CISA, the FBI, and the Department of Health and Human Services (HHS) released an update to the joint advisory #StopRansomware: ALPHV Blackcat to provide new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the ALPHV Blackcat ransomware as a service (RaaS). ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector.

CISA, the FBI, and HHS urge network defenders to review the updated joint advisory to protect and detect against malicious activity.

All organizations are encouraged to share information on incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov via our Report page, and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. For more information and resources on ransomware, visit stopransomware.gov. 

December 19, 2023
Today, CISA and the FBI released a joint Cybersecurity Advisory (CSA), “#StopRansomware: ALPHV Blackcat,” to disseminate known ALPHV Blackcat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023.

According to the advisory, in February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations. According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments. The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise, released in April 2022.

CISA and the FBI encourage organizations to review the joint CSA for recommended mitigations to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.