FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide

Systems Networks
Advisory ID:
April 25, 2022


The U.S. Federal Bureau of Investigation (FBI) has raised the alarm on the BlackCat ransomware-as-a-service (RaaS) operation, which it said had victimized at least 60 entities worldwide as of March 2022 since its emergence last November. The FBI disseminated the known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with the ransomware variants identified through its investigations. BlackCat is the first ransomware group known to have succeeded in writing its malware in Rust, a programming language considered more secure than the usual choices and one that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero. Many of the developers and money launderers behind BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating that they have extensive networks and experience with ransomware operations.

Description & Consequence

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim's network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during the compromise.

After successful exploitation, the BlackCat/ALPHV ransomware steals victim data prior to the ransomware's execution, including data from cloud providers where company or client data was stored. The actors use Windows scripting to distribute ransomware and compromise additional hosts.


The following mitigations are recommended to guard against BlackCat/ALPHV and other ransomware groups:

  1. Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  2. Regularly back up data, and air-gap and password-protect backup copies offline. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.
  3. Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review scheduled tasks defined by or recognized as part of the operating system for unrecognized "actions" (that is, review the steps each scheduled task is expected to perform).
  4. Review antivirus logs for indications they were unexpectedly turned off.
  5. Implement network segmentation.
  6. Require administrator credentials to install software.
  7. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  8. Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  9. Use multifactor authentication where possible.
  10. Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  11. Implement the shortest acceptable timeframe for password changes.
  12. Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  13. Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  14. Install and regularly update antivirus and anti-malware software on all hosts.
  15. Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  16. Consider adding an email banner to emails received from outside your organization.
  17. Disable hyperlinks in received emails.
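As an added illustration of items 1 and 3 (example code written for this page, not the advisory's or the FBI's own tooling), the following PowerShell snippet enumerates every scheduled task on a host and flags actions that launch a script interpreter with arguments commonly used to hide or encode commands, which fits the PowerShell-based deployment described above. The interpreter and indicator lists are assumptions to be tuned per environment, and the optional Active Directory check assumes the RSAT ActiveDirectory module is present.

```powershell
# Item 3: audit scheduled-task actions for interpreter launches with suspicious arguments.
# Both lists below are assumed starting points, not an authoritative signature set.
$Interpreters = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32'
$SuspiciousPatterns = @(
    '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', '-nop', '-noprofile',
    '-exec bypass', 'iex', 'invoke-expression', 'downloadstring', 'frombase64string'
)

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an executable; COM-handler actions are skipped here.
        if (-not $action.Execute) { continue }
        $exe       = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute).ToLower()
        $arguments = [string]$action.Arguments
        # -match is case-insensitive; escape each pattern so it is matched literally.
        $hits = $SuspiciousPatterns | Where-Object { $arguments -match [regex]::Escape($_) }
        if (($Interpreters -contains $exe) -and $hits) {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Registered = $task.Date          # registration date recorded in the task XML
                RunAs      = $task.Principal.UserId
                Execute    = $action.Execute
                Arguments  = $arguments
                Indicators = ($hits -join ', ')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
} else {
    'No scheduled-task actions matched the indicator list.'
}

# Item 1 (optional): domain accounts created in the last 30 days, to compare against
# known provisioning. Assumes the RSAT ActiveDirectory module is installed.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $since = (Get-Date).AddDays(-30)
    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, Enabled |
        Sort-Object whenCreated -Descending |
        Format-Table SamAccountName, Enabled, whenCreated -AutoSize
}
```

Run the script in an elevated session so that tasks registered by other principals are included in the enumeration.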

