BlackCat, also tracked as ALPHV or Noberus, is a ransomware-as-a-service (RaaS) operation first observed in November 2021. It is widely regarded as one of the first major ransomware families written in Rust, a memory-safe systems programming language that complicates reverse engineering and enables cross-platform compilation for Windows, Linux, and VMware ESXi environments.
Under the RaaS model, the core developers maintain the malware and a leak site while affiliates conduct intrusions, deploy the encryptor, and split ransom payments — reportedly keeping 80–90% of proceeds. The group practices double extortion (encrypting files and threatening to publish stolen data) and pioneered triple extortion tactics, including a searchable public leak site indexed for victims' customers and employees.
The U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on BlackCat in April 2022, and an updated advisory in February 2024. Researchers and law enforcement have assessed that many BlackCat affiliates previously operated under the DarkSide and BlackMatter brands, linking the group to the 2021 Colonial Pipeline incident lineage.
In December 2023, the U.S. Department of Justice announced a disruption operation, seizing BlackCat infrastructure and releasing a decryption tool that the FBI said helped over 500 victims. The group briefly resurfaced, and in March 2024 it was implicated in the attack on Change Healthcare, a subsidiary of UnitedHealth Group, which disrupted U.S. pharmacy and insurance claims processing for weeks. Shortly after receiving a reported $22 million payment, the operators appeared to conduct an exit scam, shutting down the leak site and abandoning affiliates.
For policy researchers, BlackCat illustrates the resilience of the RaaS ecosystem, the limits of takedown operations, and the systemic risk ransomware poses to healthcare, energy, and government sectors.
Example
In March 2024, BlackCat affiliates breached Change Healthcare, paralyzing U.S. pharmacy claims processing and prompting congressional hearings on healthcare cybersecurity.
Frequently asked questions
Yes. BlackCat, ALPHV, and Noberus refer to the same ransomware operation; security vendors and law enforcement use the names interchangeably.
Keep learning