BlackCat, also marketed as ALPHV (and tracked by Symantec under the name Noberus), had one of the most consequential, technically interesting, and ultimately treacherous careers of any modern ransomware operation. In a little over two years it became one of the most prolific operators in the world, picked some of the largest ransom fights of the era, broke new ground with its tooling, and ended in an apparent exit scam that stunned even hardened watchers of the underground.
A Rust pioneer
BlackCat surfaced in late November 2021. The technical detail that caught attention immediately was its language: it was the first major ransomware family written in Rust. That was not a gimmick. Rust gave the operators cross-platform builds from one code base, native performance, and binaries that looked unfamiliar to analysts and signature engines trained on a decade of C/C++ ransomware, so static detection and reverse engineering both lagged. Windows, Linux, and ESXi variants were available early in the operation's life.
Researchers quickly noted overlaps in TTPs and infrastructure with the BlackMatter and DarkSide operations, which had themselves been the same team across two rebrands. BlackCat was widely assessed as their third incarnation.
The affiliate panel
Where LockBit emphasised speed and reliability, BlackCat emphasised flexibility. Its affiliate panel was unusually configurable, with per-build options for the file encryption mode (full, fast, dotpattern, smartpattern, auto; the partial modes trade completeness for speed and for a lower entropy footprint), file-extension and directory exclusions, credentials and process/service kill lists, and the familiar CIS kill switch that aborts encryption on machines whose system language matches a CIS country. Affiliates could log in and watch live counters of which victims had visited the negotiation site, what stage of payment they were at, and how much data had been viewed on the leak site, gamifying the extortion in a way other operations had not.
The split was generous and, unusually, tilted towards big scores: affiliates kept roughly 80% of smaller ransoms, with the share rising to about 90% on payments above a few million dollars. The operators bet, correctly for a while, that the most productive intruders would migrate to whichever brand paid them best.
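Partial encryption modes matter to defenders because a scanner that flags files on entropy alone can miss them. The block below is an added illustration, not BlackCat's code: it models three of the modes named above (full; fast, taken here as "first N bytes only"; dotpattern, taken as "encrypt N bytes, skip M bytes, repeat"), applies each to a constructed 64 KiB claims file using a keystream XOR as a stand-in for the real cipher, and counts how many fixed-size windows a naive entropy check would flag. The mode semantics follow public descriptions of intermittent encryption; the parameter values (N = 1024, M = 8192), the sample file, the seed and the 7.0 bits-per-byte threshold are all assumptions for the demo.

```python
"""Added illustration of intermittent-encryption modes vs. a window-entropy
scanner. Not BlackCat's code. Mode semantics (fast = header only, dotpattern
= encrypt N / skip M) follow public descriptions; the parameters, the sample
file and the SHA-256 keystream XOR standing in for the cipher are invented."""
import hashlib
import math
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) byte range


def byte_ranges(mode: str, size: int, n: int = 1024, m: int = 8192) -> List[Range]:
    """Byte ranges a given mode would encrypt in a file of `size` bytes."""
    if mode == "full":
        return [(0, size)]
    if mode == "fast":            # header only: the first n bytes
        return [(0, min(n, size))]
    if mode == "dotpattern":      # n bytes encrypted, m skipped, repeat to EOF
        ranges: List[Range] = []
        pos = 0
        while pos < size:
            ranges.append((pos, min(pos + n, size)))
            pos += n + m
        return ranges
    raise ValueError(f"unsupported mode: {mode!r}")


def keystream(length: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 counter chain) so the demo
    repeats exactly. A stand-in for a stream cipher, not a secure one."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def apply_mode(data: bytes, mode: str, **params) -> bytes:
    """XOR only the ranges the mode selects; everything else stays plaintext."""
    ks = keystream(len(data))
    out = bytearray(data)
    for start, end in byte_ranges(mode, len(data), **params):
        for i in range(start, end):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    total = len(chunk)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def flagged_windows(data: bytes, window: int, threshold: float = 7.0) -> List[int]:
    """Offsets of fixed windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def demo(window: int) -> Dict[str, int]:
    """Windows flagged per mode on a constructed 64 KiB, low-entropy claims file."""
    record = b"claim_id=000123;patient=redacted;amount=100.00\n"  # constructed
    plain = (record * (65536 // len(record) + 1))[:65536]
    return {mode: len(flagged_windows(apply_mode(plain, mode), window))
            for mode in ("full", "fast", "dotpattern")}


if __name__ == "__main__":
    for w in (4096, 512):
        print(f"window={w}: {demo(w)}")
```

With 4 KiB windows only the full mode trips the scanner; fast and dotpattern files keep every window under the threshold because at most 1024 of 4096 bytes in any window are ciphertext. Shrinking the window to 512 bytes exposes the pattern (two flagged windows for fast, sixteen evenly spaced ones for dotpattern), which is why practical detections look for periodic high-entropy stretches or lean on behavioural signals such as mass renames and extension changes rather than whole-file entropy.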
Headline attacks
BlackCat’s victim list quickly became a who’s-who of large enterprises:
- Reddit (February 2023), with stolen internal documents and a $4.5 million demand. Reddit refused to pay and was listed on the leak site.
- Western Digital (March 2023), which suffered an extended cloud-services outage.
- MGM Resorts (September 2023), in a high-profile collaboration with the English-speaking affiliate group Scattered Spider; the attack disrupted Las Vegas hotel and casino operations for days and cost MGM an estimated $100 million.
- Caesars Entertainment (also September 2023), which reportedly paid roughly half of a $30 million demand.
- MeridianLink (November 2023), in the operation that produced one of the more astonishing moments in ransomware history: ALPHV filed a complaint with the SEC, accusing MeridianLink of failing to disclose the breach within the four-business-day window of the SEC's new cyber incident disclosure rule. The rule had been adopted but was not yet in force, so the complaint had no legal footing; it was a stunt aimed at weaponising regulators against the victim, and although the SEC took no action, it generated enormous press coverage.
- Change Healthcare (February 2024), the breach that would directly precede the brand’s collapse.
The Change Healthcare attack and exit scam
In February 2024 a BlackCat affiliate compromised Change Healthcare, a US healthcare payments processor handling roughly a third of US medical claims, by logging in with stolen credentials to a Citrix remote-access portal that had no multi-factor authentication enabled. The attack disrupted prescription processing, claims, and reimbursements across the US for weeks. UnitedHealth Group, Change Healthcare's parent, ultimately paid an estimated $22 million ransom.
Days later, the affiliate behind the attack, known as "Notchy", went public on a Russian-language forum. They claimed that BlackCat's operators had received the full $22 million, emptied the wallet in a single transaction, suspended the affiliate's account, and cut off contact. ALPHV, the affiliate alleged, had exit-scammed its own people.
The operators then defaced their own leak site with a "This site has been seized" banner, apparently lifted from the law-enforcement notice posted during the December 2023 action, and offered the supposed source code for sale at $5 million. The agencies whose logos appeared on the banner denied any involvement; the consensus reading is that ALPHV staged a takedown to walk away clean. The stolen Change Healthcare data continued to circulate, eventually appearing on the leak site of an unrelated operation, RansomHub, where the affiliate had migrated to extort UnitedHealth a second time.
The aftermath
BlackCat's collapse was, in operational terms, almost as significant as LockBit's. Coming weeks after Operation Cronos hit LockBit in February 2024, it meant both of the top two RaaS programs were knocked out of the market in a single quarter, throwing a large pool of skilled affiliates into circulation. RansomHub, in particular, absorbed many of them and grew rapidly into a top-tier operator in its own right.
Earlier disruptions had already weakened the brand. In December 2023 the FBI announced a partial takedown of ALPHV's infrastructure, the seizure of its leak site, and the release of a decryption tool offered to hundreds of victims; the operators reclaimed the domain within hours, stood up new infrastructure, and lifted their own restrictions on attacking hospitals and critical infrastructure, but they lost some affiliates and significant credibility in the process. The Change Healthcare exit scam finished the job.
What BlackCat changed
Three things stand out in BlackCat’s legacy. First, the demonstration that Rust-based ransomware was not just viable but advantageous, a finding now reflected in many newer families. Second, the SEC complaint episode, which previewed how operators would weaponise legitimate regulatory regimes against their victims. Third, the proof, for affiliates, and for everyone watching, that even the most professional-looking RaaS will burn its own crew when the cash flow on a single attack outweighs the value of the brand.
BlackCat is gone. The lessons it leaves behind are not.
