ALPHV/BlackCat
Russian-speaking ransomware-as-a-service operation, first observed November 2021, notable as the first prominent ransomware family written in Rust. Operated the affiliate program responsible for the February 2024 attack on Change Healthcare (UnitedHealth subsidiary) which disrupted U.S. pharmacy claims processing for weeks. The operation ran an exit-scam in early March 2024 after the Change Healthcare ransom was paid, stiffing its own affiliate.
Aliases
Motivations
Target sectors
Target countries
Lineage & relationships
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Tools & malware
Timeline
- Indictment · High · 2025-11-19 · U.S. Department of Justice
Two U.S. cybersecurity workers plead guilty to ALPHV BlackCat affiliate scheme
DOJ announced that Ryan Goldberg and Kevin Martin pleaded guilty in the Southern District of Florida to conspiring to commit Hobbs Act extortion via ALPHV BlackCat attacks on U.S. victims between April and December 2023. The defendants, both employed in the cybersecurity industry, agreed to pay the BlackCat operators a 20% share of ransoms and extorted approximately $1.2 million in Bitcoin from one victim.
Tags: doj, guilty-plea, affiliate, extortion
- Announcement · High · 2024-03-05 · BleepingComputer
ALPHV BlackCat shuts down in apparent exit scam after Change Healthcare payment
The ALPHV BlackCat operators took their Tor leak site offline on 1 March 2024 and on 5 March announced the operation's closure, posting a fabricated FBI seizure banner that the UK NCA publicly denied. The operators offered the ransomware source code for $5 million and stiffed the affiliate behind the Change Healthcare intrusion, who retained roughly 4 TB of stolen data.
Tags: exit-scam, raas, infrastructure
- Compromise · Critical · 2024-02-21 · Krebs on Security
Change Healthcare ransomware incident attributed to ALPHV BlackCat
UnitedHealth Group's Change Healthcare subsidiary was crippled by ALPHV BlackCat ransomware after the actors used credentials on a remote-access portal lacking multi-factor authentication. The incident disrupted U.S. healthcare claims and pharmacy processing for weeks and ultimately involved a roughly $22 million ransom payment that the operators kept rather than sharing with the affiliate who conducted the intrusion.
Tags: healthcare, supply-chain, extortion, mfa
- Announcement · High · 2023-12-19 · Krebs on Security
FBI-led international operation seizes ALPHV infrastructure and releases decryptor
U.S. and partner agencies (UK NCA, Europol, Germany, Denmark, Spain, Australia) executed a coordinated disruption of ALPHV BlackCat, seizing several Tor sites and releasing a decryptor developed with the help of a confidential source who provided access to the affiliate panel. The FBI said the tool had already helped roughly 500 victims avoid an estimated $68 million in ransom demands.
Tags: law-enforcement, takedown, decryptor
- Advisory · High · 2023-12-19 · CISA
Joint CISA/FBI/HHS advisory AA23-353A on ALPHV BlackCat
FBI, CISA, and HHS released joint Cybersecurity Advisory AA23-353A detailing TTPs and IOCs for the ALPHV BlackCat RaaS, including the February 2023 'Sphynx' 2.0 rewrite that added Linux and VMware ESXi targeting. The advisory was updated on 27 February 2024 to note that, after early-December 2023 law enforcement action, the administrator urged affiliates to target the healthcare sector.
Tags: advisory, ransomware, healthcare, esxi
- Report · Medium · 2021-11-01 · MITRE ATT&CK
ALPHV/BlackCat Rust-based RaaS first observed
MITRE ATT&CK records the BlackCat (a.k.a. ALPHV, Noberus) ransomware-as-a-service as first observed in November 2021. Written in Rust, it was among the first cross-platform ransomware families to ship native Windows, Linux, and ESXi builds, and is linked by researchers to the BlackMatter / DarkSide lineage.
Tags: ransomware, raas, rust, emergence
Indicators of compromise
| Type | Value | First seen | Source |
|---|---|---|---|
| SHA-256 | SHA-256 of an ALPHV BlackCat Windows encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2). | Dec 18, 2023 | CISA |
| SHA-256 | SHA-256 of an ALPHV BlackCat Linux encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2). | Dec 18, 2023 | CISA |
| Domain | Command-and-control domain used by ALPHV BlackCat affiliates, published in the Network Indicators table of CISA/FBI/HHS advisory AA23-353A. | Dec 18, 2023 | CISA |
Related actors
Shared ATT&CK techniques:
- RU · Russia · DarkSide · 4 shared techniques
- RU · Russia · INC Ransom · 4 shared techniques
- RU · Russia · 8Base · 3 shared techniques
- ?? · Unknown · Akira · 3 shared techniques
- RU · Russia · Conti · 3 shared techniques
- ?? · Unknown · Hive · 3 shared techniques
Cite this page
Threat Intel Tracker. (2026-05-19). ALPHV/BlackCat — actor profile. Retrieved from https://threatintel.local/actors/alphv-blackcat