Ransom:Win32/BlackCat.B
Aliases: No associated aliases
Summary
BlackCat (also known as ALPHV) encrypts the files on a device, rendering the device inoperable or its data inaccessible, and demands payment for the decryption key.
BlackCat is a highly configurable ransomware-as-a-service (RaaS) offering written in the Rust programming language and targeting Windows and Linux platforms. Threat actors gain access to compromised accounts and deploy this ransomware payload. BlackCat, like many other RaaS groups, encrypts files, exfiltrates data, and threatens to release the stolen data if the ransom demand is not met.
For more information about Cobalt Strike and other human-operated malware campaigns, read these blog posts:
The many lives of BlackCat ransomware
Human-operated ransomware
Ransomware as a service: Understanding cybercrime gig economy and how to protect yourself
Guidance for end users
To learn more about preventing ransomware or other malware from affecting individual devices, read about preventing malware infection.
Guidance for enterprise administrators
Ransomware more often attacks enterprises than individuals. Following these mitigation steps can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
Secure Remote Desktop Gateway using solutions like Microsoft Entra multifactor authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
Use the Microsoft Defender Firewall and your network firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Links protection is turned on for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
Educate end users about protecting personal and business information on social media, filtering unsolicited communication, identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
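The brute-force monitoring step above says to watch for excessive failed authentication attempts (Windows security event ID 4625) but does not show how to turn a stream of those events into an alert. The following is an added example, not code from Microsoft or from this page: it takes 4625 records as a list of dicts with the fields the event carries (TimeCreated, TargetUserName, IpAddress, LogonType, SubStatus), slides a time window over each source IP's failures, and separates a single-account brute force from a password spray (one source, many accounts, few attempts each), which a plain per-account threshold would miss. The threshold, window and spray_accounts values and the SAMPLE_EVENTS are constructed for the example and should be tuned to the environment.

```python
"""Flag brute-force and password-spray patterns in Windows Security
event ID 4625 (failed logon) records.

Input: a list of dicts carrying the 4625 fields TimeCreated (ISO 8601),
TargetUserName, IpAddress, LogonType and SubStatus. SAMPLE_EVENTS below
is constructed for this example; it is not a real log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering a single account (brute force),
# one source trying many accounts once each (spray), and one benign typo.
# SubStatus 0xC000006A is "wrong password"; LogonType 10 is RDP, 3 network.
SAMPLE_EVENTS = [
    {"TimeCreated": f"2024-01-15T03:00:{i * 5:02d}", "TargetUserName": "administrator",
     "IpAddress": "203.0.113.10", "LogonType": 10, "SubStatus": "0xC000006A"}
    for i in range(12)
] + [
    {"TimeCreated": f"2024-01-15T03:01:{i * 3:02d}", "TargetUserName": f"user{i:02d}",
     "IpAddress": "198.51.100.7", "LogonType": 3, "SubStatus": "0xC000006A"}
    for i in range(8)
] + [
    {"TimeCreated": "2024-01-15T03:02:00", "TargetUserName": "jsmith",
     "IpAddress": "10.0.0.25", "LogonType": 2, "SubStatus": "0xC000006A"},
]


def detect_failed_logon_bursts(events, threshold=10, window=timedelta(minutes=5),
                               spray_accounts=5):
    """Return {source_ip: finding} for every source IP that, within any
    `window`, either fails against >= `spray_accounts` distinct accounts
    (password spray) or accumulates >= `threshold` failures (brute force).
    The finding reports the busiest window seen for that source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # order by time so the sliding window is valid
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            accounts = {user for _, user in in_window}
            if len(accounts) >= spray_accounts:
                kind = "password_spray"
            elif len(in_window) >= threshold:
                kind = "brute_force"
            else:
                continue
            # Keep the window with the most failures for this source.
            if ip not in findings or len(in_window) > findings[ip]["attempts"]:
                findings[ip] = {
                    "kind": kind,
                    "attempts": len(in_window),
                    "accounts": sorted(accounts),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"{ip}: {finding['kind']} ({finding['attempts']} failures, "
              f"{len(finding['accounts'])} account(s)) "
              f"{finding['first_seen']} .. {finding['last_seen']}")
```

On a real host the same function can be fed from an export such as `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` converted to JSON with the five fields above; the per-IP grouping is what distinguishes a spray from a user who mistyped a password, and the window keeps a slow, steady trickle from being lost in daily totals.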