What is BlackCat?
BlackCat (S1068), also known as ALPHV, is a highly adaptable ransomware strain written in Rust. First observed in late 2021, it was among the first major ransomware families written in Rust, which let its operators build Windows and Linux (including VMware ESXi) variants from a single codebase and tailor each build to the victim.
BlackCat operated as Ransomware-as-a-Service (RaaS): affiliates broke into networks, located and exfiltrated sensitive data, and only then deployed the encryptor. The encryptor sabotages recovery by stopping virtual machine services, deleting local Volume Shadow Copies, and clearing Windows event logs to hinder forensic reconstruction of the intrusion. Affiliates then apply double extortion, threatening to publish the stolen data if the ransom is not paid.
Although the operation was highly profitable, the core ALPHV infrastructure is now defunct. Following the February 2024 attack on Change Healthcare, the developers staged an exit scam, kept the ransom payment owed to their affiliates, and shut down operations. Prominent affiliates such as Scattered Spider subsequently migrated to RansomHub (S1212).
Security teams still encounter BlackCat indicators of compromise (IoCs). Although the core operation is gone, the BlackCat encryptor has circulated on underground forums, lower-tier criminals continue to reuse the abandoned code in isolated attacks, and newer groups recycle historical BlackCat infrastructure and tooling.
How to Defend Against BlackCat?
Defending against BlackCat requires strong access controls, resilient offline backups, and continuous network monitoring.
- Secure remote access: Affiliates frequently gained initial access with stolen credentials on exposed remote services such as VPN gateways and RDP. Enforce Multi-Factor Authentication (MFA), preferably phishing-resistant, on every remote-access path, and use Lumu Discover to map and monitor your attack surface.
- Maintain offline backups: BlackCat deletes Volume Shadow Copies and any other backups reachable from the compromised host. Keep your most critical data in offline or immutable backups that compromised domain credentials cannot reach, and test restores regularly, so you can recover operations without negotiating with criminals.
- Deploy endpoint detection: Monitor devices for suspicious administrative commands. Flag any process that clears Windows event logs (for example `wevtutil cl` or `Clear-EventLog`), deletes shadow copies (`vssadmin delete shadows`, `wmic shadowcopy delete`), or stops virtualization services, and treat a burst of such commands from one host as a likely pre-encryption signal.
- Use network detection and response (NDR): Tools like Lumu Defender can surface large outbound transfers to unfamiliar destinations, which precede encryption in a double-extortion intrusion, and the periodic command-and-control beacons that BlackCat affiliates use to maintain access.
- Integrate threat intelligence: Use platforms like Lumu Maltiverse to stay updated on the latest BlackCat indicators. Block access to the malicious domains and IP addresses associated with ALPHV campaigns, and keep treating recycled infrastructure as hostile even after the brand's shutdown.
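As an added example (not Lumu's code and not tooling from the page), the following implements the endpoint check described in the "Deploy endpoint detection" bullet: it runs the recovery-sabotage and log-clearing patterns over a handful of constructed process-creation events. Field names (RecordId, Image, CommandLine) follow Sysmon Event ID 1 as an assumption, the Hyper-V service name `vmms` is an assumption for the "stop VM services" case, and the sample events are constructed, not real telemetry.

```python
"""Flag process-creation events that match the recovery sabotage and
event-log clearing behaviour attributed to BlackCat.

Added example, not Lumu's or the BlackCat operators' code. Field names
follow Sysmon Event ID 1 (RecordId, Image, CommandLine) as an assumption,
and SAMPLE_EVENTS below are constructed, not captured telemetry.
"""
import re

# (rule name, pattern over the normalized command line, ATT&CK technique)
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"), "T1490"),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "T1490"),
    ("shadow_copy_delete_powershell",
     re.compile(r"win32_shadowcopy.*\.delete\(\)"), "T1490"),
    ("eventlog_clear_wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b"), "T1070.001"),
    ("eventlog_clear_powershell",
     re.compile(r"\bclear-eventlog\b"), "T1070.001"),
    # Assumption: Hyper-V Virtual Machine Management service is named 'vmms'.
    ("vm_service_stop",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+vmms\b"), "T1489"),
]


def normalize(cmdline: str) -> str:
    """Lowercase, drop double quotes and collapse whitespace so quoting
    and spacing tricks do not break the token-based patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()


def matching_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches this command line."""
    norm = normalize(cmdline)
    return [name for name, pattern, _ in RULES if pattern.search(norm)]


def detect(events) -> list:
    """Return one alert per (event, rule) match, preserving event order."""
    alerts = []
    for ev in events:
        norm = normalize(ev.get("CommandLine", ""))
        for name, pattern, technique in RULES:
            if pattern.search(norm):
                alerts.append({
                    "record_id": ev["RecordId"],
                    "image": ev.get("Image", ""),
                    "rule": name,
                    "technique": technique,
                    "command_line": ev.get("CommandLine", ""),
                })
    return alerts


# Constructed sample events: four malicious, two benign admin actions,
# one PowerShell variant of shadow copy deletion.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe Shadowcopy Delete"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') do wevtutil.exe cl "%1"'},
    {"RecordId": 4, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop vmms"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: enumeration only
    {"RecordId": 6, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5 /rd:true"},  # benign: log query
    {"RecordId": 7, "Image": "powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"record {a['record_id']}: {a['rule']} ({a['technique']}) <- {a['command_line']}")
```

Records 1, 2, 3, 4 and 7 are flagged; the `vssadmin list` and `wevtutil qe` events are not, because the patterns key on the destructive verb rather than the binary alone. Two caveats for production use: the patterns still expect the tool's name token, so a renamed `vssadmin.exe` escapes them unless you also match on Sysmon's OriginalFileName (taken from the PE version resource); and a single match is a strong lead but not proof, so correlate several of these from one host within a short window before paging.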