We analyze the ALPHV ransomware and its impact on organizations through personal data leakage

By Caique Barqueta

ALPHV Ransomware, also known as BlackCat, Alphvm or Noberus, is a family of ransomware that operates under the Ransomware-as-a-Service (RaaS) model.

This ransomware was first detected in November 2021 and hit several organizations in its first few months of operation. One of the things that drew attention was that it was written in the Rust programming language. In addition, it has custom payload creation, with Windows and Linux variants, including specific features for VMware ESXi hosts.

Some available reports suggest that the group was created by former members of other cybercriminal groups, such as BlackMatter, REvil and DarkSide.

Due to its great potential to cause damage to organizations, it was "voted" the most sophisticated ransomware of 2021, and in April 2022 the FBI released an alert highlighting the TTPs and known indicators of compromise (IOCs) associated with ALPHV, which are incorporated into this report.

The sale of this ransomware took place through ads on clandestine forums of Russian origin.

Figure 1. ALPHV RaaS ransomware being spread on an underground forum.

The researchers behind the MalwareHunterTeam Twitter profile named the ransomware BlackCat because of the favicon, a black cat holding a bloody dagger, used on the group's Tor data leak site.

Figure 2. Favicons used on the payment site and data leakage.

As mentioned, because this is a Ransomware-as-a-Service (RaaS) operation, the ALPHV operators recruit affiliates to breach corporate networks and encrypt devices; in return, the affiliates earn a variable share of the revenue based on the size of the ransom payment.


  • On ransom payments up to $1.5 million, the affiliate receives 80% to 85%.
  • On ransom payments up to $3 million, the affiliate receives 90%.

Moreover, the shutdown of other ransomware operations initially helped ALPHV "prospect" for new affiliates, increasing its potential to harm organizations.

Analysis and technical details of the ransomware

The analysis below was performed by researchers exploring the features of the 2021 variant of ALPHV, which included several advanced features that set it apart from other ransomware operations.

The payload is fully command-line controlled and human operated. It can be configured for the target environment, use different encryption routines, propagate laterally to other assets, encrypt VMware ESXi virtual machines, and automatically delete ESXi snapshots to prevent recovery.

Below are the payload options displayed when using the "-help" argument.

Figure 3. Options to be used by the malicious payload.

Each ALPHV executable includes a JSON configuration that allows customization of the encrypted-file extension, the ransom note, excluded folders/files/extensions, how data is encrypted, and the services and processes to be terminated automatically.

According to the forum posting, the ransomware can be configured to use four different encryption modes.

Figure 4. Encryption routines according to the announcement.

Here is the translation:

"The software is written from scratch without using any templates or previously leaked source codes from other ransomware. The choice offered is:

4 encryption modes:

  • Full - Full file encryption (the slowest and most secure).
  • Fast - Encryption of the first N megabytes (not recommended for use, the most insecure solution possible, but the fastest).
  • DontPattern - N megabyte per M step encryption (if set up incorrectly, Fast can work worse in both speed and cryptographic strength).
  • Auto - Depending on the file type and size, the locker (in both Windows and NIX/ESXi) chooses the most optimal strategy in terms of speed/security for file processing.
  • SmartPattern - N encryption megabytes in percentage steps (by default it encrypts 10 megabytes every 10% of the file from the header on. The most optimal mode in the speed/cryptographic strength ratio).
2 encryption algorithms:

  • ChaCha20
  • AES

In automatic mode, the software detects the presence of AES hardware support (exists on all modern processors) and uses it. If AES support is not present, the software encrypts files with ChaCha20."
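The modes above matter to a responder because a file hit by "Fast" or "SmartPattern" is only partly ciphertext, so whole-file entropy alone will miss it. The following script is an added example written for this article, not code from the report or from the ALPHV locker. It measures Shannon entropy per segment at the offsets a SmartPattern-style scheme would touch (a segment every 10% of the file, starting at the header) and compares them with the bytes in between. The segment size (4 KB instead of 10 MB), the 7.5 bits/byte threshold and the constructed sample files are all assumptions chosen so the demo runs instantly.

```python
import math
import random
from collections import Counter

# Demo parameters. The announcement describes SmartPattern as "N megabytes every
# P percent of the file from the header on" (10 MB every 10% by default). The shape
# is kept but scaled down so the demo runs instantly; all three values are assumptions.
SEGMENT_BYTES = 4096    # stands in for the 10 MB segment
STEP_PERCENT = 10       # one segment every 10% of the file, starting at offset 0
HIGH_ENTROPY = 7.5      # bits per byte; ciphertext and random data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pattern_offsets(size: int, step_percent: int = STEP_PERCENT) -> list[int]:
    """Start offsets of the segments a SmartPattern-style locker would overwrite."""
    return [size * p // 100 for p in range(0, 100, step_percent)]


def classify(data: bytes, segment: int = SEGMENT_BYTES, threshold: float = HIGH_ENTROPY) -> str:
    """Triage one file body.

    'full'    - the whole file is high-entropy (Full mode, but also any compressed or
                already-encrypted file, so this alone is not proof of ransomware)
    'pattern' - every expected segment is high-entropy while the bytes between the
                segments are not: the signature of intermittent encryption
    'plain'   - nothing looks encrypted
    """
    if not data:
        return "plain"
    if shannon_entropy(data) >= threshold:
        return "full"
    offsets = pattern_offsets(len(data))
    segments = [shannon_entropy(data[o:o + segment]) for o in offsets]
    gaps = []
    for i, o in enumerate(offsets):
        start = o + segment
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        if end > start:
            gaps.append(shannon_entropy(data[start:end]))
    # Files smaller than ten segments have no gaps: the pattern covers them entirely,
    # so they can only come out as 'full' or 'plain'.
    if all(e >= threshold for e in segments) and gaps and all(g < threshold for g in gaps):
        return "pattern"
    return "plain"


def make_samples() -> dict[str, bytes]:
    """Constructed inputs: plaintext, random bytes standing in for Full-mode output, and a
    SmartPattern-style file where only the pattern segments were overwritten with random bytes."""
    rng = random.Random(2023)          # fixed seed: the demo is reproducible
    size = 200 * 1024
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text = (sentence * (size // len(sentence) + 1))[:size]
    full = rng.randbytes(size)
    patterned = bytearray(text)
    for o in pattern_offsets(size):
        patterned[o:o + SEGMENT_BYTES] = rng.randbytes(SEGMENT_BYTES)
    return {"plain": text, "full": full, "pattern": bytes(patterned)}


if __name__ == "__main__":
    for name, body in make_samples().items():
        print(f"{name:8s} -> {classify(body)}")
```

Run it on a directory of suspect files by replacing `make_samples()` with `open(path, "rb").read()`; in practice the pattern check is the useful one, because compressed archives and media already look "full" by entropy alone.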

According to the same announcement, the ransomware supports the following systems:

  • Windows 7 and higher (tested on 7, 8.1, 10, 11; 2008R2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted over SMB
  • ESXi Servers (tested on 5.5, 6.5, 7.0.2u)
  • Debian (tested on 7, 8 and 9)
  • Ubuntu (tested on 18.04, 20.04)
  • ReadyNas, Synology

ALPHV can also be configured with domain credentials, which it uses to propagate the ransomware and encrypt other devices on the network. The executable extracts PsExec into the %Temp% folder and uses it to copy the ransomware to other devices on the network and execute it, encrypting the remote Windows machine.

When launching the ransomware, the affiliate can use a console-based user interface that allows them to monitor the progress of the attack.

Figure 5: Encrypting test files.

In the sample analyzed, the ransomware shuts down Windows processes and services that could prevent files from being encrypted. These include Veeam (backup software), database servers, Microsoft Exchange, Office applications, email clients, and others.

Other actions performed include emptying the Recycle Bin, deleting Volume Shadow Copies, enumerating other devices on the network, and connecting to a Microsoft cluster.

Finally, after the encryption routine, the ransomware appends a randomly generated extension to every encrypted file; the same extension appears in the name of the ransom note, which follows the format "RECOVER-[extension]-FILES.txt".

Figure 6: Example of ransom note created by Bleeping Computer.

In order to run, the ransomware must be executed with the parameters related to the access token; if executed without such a token, the executable does not start.

Figure 7. Attempted ransomware execution.

The token is customized for each victim, that is, for each execution the initialization token must be supplied in the ransomware's parameters, linking the executable to the deployment script; in this case a 32-character token is used to initialize it.

In other cyber attacks, the attackers were observed using various remote access software as a fallback method for connecting to the targets' networks, including AnyDesk and TeamViewer, and even installing ngrok to tunnel remote access.

Figure 8. Example PowerShell script used by the actors to download the AnyDesk tool and set a password for the client.

It is also worth noting that there are variants for other operating systems, such as Linux; this variant was identified in December 2021.

Figure 9. The -help menu of the Linux variant of ALPHV.

Figure 10. Contents of the ransomware configuration JSON file.

Attack chain and TTPs

In addition to the above, ALPHV follows the stages common to other human-operated ransomware attacks: initial compromise, data exploitation and exfiltration, attack preparation, and execution.

Figure 11. Attack chain used by the ALPHV (BlackCat) Ransomware.

During the attack chain, the use of tools such as 7zip, LaZagne, MEGAsync, Mimikatz, PsExec, WebBrowserPassView, ConnectWise Control, Cobalt Strike, NetScan, Bloodhound, CrackMapExec, Inveigh, and Rclone was observed; these tools are also used by other ransomware operators.

In addition, the following TTPs used by ALPHV operators were observed; if a combination of these techniques is identified, a possible ransomware attack linked to ALPHV may be under way.

Initial Access (TA0001)
  • Valid Accounts (T1078)

Collection (TA0009)
  • Data from Local System (T1005)
  • Archive Collected Data (T1560)

Persistence (TA0003)
  • Create or Modify System Process: Windows Service (T1543.003)

Defense Evasion (TA0005)
  • Modify Registry (T1112)
  • Impair Defenses: Disable or Modify Tools (T1562.001)
  • Obfuscated Files or Information (T1027)
  • Obfuscated Files or Information: Software Packing (T1027.002)
  • Deobfuscate/Decode Files or Information (T1140)
  • Indirect Command Execution (T1202)
  • Use Alternate Authentication Material: Pass the Hash (T1550.002)
  • System Binary Proxy Execution: CMSTP (T1218.003)

Credential Access (TA0006)
  • Dump lsass (T1003.004)
  • Unsecured Credentials (T1552)
  • Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Exfiltration (TA0010)
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)

Execution (TA0002)
  • Windows Management Instrumentation (T1047)
  • Scheduled Task/Job: Cron (T1053.003)
  • Command and Scripting Interpreter (T1059)
  • Shared Modules (T1129)
  • System Services: Service Execution (T1569.002)

Discovery (TA0007)
  • System Network Connections Discovery (T1049)
  • System Service Discovery (T1007)
  • Process Discovery (T1057)
  • System Information Discovery (T1082)
  • File and Directory Discovery (T1083)

Lateral Movement (TA0008)
  • SMB/Windows Admin Shares (T1021.002)
  • RDP (T1021.001)
  • Lateral Tool Transfer (T1570)

Command and Control (TA0011)
  • Proxy: Multi-hop Proxy (T1090.003)
  • Ingress Tool Transfer (T1105)

Impact (TA0040)
  • Data Destruction (T1485)
  • Data Encrypted for Impact (T1486)
  • Service Stop (T1489)
  • Inhibit System Recovery (T1490)
  • Network Denial of Service (T1498)
  • Endpoint Denial of Service (T1499)
  • Account Access Removal (T1531)

CVEs used

In the identified cyber attacks, four known and already published vulnerabilities were verified to have been exploited by ALPHV threat actors:

  • CVE-2021-31207: Microsoft Exchange Server vulnerability.
  • CVE-2021-34473: Microsoft Exchange Server remote code execution vulnerability.
  • CVE-2021-34523: Microsoft Exchange Server elevation of privilege vulnerability.
  • CVE-2016-0099: Vulnerability in the secondary logon service of Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1 and Windows 10 Gold and 1511 which could allow local users to obtain privileges through a crafted application.

Data Leakage

ALPHV uses a data leak site, accessible via the Tor Network, to publish its victims.

Figure 12. ALPHV data leak site.

In the first week of March 2023, a cyber attack was identified against a company in the medical and hospital services segment, in which ALPHV exfiltrated data; among the personal data disclosed were photographs of patients undergoing treatment for various diagnoses.

This clearly shows that ransomware operators are increasingly using extortion arguments and methods to force organizations to pay, whether to recover their systems or to prevent the disclosure of personal data.


When BlackCat (ALPHV) was first identified, the shutdown of the REvil and BlackMatter operations created an opportunity for BlackCat to take over the ransomware niche alongside the LockBit operators.

BlackCat has some notable characteristics, such as being compiled in a different programming language from most ransomware, namely Rust.

Another relevant fact is that ALPHV attacks institutions across several sectors rather than targeting a specific segment, and it also exfiltrates data and information of interest to the operators in order to reinforce the extortion for payment.

Hunting ALPHV

In addition to the recommendations covered below, there are other options and actions that can help hunt for and identify ALPHV/BlackCat activity on your network or infrastructure:

  • Identification of suspicious SMB traffic.
  • Deletion of Volume Shadow Copies via "vssadmin".
  • Recovery mode edited or disabled using "bcdedit.exe".
  • Propagation via "psexec".
  • Use of anti-forensic tools such as file wipers.
  • Machine UUID collected via WMIC commands.
    • The universally unique identifier (UUID) is later used, along with the token, to identify the victim on the Tor site hosted by the malicious actors.
  • Execution of ARP table commands to display current ARP entries.
  • Clearing of all event logs via "wevtutil.exe".
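The hunting points above are most useful when read together, since a lone vssadmin or arp call is routine administration. The script below is an added example written for this article (not ISH's tooling and not part of the report) that scores process-creation events per host and flags a host only when several distinct behaviours from the list co-occur. The events are constructed, and the regular expressions encode common invocation forms of the built-in tools named above (vssadmin, bcdedit, wevtutil, PsExec, WMIC, arp); they are assumptions, not strings taken from an ALPHV sample. SMB traffic analysis and file-wiper detection are network- and disk-side checks and are out of scope for this block.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process-creation event: host, user, image path and command line."""
    host: str
    user: str
    image: str
    cmdline: str


# Rules for the command-line behaviours listed in the report. The argument forms are
# assumptions about how these tools are commonly invoked, not strings from a sample.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("psexec_propagation", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("uuid_collection", re.compile(r"\bwmic(\.exe)?\b.*\bcsproduct\b.*\buuid\b", re.I)),
    ("arp_enumeration", re.compile(r"\barp(\.exe)?\s+-a\b", re.I)),
]

# Constructed sample events. WS01 shows the clustered sequence the report describes;
# SRV02 is routine admin activity touching the same tools; WS03 is unrelated noise.
SAMPLE_EVENTS = [
    Event("WS01", "CORP\\alice", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("WS01", "CORP\\alice", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Event("WS01", "CORP\\alice", r"C:\Windows\System32\wbem\WMIC.exe", "wmic csproduct get uuid"),
    Event("WS01", "CORP\\alice", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    Event("WS01", "CORP\\alice", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    Event("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    Event("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    Event("WS03", "CORP\\bob", r"C:\Program Files\Office\winword.exe", "winword.exe report.docx"),
]


def match_rules(event: Event) -> set[str]:
    """Names of every rule whose pattern matches the event's command line."""
    return {name for name, rx in RULES if rx.search(event.cmdline)}


def hunt(events, min_categories: int = 3):
    """Return (individual hits, flagged hosts).

    A host is flagged only when at least `min_categories` distinct behaviours appear on
    it, which is the "combination of techniques" the report asks analysts to look for.
    """
    hits = []
    per_host = defaultdict(set)
    for ev in events:
        names = match_rules(ev)
        for name in sorted(names):
            hits.append((ev.host, ev.user, name, ev.cmdline))
        per_host[ev.host] |= names
    flagged = {host: sorted(cats) for host, cats in per_host.items()
               if len(cats) >= min_categories}
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = hunt(SAMPLE_EVENTS)
    for host, user, name, cmdline in hits:
        print(f"{host:6s} {user:18s} {name:22s} {cmdline}")
    for host, cats in flagged.items():
        print(f"FLAGGED {host}: {', '.join(cats)}")
```

To use this against real telemetry, map Sysmon Event ID 1 or Windows Security 4688 records onto `Event` and tune `min_categories` to the noise level of your environment; the per-host grouping is what keeps backup servers that legitimately run vssadmin from raising alerts on their own.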


In addition to the indicators of compromise listed below by ISH, measures can be taken to mitigate infection by this malware, such as:

  • Perform regular backups: store backup copies of all important data in a secure, disconnected location.
  • Perform software updates: keep all software assets up to date, including operating systems and applications.
  • Use network protection such as firewalls, antivirus and other security measures to protect your network.
  • Carry out awareness work with employees, teaching them to recognize and avoid threats such as phishing and clicking on malicious links.
  • Monitor your network and systems regularly to identify and quickly respond to any suspicious activity.
  • Create and implement an incident response plan that can be used in the event of a ransomware attack and that covers topics such as backups and system recovery.

Indicators of Compromise

ISH Technology handles several indicators of compromise collected through open sources, closed sources and analysis performed by the Heimdall security team. Accordingly, below we list all indicators of compromise (IOCs) related to the analysis of the artifact(s) in this report.

Malicious/analyzed artifact indicators of compromise (file names):

  • plLZT9yYjuyYODz2M6HuVviEqlgEgC.exe
  • blackcat.elf. rust
  • blackcat
  • yyy.exe
  • ananadae.exe
  • winlogon.exe
  • netlogon.exe

Distribution URLs and C2 IPs:

In addition to these indicators of compromise related to ALPHV, ISH Tecnologia, through its GTI (Global Threat Intelligence) service run by the Heimdall Intelligence team, collects and processes indicators related to various threats every day, such as malicious IP addresses, domains and file hashes, and can deliver indicators arising from incidents and threat identification.

Figure 13. Indicators of compromise handled by ISH via GTI.

The example above lists the hashes handled by ISH, and the example below covers the ALPHV Ransomware event, for which several other IOCs of this threat actor have been collected and can be delivered through GTI.

Figure 14. Indicators of compromise linked to ALPHV in GTI.

Figure 15. Indicators of compromise linked to ALPHV in GTI.


