ALPHV/BlackCat: The Rust-Written RaaS That Exit-Scammed Its Own Affiliate
Threat Intelligence
ALPHV/BlackCat ran the most technically sophisticated RaaS of 2022-2024 and ended its run by stealing $22M from its own affiliate after the Change Healthcare attack. The story is a masterclass in how trustless e-crime really is.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 14, 2024 · 9 min read
ALPHV, also known as BlackCat or Noberus, was the most technically advanced ransomware-as-a-service operation of its era. The crew shipped Rust binaries, ran an affiliate panel that looked like a SaaS product, and ultimately collapsed in March 2024 in an exit scam against its own affiliate after the largest healthcare ransomware payment in US history. The technical legacy and the business-model lesson are both worth studying.
Actor Profile
ALPHV emerged in November 2021 and was widely assessed as a rebrand of BlackMatter, itself a rebrand of the earlier DarkSide operation; the FBI tracks the group as ALPHV/BlackCat. The Rust implementation of the locker was a meaningful technical advance: cross-platform builds (Windows, Linux, ESXi), low AV detection rates at launch, and per-victim configuration via a JSON token.
Attribution caveat: the rebrand chain (DarkSide to BlackMatter to ALPHV) is well-documented for the core operators, but affiliate composition shifted over time. ALPHV affiliates included Scattered Spider/UNC3944 elements.
TTPs
ALPHV's tooling was distinctive enough that the affiliate variations are visible in the technical telemetry.
- Initial access via affiliates: phishing, SocGholish, exposed RDP, ConnectWise ScreenConnect (CVE-2024-1709)
- Rust locker with ChaCha20+RSA-OAEP encryption and a configurable inclusion/exclusion list
- ESXi targeting with shutdown of running VMs before encryption (MITRE T1486 on virtualization layer)
- Munchkin: a separate Rust loader used to evade detection by running the locker inside a stripped-down Linux VM on the victim
- Data exfiltration via rclone, ExMatter, and a bespoke ALPHV-branded leak site with searchable victim data
Notable Victims
MGM Resorts (affiliate-led, attributed to Scattered Spider/UNC3944 working under ALPHV), Caesars Entertainment, Reddit (data theft only), Henry Schein, multiple oil and gas firms, Prudential Financial, and most consequentially Change Healthcare in February 2024. The Change Healthcare attack disrupted US pharmacy claims processing for weeks and resulted in a confirmed $22M ransom payment from UnitedHealth Group.
ALPHV stole the $22M from its own affiliate. The RaaS economy runs on no honor at all.
Detection Signals
Detection signatures evolved fast because ALPHV affiliates varied widely. The most reliable signals were on ESXi and on data staging.
- Unauthorized SSH sessions on ESXi hosts followed by a burst of vim-cmd vmsvc/ power-off or shutdown commands against many VMs
- Munchkin Linux VM creation on Windows hosts (Hyper-V or VirtualBox spawning unexpected guests)
- ExMatter or rclone outbound transfers to MEGA, Backblaze B2, or attacker S3 buckets in 100GB+ chunks
- Token-based ALPHV locker execution: command line containing an --access-token argument and JSON config
- Leak site monitoring: appearance of victim data on the ALPHV blog (now defunct, but successor sites continue the pattern)
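Two of the signals above (the ESXi shutdown burst and the token-gated locker launch) reduce to log matching. The following is an added example, not code from the original post; the ESXi shell.log-style line format, PIDs, timestamps and VM ids are constructed, and the burst threshold and window are assumptions to tune per environment.

```python
# Added example (not from the post): flag an ESXi power-off burst and a
# token-gated locker launch. Log format, timestamps and values are assumed.
import re
from datetime import datetime, timedelta

# Constructed ESXi shell.log-style lines; pids, timestamps and VM ids are made up.
ESXI_SHELL_LOG = """\
2024-02-20T03:14:02Z shell[2048]: [root]: vim-cmd vmsvc/getallvms
2024-02-20T03:14:05Z shell[2048]: [root]: vim-cmd vmsvc/power.off 12
2024-02-20T03:14:06Z shell[2048]: [root]: vim-cmd vmsvc/power.off 13
2024-02-20T03:14:06Z shell[2048]: [root]: vim-cmd vmsvc/power.off 14
2024-02-20T03:14:07Z shell[2048]: [root]: vim-cmd vmsvc/power.off 15
2024-02-20T03:14:08Z shell[2048]: [root]: vim-cmd vmsvc/power.off 16
2024-02-20T03:14:09Z shell[2048]: [root]: vim-cmd vmsvc/power.off 17
2024-02-20T09:00:00Z shell[3101]: [root]: vim-cmd vmsvc/power.off 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
POWER_RE = re.compile(r"vim-cmd vmsvc/power\.(off|shutdown)\b")
TOKEN_RE = re.compile(r"(^|\s)--access-token(=|\s+)\S+")


def find_poweroff_bursts(log_text, threshold=5, window_s=60):
    """(shell pid, first power-off timestamp, peak count) for each shell
    session issuing >= threshold power-off/shutdown commands in window_s."""
    per_session = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not POWER_RE.search(m["cmd"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_session.setdefault(m["pid"], []).append(ts)
    hits, window = [], timedelta(seconds=window_s)
    for pid, stamps in per_session.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):      # sliding window per session
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((pid, stamps[0].isoformat(), best))
    return hits


def is_token_gated_launch(cmdline):
    """True if a process command line carries the --access-token argument the
    post lists for ALPHV locker execution (matched on the flag, not the binary)."""
    return TOKEN_RE.search(cmdline) is not None
```

The single power-off from session 3101 stays below the threshold, so a routine admin action on one VM does not alert while the six-VM burst from session 2048 does.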
Defensive Controls
ALPHV's specific tooling is gone, but the affiliate operators and the playbook are not. They are now working under RansomHub, BlackSuit, Qilin, and Cicada3301.
- Harden ESXi: disable SSH by default, enable Lockdown Mode, require vCenter MFA, patch on vendor cadence.
- Treat ConnectWise, AnyDesk, and other RMM tools as adversary infrastructure unless explicitly inventoried and monitored.
- Encrypt and segment backups with separate auth boundaries. ALPHV affiliates routinely deleted Veeam and Cohesity backups pre-encryption.
- Subscribe to the FBI CSA and CISA advisories on ALPHV and RansomHub. The IOCs continue to pay off post-takedown.
- Settle the pay-versus-don't-pay question before an incident, not during one. The Change Healthcare case showed that even paying does not guarantee data deletion when the affiliate gets stiffed by the operator.
ALPHV/BlackCat is a closed chapter as a brand and an open one as a set of operators and affiliates. The technical lessons (Rust cross-platform lockers, ESXi targeting, RMM abuse) are now standard across the ransomware ecosystem. The business lesson (a $22M exit scam against an affiliate operating against the US healthcare system) is the part the industry has barely metabolized.