key Software 💻

# Scenario Walkthrough

# Acknowledgements

We would like to formally thank the people that contributed to the content, review, and format of this document. This includes the MITRE ATT&CK and MITRE ATT&CK Evaluations teams, the organizations and people that provided public intelligence and resources, as well as the following organizations that participated in the community cyber threat intelligence contribution process:

  • Microsoft
  • CrowdStrike

# Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/

# Liability / Responsible Usage

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

# Notice

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0005.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use