ALPHV Ransomware: Analyzing the BlackCat After Change Healthcare Attack


The ALPHV ransomware group, also known as BlackCat, emerged in November 2021 as a sophisticated cybercrime organization operating under a Ransomware-as-a-Service (RaaS) model. In February 2024, they attacked UnitedHealth Group's subsidiary, Change Healthcare, leading to significant disruptions in the U.S. healthcare sector. UnitedHealth paid a $22 million ransom to ALPHV following the attack. The breach compromised the personal information of over 100 million individuals, marking the largest healthcare data breach in U.S. history. The U.S. Department of State has offered rewards of up to $10 million for information leading to the identification or location of ALPHV/BlackCat leaders. 

In this blog, we take a deep dive into the tactics, techniques, and procedures (TTPs) of the ALPHV ransomware group.

The Analysed Malware Sample of BlackCat (ALPHV) Ransomware

The analysis focused on the “Asss1exe.bin” file, whose SHA256 hash can be directly accessed on VirusTotal for manual research. As of the end of January 2025, the malware is still under active analysis, indicating that it continues to be actively used by adversaries.

Observed Names of the Malicious File:

  • Asss1.exe.bin

  • 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456.exe (named after hash of the file)

  • Blackcat.exe, Blackcat.bin, BlackCat.bin

  • Trojan-Ransom.Win32.BlackCat.exe

  • 362.vir

SHA256: 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456

Affiliates and Ransomware-as-a-Service Model of the ALPHV Ransomware Group

BlackCat operates as a Ransomware-as-a-Service (RaaS) platform, allowing other cybercriminals to use its ransomware in exchange for a share of the profits. While most RaaS models let affiliates retain about 70% of their earnings, BlackCat offers a more generous share, allowing affiliates to keep 80-90% of their profits [1].

According to researchers, this revenue model acts as a powerful advertising tool. While other groups rely on marketing teams or posts on cybercrime forums to attract attention, BlackCat’s higher profit margins generate organic interest and promote the operation through word-of-mouth among affiliates.

However, this strategy has significant implications for potential victims. The affiliates are observed to reinvest their earnings into expanding their operations. By renting more services from BlackCat or hiring other cybercriminals, they can scale their attacks, resulting in greater harm to organizations. This cycle of reinvestment amplifies the overall impact of BlackCat’s operation.

Notable Cyber Incidents & Victimology of the BlackCat/ALPHV Ransomware Group

The ALPHV ransomware group, also known as BlackCat, has been linked to several significant cyber incidents, demonstrating their evolving tactics and the substantial impact of their operations. 

Notable cases include:

  • Change Healthcare Breach (February 2024): In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack attributed to the BlackCat group. This breach compromised the personal information of over 100 million individuals, making it the largest healthcare data breach in U.S. history. The stolen data included health insurance member IDs, patient diagnoses, treatment information, and Social Security numbers. UnitedHealth paid a $22 million ransom in response to the attack [2].

  • Reddit Data Breach (February 2023): In February 2023, Reddit experienced a security incident where BlackCat claimed to have stolen 80 GB of compressed data [3]. The group demanded a $4.5 million ransom for the data's return. Unlike typical ransomware attacks, this incident did not involve data encryption but focused on data exfiltration and extortion.

  • MGM Resorts and Caesars Entertainment Attacks (September 2023): In September 2023, BlackCat, in collaboration with the Scattered Spider group, launched ransomware attacks against major casino operators MGM Resorts International and Caesars Entertainment [4]. Caesars paid a $15 million ransom, while MGM chose not to pay, leading to system shutdowns and an estimated financial impact of $100 million in the third quarter of 2023.

Analyzing BlackCat Ransomware's Advanced Tactics, Techniques, and Procedures (TTPs)

This section provides a comprehensive analysis of the TTPs observed in the analyzed sample, offering insights into how BlackCat/ALPHV ransomware operates and the tools it employs.

Initial Access - ATT&CK TA0001

Phishing for Information - MITRE T1598

ALPHV/BlackCat affiliates conduct thorough open-source intelligence gathering to impersonate IT support staff. They leverage this knowledge to contact employees through phone calls and SMS messages, creating convincing scenarios that appear to require urgent technical support interaction.

Account Access Development - MITRE T1586

Through these impersonation efforts, the threat actors manipulate employees into providing their network credentials. By posing as internal IT personnel and creating realistic support scenarios, they obtain valid credentials that provide them with legitimate initial access to the target network.

Execution - ATT&CK TA0002 

Command and Scripting Interpreter: Windows Command Shell - MITRE T1059.003

The malware, “847fb7…”.exe (hash truncated for readability), is executed via the command line with specific parameters that dictate its behavior and execution [5].

The example syntax for malware to be executed is as follows.

Blackcat.exe --access-token <ACCESS_TOKEN>

One of the primary execution parameters is the access token, which is a 32-byte value required for the malware to run. If an invalid access token is provided, the malware will output error messages, such as:

C:\Users\Desktop>Blackcat.exe Invalid access token.
C:\Users\Desktop>Blackcat.exe --access-token 678910 invalid config.

This highlights the importance of providing a valid access token for successful execution.

In addition to the access token, the malware accepts several command-line parameters, each controlling different functionalities. Key parameters and their associated purposes include:

--help                    # Display usage information
--access-token            # Required 32-byte token
--child                   # Run as child process
--paths                   # Target specific paths
--propagated              # Run as propagated process
--no-net                  # Disable network share discovery
--no-prop                 # Disable self-propagation
--no-vm-kill              # Prevent VM termination
--verbose                 # Enable console logging

The malware also provides features for user-initiated execution, making it more flexible in its deployment:

--drag-and-drop             # Support for drag and drop execution
--drop-drag-and-drop-target # Create drag and drop target file

In terms of Living off the Land Binaries (LoLBins), the malware takes advantage of legitimate Windows utilities to carry out critical system commands. This approach is useful for evading detection, as the commands appear as normal system operations. By utilizing native command shells, the malware maintains high privileges while executing malicious activities.

Some of the commands run by the malware are given below; further examples appear throughout the blog.

# Retrieve the UUID of the system's product (Hardware identifier)
cmd.exe /c "wmic csproduct get UUID"

# Set Symlink Evaluation behavior for remote-to-local (R2L) symlinks to enabled (1)
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"

# Stop IIS (Internet Information Services) web server if it is running
cmd.exe /c "iisreset.exe /stop"

# Modify the boot configuration to set the default boot entry
cmd.exe /c "bcdedit /set {default}"

By using these legitimate system tools, the malware blends in with normal operations while maintaining the necessary privileges to carry out its objectives, such as network discovery, system modification, and process manipulation. This makes detection and mitigation more challenging for security defenses.

Native API - MITRE T1106

The malware makes extensive use of the Windows API for its core operations.

CreateFileW() API Call & Key Usage by Malware

CreateFileW(0x40000000 = GENERIC_WRITE, 0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ)
# Opening target files for encryption with GENERIC_READ | GENERIC_WRITE access (0xC0000000)
# Creating ransom notes in each directory with GENERIC_WRITE (0x40000000)
# Opening renamed encrypted files with shared access rights (0x7)

These permissions ensure the malware can fully control file operations while maintaining shared access.

ReadFile() API Call & Key Usage by Malware

# Read the first 4 bytes of target files
# Read file content chunks for encryption
# Read output from named pipes for process communication
\\.\pipe\__rust_anonymous_pipe1__.<Process ID>.<Random number>

WriteFile() API Call & Key Usage by Malware

# Write the 4-byte border marker (19 47 B2 CE): a 4-byte border "19 47 B2 CE" separating the encrypted AES key from the encrypted file content is written to the file, giving the following layout
[Encrypted AES Key] [19 47 B2 CE] [Encrypted File Content]
# Place ransom notes in directories
# Write encrypted content back to files
# Write the encrypted AES key (encrypted with RSA): the buffer containing the AES key is encrypted with the RSA public key from the BlackCat configuration, and the result is written to the file using WriteFile

Ransomware Note Left by BlackCat Ransomware

CreateThread() API Call & Key Usage by Malware

# Creates multiple threads for parallel processing: The threads are created with STACK_SIZE_PARAM_IS_A_RESERVATION (0x00010000) parameter
# Enables simultaneous encryption of multiple files
# Improves encryption speed through multi-threading

Persistence - ATT&CK TA0003

Modify Registry - MITRE T1112 

The malware modifies specific registry values to optimize its network operations for lateral movement and mass file encryption across network shares.

Maximizes SMB request handling capacity:

The implementation of this registry modification directly impacts the system's ability to handle SMB (Server Message Block) requests by maximizing the number of simultaneous connections that can be processed. By setting the MaxMpxCt value to its highest possible value, 65535, the system can handle up to 65,535 concurrent SMB requests. This significantly increases the network throughput and allows for faster file access and communication across the network, which is critical for operations such as lateral movement and file encryption.

The registry change is made by executing the following command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f

Purpose:

  • Increases the maximum number of simultaneous SMB requests that can be processed
  • Facilitates faster network enumeration and file encryption across shares
  • Supports efficient lateral movement using stolen credentials

Sequence of operations:

  • Sets MaxMpxCt to maximum (65535)
  • Enumerates network using "arp -a"

cmd.exe /c "arp -a"

  • Connects to shares using "net use" with stolen credentials

net use \\[target_ip]\[share_name] /user:[username] [password]

  • Launches child processes for lateral movement

Privilege Escalation - ATT&CK TA0004

Access Token Manipulation - MITRE T1134

The malware manipulates access tokens to gain extensive system privileges, enabling it to perform system-wide modifications and access protected resources. This broad access is essential for comprehensive encryption and system manipulation.

Enables extensive privileges:

SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
[... and others]

Valid Accounts - MITRE T1078

The BlackCat malware stores its configuration in a JSON format, which is decrypted at runtime. This configuration file contains stolen credentials specific to the victim's environment, allowing the malware to authenticate itself across the network. The malware uses these credentials to make connections to network shares and further compromise the system.

One of the key methods used by BlackCat to establish connections is through the net use command. This command allows the malware to create SMB connections to network shares using the stolen credentials. 

The following command is executed by the malware:

net use \\<computer_name> /user:<username> <password>

Purpose:

  • Creates SMB connections to network shares
  • Uses stored credentials for authentication
  • Makes connections appear as legitimate user activity

By leveraging valid credentials, BlackCat is able to move laterally within the network, escalate privileges, and carry out its malicious objectives while blending in with legitimate network traffic.

Defense Evasion - ATT&CK TA0005

Disable or Modify Tools - MITRE T1562.001

The malware systematically disables system recovery and logging mechanisms to prevent system restoration and hide its activities. 

Disabling Windows Event Logging:

cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1

This command is designed to clear all Windows Event Logs from the system. It works by first using the wevtutil.exe el command to list all available event logs on the system. Then, for each log found, it runs the wevtutil.exe cl command to clear the contents of that log. Essentially, the command iterates through all event logs (e.g., Application, Security, System logs, etc.) and deletes their contents, leaving them empty.

This command is highly problematic as it can cripple forensic investigations and make it nearly impossible to trace malicious actions or identify the root cause of security breaches. 

Abuse Elevation Control Mechanism: UAC Bypass - MITRE T1548.002

By bypassing User Account Control through the CMSTPLUA COM interface, the malware gains administrative privileges without triggering security prompts. This stealthy elevation of privileges is crucial for performing system-wide encryption and modifications. A breakdown of the technique follows:

  • CMSTPLUA COM Interface

The CMSTPLUA interface allows for the launching of processes with elevated privileges without triggering the usual UAC prompt. By using this interface, malware can silently gain administrative privileges on the system.

  • Initializing COM Library:

The function call below is part of the COM (Component Object Model) initialization process. It sets the threading model for COM objects, allowing the malware to interact with COM interfaces correctly, including the auto-elevated CMSTPLUA interface.

CoInitializeEx(0x2 = COINIT_APARTMENTTHREADED)

  • Using the Auto-elevated CMSTPLUA COM Interface with CLSID:

The CLSID (Class Identifier) refers to a unique identifier for the COM object that facilitates the elevation of privileges. By invoking this CLSID, malware can execute commands with higher privileges without the typical UAC prompts.

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

This method is often used by attackers to bypass UAC, gaining administrative access to the system and enabling them to perform actions such as system-wide encryption (e.g., in ransomware attacks) or making other unauthorized modifications.

Discovery - ATT&CK TA0007

Process Discovery - MITRE T1057

The malware enumerates running processes to identify security tools and other processes that might interfere with its operation, allowing it to target them for termination.

CreateToolhelp32Snapshot(0xF = TH32CS_SNAPALL)
Process32FirstW()
Process32NextW()

System Information Discovery - MITRE T1082

The malware gathers detailed system information to customize its attack and ensure maximum impact. This reconnaissance helps identify valuable targets and optimize the encryption strategy.

GetSystemInfo()
wmic csproduct get UUID

Impact - ATT&CK TA0040

The following actions are commonly employed by attackers to prevent recovery of a compromised system, thereby increasing the likelihood that the victim will be unable to restore from backups or perform a system recovery.

Inhibit System Recovery - MITRE T1490

# Delete all shadow copies on the system silently (without prompts)
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"

# Delete all shadow copies using the WMIC tool
cmd.exe /c "wmic.exe Shadowcopy Delete"

Delete Shadow Copies: The commands vssadmin.exe Delete Shadows /all /quiet and wmic.exe Shadowcopy Delete silently delete all shadow copies on the system. 

Shadow copies are often used for backups and system restore points, so their deletion hampers the ability to recover files or restore the system to a previous, uninfected state.

# Disable recovery options (to stop automatic system recovery at boot)
cmd.exe /c "bcdedit /set {default} recoveryenabled No"

Disable Recovery Options: The command bcdedit /set {default} recoveryenabled No disables the Windows recovery options, preventing the system from automatically attempting recovery or repair at boot. 

This makes it much harder for an administrator or user to initiate a recovery process if the system becomes unstable or compromised.
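The commands the post attributes to the sample (the LoLBin commands under Windows Command Shell, the MaxMpxCt registry change, the wevtutil log-clearing loop, and the shadow-copy and bcdedit commands in this section) are exactly what a defender can hunt for in process-creation telemetry. The detection script below is an added example, not code from the original post or from Picus; the pipe-delimited record format, the rule names and all sample log lines are constructed for illustration.

```python
"""Hunt process-creation records for the BlackCat/ALPHV command lines described in the post.

Added example (not the post's or Picus' code). Record format, assumed and constructed
for this example: timestamp|host|user|image|command_line, one record per line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK technique the post assigns to the command
    pattern: re.Pattern


# Command lines the post attributes to the sample, as case-insensitive regexes.
RULES = (
    Rule("shadow copies deleted (vssadmin)", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    Rule("shadow copies deleted (wmic)", "T1490",
         re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("boot recovery disabled", "T1490",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    Rule("all event logs cleared", "T1562.001",
         re.compile(r"wevtutil(\.exe)?\s+el\b.*wevtutil(\.exe)?\s+cl\b", re.I)),
    Rule("R2L symlink evaluation enabled", "T1059.003",
         re.compile(r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b.*\bR2L:1\b", re.I)),
    Rule("MaxMpxCt raised to 65535", "T1112",
         re.compile(r"reg(\.exe)?\s+add\b.*lanmanserver\\parameters\b.*\bMaxMpxCt\b.*\b65535\b", re.I)),
    Rule("IIS stopped", "T1059.003",
         re.compile(r"iisreset(\.exe)?\s+/stop\b", re.I)),
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    command_line: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed-format record; malformed lines are skipped, not guessed at."""
    parts = line.rstrip("\r\n").split("|", 4)   # maxsplit keeps '|' inside the command line
    if len(parts) != 5:
        return None
    return Event(*parts)


def scan_events(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every well-formed event; one finding per (event, rule) hit."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule.pattern.search(ev.command_line):
                findings.append(Finding(ev.timestamp, ev.host, ev.user,
                                        rule.name, rule.technique, ev.command_line))
    return findings


def techniques_by_host(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Distinct ATT&CK techniques observed per host."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        out[f.host].add(f.technique)
    return dict(out)


def staging_hosts(findings: Iterable[Finding], min_techniques: int = 2) -> List[str]:
    """Hosts where several distinct techniques fire. A lone shadow-copy deletion may be an
    administrator, but recovery inhibition plus log wiping plus SMB tuning on one host is
    the pre-encryption sequence the post describes and deserves an immediate response."""
    return sorted(h for h, t in techniques_by_host(findings).items()
                  if len(t) >= min_techniques)


# Constructed process-creation records (not from any real environment).
SAMPLE_LOG = r"""2025-01-16T10:01:02Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "wmic csproduct get UUID"
2025-01-16T10:01:05Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
2025-01-16T10:01:07Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\reg.exe|reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
2025-01-16T10:01:09Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1
2025-01-16T10:01:12Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
2025-01-16T10:01:13Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "wmic.exe Shadowcopy Delete"
2025-01-16T10:01:14Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "bcdedit /set {default} recoveryenabled No"
2025-01-16T10:01:15Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c "iisreset.exe /stop"
2025-01-16T10:02:00Z|SRV-BK-01|CORP\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2025-01-16T10:03:00Z|WS-HR-02|CORP\asmith|C:\Windows\System32\cmd.exe|cmd.exe /c "arp -a"
malformed line without separators
"""

if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.technique:<9} {f.rule}: {f.command_line}")
    print("hosts showing the staging sequence:", staging_hosts(hits))
```

The benign "vssadmin.exe list shadows" on the backup server and the "arp -a" on another host produce no findings, which is the point of matching the full destructive command rather than the binary name.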

Data Encrypted for Impact - MITRE T1486

The core ransomware functionality encrypts victim data using a sophisticated encryption scheme, making files inaccessible without the decryption key. This creates urgency and pressure to pay the ransom.

Encryption Implementation:

  • Uses AES-128 algorithm with aesenc and aesenclast instructions 
  • Encrypts the AES key with RSA public key from configuration 
  • Writes encrypted content back to files 

File Processing:

  • Adds 4-byte file marker: "19 47 B2 CE" to separate encrypted content from encrypted AES key 
  • Changes file extensions to .uhwuvzu 
  • Creates intermediary files named "checkpoints-<encrypted file name>" during encryption process 

Key Management:

  • Generates 16 random bytes for AES key derivation 
  • Encrypts the key info in JSON format including cipher type and chunk size 
  • Uses 80 random bytes as border for the JSON data
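The file layout described under WriteFile above (encrypted AES key, the 19 47 B2 CE border, then the encrypted content), together with the .uhwuvzu extension and the "checkpoints-" intermediary files listed here, gives an incident responder enough to triage a share for BlackCat artifacts and to spot files where encryption was interrupted. The script below is an added example, not code from the original post or from the malware; the verdict labels, helper names and all sample bytes are constructed here and follow the layout exactly as the post states it.

```python
"""Triage files for the BlackCat/ALPHV encryption artifacts described in the post.

Added example, not the post's or the malware's code. It applies the layout the post gives:
[encrypted AES key][19 47 B2 CE][encrypted content], the .uhwuvzu extension and the
"checkpoints-<name>" intermediary files. All sample data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BORDER_MARKER = bytes.fromhex("1947B2CE")   # 4-byte border the post reports
ENCRYPTED_EXT = ".uhwuvzu"                  # extension the post reports
CHECKPOINT_PREFIX = "checkpoints-"          # intermediary file prefix the post reports


@dataclass(frozen=True)
class Triage:
    name: str
    has_extension: bool
    is_checkpoint: bool
    marker_offset: Optional[int]   # offset of the border marker, None if absent
    key_blob_len: Optional[int]    # bytes before the marker: the RSA-encrypted AES key, per the post
    content_len: Optional[int]     # bytes after the marker: the encrypted file content
    verdict: str


def base_name(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_border(data: bytes) -> Optional[int]:
    """Offset of the first border marker, or None.

    Ciphertext looks random, so the 4-byte sequence can also occur by chance
    (about one in 2^32 per position); a marker hit without the extension is
    therefore reported as suspicious rather than as a confirmed encrypted file.
    """
    off = data.find(BORDER_MARKER)
    return off if off >= 0 else None


def triage_file(path: str, data: bytes) -> Triage:
    """Classify one file from its name and bytes using the layout the post describes."""
    name = base_name(path)
    has_ext = name.lower().endswith(ENCRYPTED_EXT)
    is_ckpt = name.startswith(CHECKPOINT_PREFIX)
    off = find_border(data)
    key_len = content_len = None
    if off is not None:
        key_len = off
        content_len = len(data) - off - len(BORDER_MARKER)
    if is_ckpt:
        verdict = "interrupted-encryption-artifact"   # encryption did not finish on this file
    elif has_ext and off is not None:
        verdict = "blackcat-encrypted"
    elif has_ext or off is not None:
        verdict = "suspicious"                        # one indicator only; review by hand
    else:
        verdict = "clean"
    return Triage(name, has_ext, is_ckpt, off, key_len, content_len, verdict)


def triage_tree(files: Dict[str, bytes]) -> Tuple[Dict[str, int], Dict[str, Triage]]:
    """Triage an in-memory {path: bytes} map; returns verdict counts and per-path results."""
    results = {path: triage_file(path, data) for path, data in files.items()}
    counts = Counter(t.verdict for t in results.values())
    return dict(counts), results


# Constructed stand-ins for the RSA-encrypted key blob and the encrypted content.
# Each sequence steps by a constant (7 or 13 mod 256), so neither can contain
# the marker, whose first two bytes differ by 46.
FAKE_KEY_BLOB = bytes((7 * i + 3) % 256 for i in range(256))
FAKE_CONTENT = bytes((13 * i + 5) % 256 for i in range(1024))

# Constructed sample "share": one completed file, one checkpoint left by an
# interrupted run, one file renamed but lacking the marker, one untouched PDF.
SAMPLE_FILES = {
    r"C:\Share\Finance\Q4.xlsx.uhwuvzu": FAKE_KEY_BLOB + BORDER_MARKER + FAKE_CONTENT,
    r"C:\Share\Finance\checkpoints-Q4.xlsx.uhwuvzu": FAKE_KEY_BLOB + BORDER_MARKER + FAKE_CONTENT[:100],
    r"C:\Share\HR\policy.docx.uhwuvzu": FAKE_CONTENT[:64],
    r"C:\Share\HR\handbook.pdf": b"%PDF-1.7\n" + FAKE_CONTENT[:200],
}

if __name__ == "__main__":
    counts, results = triage_tree(SAMPLE_FILES)
    for path, t in results.items():
        print(f"{t.verdict:<32} marker@{t.marker_offset} key={t.key_blob_len} "
              f"content={t.content_len}  {path}")
    print(counts)
```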

Service Stop - MITRE T1489

By stopping critical services, the malware ensures files are unlocked for encryption and disrupts business operations, increasing pressure on victims to pay quickly.

OpenSCManagerW(0xF003F = SC_MANAGER_ALL_ACCESS)

Used to open the Service Control Manager (SCM) with full access rights, allowing the malware to interact with and control services on the system. The SC_MANAGER_ALL_ACCESS permission grants the ability to query, start, stop, and delete services.


EnumServicesStatusExW(0x30 = SERVICE_WIN32, 0x1 = SERVICE_ACTIVE)

Enumerates the list of active Win32 services on the system. The parameters SERVICE_WIN32 and SERVICE_ACTIVE filter the results to only show running services that are of the Win32 type and currently active, identifying critical system services that could be targeted for stoppage.


ControlService(0x1 = SERVICE_CONTROL_STOP)

Once the malware identifies active services, it sends the SERVICE_CONTROL_STOP command to stop them. This effectively disables the service, potentially unlocking files or preventing essential operations from running. Stopping key services (like file sharing or antivirus) increases the impact of ransomware or malware by making files accessible for encryption and interfering with the system's normal function.

By stopping essential services, the malware not only disrupts business operations but also forces the victim into a position where they may feel pressured to pay a ransom to restore functionality, especially if the affected services are vital for daily operations. This technique is particularly effective in increasing the chances of a successful attack and extortion.

How Does Picus Help Against the BlackCat (a.k.a. ALPHV) Ransomware Threat Group?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.  

The Picus Threat Library includes the following threats for BlackCat (a.k.a. ALPHV) ransomware.

Threat ID   Threat Name                           Attack Module
75742       BlackCat Ransomware Campaign          Windows Endpoint
93524       BlackCat Ransomware Campaign          Linux Endpoint
54213       BlackCat Ransomware Download Threat   Network Infiltration
92332       BlackCat Ransomware Email Threat      E-mail Infiltration

Defense Strategies Against the BlackCat Ransomware Group

The BlackCat (ALPHV) ransomware group has been a significant threat to organizations worldwide. To defend against this sophisticated adversary, consider implementing the following strategies:

  1. Regular Software Updates and Patch Management: Ensure that all systems, applications, and devices are consistently updated to mitigate vulnerabilities that BlackCat exploits. Promptly applying security patches can prevent unauthorized access.

  2. Advanced Endpoint Detection and Response: Deploy EDR, XDR, and IDS solutions capable of detecting and responding to suspicious activities indicative of BlackCat attacks. These tools can identify anomalies and provide real-time alerts, enabling swift incident response.

  3. User Awareness and Training: Conduct regular training sessions to educate employees about phishing tactics and social engineering methods commonly used by BlackCat. Empowered staff are less likely to fall victim to deceptive schemes.

  4. Network Segmentation and Least Privilege Access: Implement network segmentation to limit lateral movement within your infrastructure. Enforce least privilege access controls to ensure users and applications have only the permissions necessary for their roles, reducing the potential impact of a breach.

  5. Comprehensive Backup and Recovery Plans: Maintain regular, encrypted backups stored offline or in immutable formats. A robust backup strategy ensures that, in the event of a ransomware attack, critical data can be restored without succumbing to ransom demands.

By adopting these measures, organizations can enhance their resilience against BlackCat ransomware and other evolving cyber threats.

Conclusion

In conclusion, the ALPHV (BlackCat) ransomware group has emerged as a highly sophisticated and disruptive threat in the cybercriminal landscape. With its advanced tactics, techniques, and procedures (TTPs), BlackCat has caused severe damage across various industries, particularly healthcare, by exploiting vulnerabilities for maximum financial gain. Their Ransomware-as-a-Service model has amplified their reach, enabling affiliates to scale attacks and intensify their impact. The group's use of advanced encryption, lateral movement, and evasion techniques highlights the growing need for robust cybersecurity defenses. Organizations must adopt proactive measures and simulate attacks to identify vulnerabilities and strengthen their defenses against such evolving threats.

Indicators of Compromise (IOCs)

SHA256 Hashes


SHA1 Hashes


MD5 Hashes


References

[1] “Breaking Down the BlackCat Ransomware Operation,” CIS, Jul. 07, 2022. Available: https://www.cisecurity.org/insights/blog/breaking-down-the-blackcat-ransomware-operation. [Accessed: Jan. 16, 2025]

[2] “Change Healthcare Consumer support page.” Available: https://www.unitedhealthgroup.com/ns/health-data-breach.html. [Accessed: Jan. 16, 2025]

[3] “Black Cat ransomware group wants $4.5m from Reddit or will leak stolen files,” ThreatDown by Malwarebytes, Jun. 20, 2023. Available: https://www.threatdown.com/blog/black-cat-ransomware-group-wants-4-5m-from-reddit-or-will-leak-stolen-files/. [Accessed: Jan. 16, 2025]

[4] A. Benge, “BlackCat (ALPHV): What we know about the MGM hack,” ReversingLabs. Available: https://www.reversinglabs.com/blog/what-we-know-about-blackcat-and-the-mgm-hack. [Accessed: Jan. 16, 2025]

[5] “Website.” Available: https://tip.neiki.dev/file/847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456