ALPHV / BlackCat (Noberus) Ransomware: Threat Actor Profile
ALPHV/BlackCat was the most technically polished Rust-based RaaS of its generation, taking nearly $300M from 1,000+ victims before the Change Healthcare attack and an apparent 2024 exit scam. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
ALPHV/BlackCat was the most technically polished Rust-based ransomware-as-a-service (RaaS) brand of its generation and, for a time, the second-most prolific ransomware variant in the world. The DOJ said victims had paid hundreds of millions of dollars globally; the FBI's own figures put it at more than 1,000 victims paying nearly $300 million by September 2023.
ALPHV/BlackCat: at a glance
- Aliases: BlackCat, ALPHV, Noberus
- Country / affiliation: Russian-speaking criminal ecosystem
- Assessed status (as of July 2026): Brand largely inactive
- Primary objectives: Double extortion and affiliate monetization
- Financial destruction / gain: ~$300 million in ransom payments from more than 1,000 victims by September 2023; broader global losses in the hundreds of millions
- Type: ransomware-as-a-service (RaaS) (Rust-based double extortion)
Who is ALPHV/BlackCat?
Active from 2021, the group is best remembered for its 2024 Change Healthcare episode, one of the most disruptive healthcare cyberattacks in U.S. history, which appears to have ended in an exit scam. The public ALPHV brand largely disappeared afterwards, while its affiliates and related crews continued to circulate under new names.
Aliases and attribution
ALPHV is widely assessed as a successor to the BlackMatter/DarkSide lineage within the Russian-speaking cybercrime ecosystem. Vendors track it as BlackCat and Noberus. After the FBI's late-2023 disruption and the DOJ's action against the operation, the group re-emerged briefly before the Change Healthcare exit scam collapsed the brand — a case study in the fluid threat actor identities of the RaaS world.
Financial impact and damage
The FBI attributed nearly $300 million in payments from 1,000+ victims to ALPHV by September 2023. The February 2024 attack on Change Healthcare — which processes a large share of U.S. medical claims — caused multi-billion-dollar disruption across the healthcare payment system and reportedly involved a $22 million ransom that preceded the group's apparent exit scam against its own affiliate.
ALPHV/BlackCat timeline
- 2021: BlackCat first observed
- 2023: 1,000+ victims; FBI/DOJ disruption and decryptor release
- 2024: Change Healthcare attack and alleged $22M payment
- 2024: Suspected exit scam and brand collapse
Notable attacks and campaigns
BlackCat was among the first major ransomware families written in Rust, enabling cross-platform encryption of Windows, Linux, and VMware ESXi. The Change Healthcare attack demonstrated systemic risk — a single healthcare-technology compromise rippling across pharmacies and providers nationwide. The subsequent exit scam, in which ALPHV allegedly kept an affiliate's cut, hastened the brand's demise.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1548.002 — Bypass UAC: ATT&CK documents UAC bypass in BlackCat. Watch for elevated COM and UAC-bypass chains from newly dropped binaries.
- T1087.002 — Domain Account Discovery: BlackCat enumerates domain users with built-in net-style commands (ATT&CK records net use-style enumeration). Hunt for bursts of account- and group-enumeration commands from a newly compromised host within a short window.
- T1486 — Data Encrypted for Impact: BlackCat's Rust builds encrypt Windows and Linux systems and VMware ESXi hosts. Separate hypervisor management from the production network, harden ESXi, and alert when encryption activity appears on more than one platform in the same window.
Detection and defense against ALPHV/BlackCat
BlackCat's cross-platform, ESXi-capable encryption makes hypervisor and identity hardening essential:
- Harden and isolate VMware ESXi / vCenter management planes.
- Watch for UAC-bypass and elevated-COM chains from newly dropped binaries.
- Detect rapid domain-account enumeration from newly compromised hosts.
- Alert when file-encryption activity (mass renames or content changes) appears on Windows, Linux, and ESXi hosts within the same short window; one family reaching several platforms at once is the BlackCat pattern.
- Enforce MFA on remote access and privileged accounts, and map the third-party / healthcare-technology dependencies (claims processors, clearinghouses) whose outage would halt your own operations.
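The two hunting ideas above (rapid domain-account enumeration from one host, and encryption landing on hosts of different platforms at nearly the same time) are easy to state and easy to get wrong without a concrete correlation rule. The following is an added example, not code from the original page or from any vendor; it runs over constructed log lines in an assumed pipe-delimited schema (timestamp|host|platform|event|detail), and the command list it treats as enumeration and the ".locked" placeholder extension are assumptions for illustration, not BlackCat artifacts.

```python
"""Toy correlation logic for two BlackCat-style signals:
 1. a burst of domain-account enumeration commands from a single host
 2. file-rename bursts on hosts of >= 2 platforms inside one short window
Log lines and field layout are constructed for this example (assumed schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|host|platform|event|detail".
# ".locked" is a placeholder extension, not a real BlackCat indicator.
SAMPLE_LOG = """\
2024-02-21T03:00:05Z|WS-117|windows|process|net user /domain
2024-02-21T03:00:09Z|WS-117|windows|process|net group "Domain Admins" /domain
2024-02-21T03:00:14Z|WS-117|windows|process|net group "Enterprise Admins" /domain
2024-02-21T03:00:20Z|WS-117|windows|process|nltest /dclist:corp
2024-02-21T03:05:00Z|WS-042|windows|process|net user jdoe /domain
2024-02-21T04:10:00Z|FS-01|windows|file_rename|D:\\shares\\q4.xlsx -> q4.xlsx.locked
2024-02-21T04:10:01Z|FS-01|windows|file_rename|D:\\shares\\ar.pdf -> ar.pdf.locked
2024-02-21T04:10:03Z|ESX-02|esxi|file_rename|/vmfs/volumes/ds1/db01/db01.vmdk -> db01.vmdk.locked
2024-02-21T04:10:04Z|ESX-02|esxi|file_rename|/vmfs/volumes/ds1/db01/db01.vmx -> db01.vmx.locked
2024-02-21T04:10:06Z|LNX-07|linux|file_rename|/srv/backup/full.tar -> full.tar.locked
2024-02-21T04:10:07Z|LNX-07|linux|file_rename|/srv/backup/inc.tar -> inc.tar.locked
2024-02-21T09:00:00Z|WS-042|windows|file_rename|C:\\Users\\a\\draft.docx -> draft_v2.docx
"""


def parse_log(text):
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, platform, event, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "platform": platform,
                       "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def is_domain_enumeration(cmd):
    """Assumed enumeration pattern: net <x> ... /domain, or any nltest call."""
    c = cmd.lower().strip()
    return (c.startswith("net ") and "/domain" in c) or c.startswith("nltest ")


def bursts_by_host(events, predicate, window, threshold):
    """{host: burst_start} for hosts with >= threshold matching events
    inside any sliding window of length `window`."""
    stamps_by_host = defaultdict(list)
    for e in events:
        if predicate(e):
            stamps_by_host[e["host"]].append(e["ts"])
    hits = {}
    for host, stamps in stamps_by_host.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = stamps[start]
                break
    return hits


def detect_account_enumeration(events, window=timedelta(seconds=60), threshold=3):
    """Signal 1: >= threshold domain-enumeration commands from one host in `window`."""
    return bursts_by_host(
        events,
        lambda e: e["event"] == "process" and is_domain_enumeration(e["detail"]),
        window, threshold)


def detect_cross_platform_encryption(events, window=timedelta(minutes=5),
                                     per_host_threshold=2, min_platforms=2):
    """Signal 2: rename bursts on hosts of >= min_platforms distinct platforms
    whose burst starts all fall within `window`. Returns the widest such group."""
    bursts = bursts_by_host(events, lambda e: e["event"] == "file_rename",
                            window, per_host_threshold)
    platform_of = {e["host"]: e["platform"] for e in events}
    items = sorted(bursts.items(), key=lambda kv: kv[1])  # (host, burst_start)
    best, start = None, 0
    for end in range(len(items)):
        while items[end][1] - items[start][1] > window:
            start += 1
        group = items[start:end + 1]
        platforms = {platform_of[h] for h, _ in group}
        if len(platforms) >= min_platforms and (
                best is None or len(platforms) > len(best["platforms"])):
            best = {"hosts": sorted(h for h, _ in group),
                    "platforms": sorted(platforms)}
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("account enumeration bursts:", detect_account_enumeration(evs))
    print("cross-platform encryption:", detect_cross_platform_encryption(evs))
```

On the sample, WS-117 trips the enumeration rule (four commands in 15 seconds) while WS-042's single lookup does not, and the three rename bursts on FS-01, ESX-02 and LNX-07 correlate into one Windows/ESXi/Linux event while the lone rename on WS-042 is ignored. In production the thresholds and the enumeration command list should be tuned against your own baseline; the structure (per-host burst detection, then cross-host correlation on platform) is the part that carries over.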
The bottom line
ALPHV/BlackCat proved how technically sophisticated — and how treacherous — modern RaaS can be, collapsing its own brand in an exit scam after inflicting billions in healthcare disruption. See how ALPHV/BlackCat ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is ALPHV / BlackCat ransomware?
ALPHV (also called BlackCat or Noberus) was a Russian-speaking ransomware-as-a-service operation, notable as one of the first major Rust-based ransomware families capable of encrypting Windows, Linux, and VMware ESXi systems.
How much did ALPHV / BlackCat make?
The FBI said more than 1,000 victims had paid nearly $300 million to ALPHV by September 2023, with broader global losses in the hundreds of millions.
What was the Change Healthcare attack?
In February 2024, an ALPHV affiliate attacked Change Healthcare, disrupting U.S. medical claims processing nationwide. It reportedly involved a $22 million ransom and preceded ALPHV's apparent exit scam.
Is BlackCat still active?
The public ALPHV/BlackCat brand largely collapsed after the 2024 exit scam, but its affiliates and tradecraft dispersed into other ransomware operations.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: