ALPHV/BlackCat Ransomware Group Profile

2021-11-01
BREACH INTELLIGENCE
Breach date: 2021-11-01
Industry: Multi-Sector
Severity: Critical
Records exposed: not quantified; more than 1,000 victim organizations (FBI estimate, December 2023)
Financial impact: $2.3B+ (all attacks)

Breach Summary

ALPHV/BlackCat was among the most technically sophisticated ransomware-as-a-service (RaaS) operations of 2022-2024, responsible for the Change Healthcare breach, the MGM Resorts attack, and hundreds of other high-profile incidents. The group traced its lineage through the BlackMatter RaaS back to DarkSide, the Colonial Pipeline attackers, making BlackCat the third generation of one of the most historically significant ransomware operations. A March 2024 exit scam, in which the operators kept a $22 million Change Healthcare ransom payment rather than splitting it with the affiliate who carried out the intrusion, effectively ended the operation.

What Happened

ALPHV/BlackCat emerged in November 2021, recruiting affiliates from the disbanded DarkSide and BlackMatter operations. The program offered affiliates up to 90% of ransom proceeds and supplied the supporting infrastructure: victim negotiation portals, a data-leak site, DDoS capability, and call-center style phone campaigns to pressure victims. Major attacks included Change Healthcare (2024), MGM Resorts (2023), Caesars Entertainment (2023), and Lehigh Valley Health Network (2023). The FBI disrupted ALPHV infrastructure in December 2023. ALPHV's March 2024 exit scam, in which the operators kept Change Healthcare's $22 million ransom without paying the affiliate that carried out the intrusion, effectively ended the group's operation.

Attack Vector Detail

ALPHV/BlackCat was the first major ransomware group to write its encryptor in Rust. The language choice mattered less for memory safety than for practicality: Rust compiles to fast native code that cross-compiles cleanly for several operating systems, and in 2021 reverse-engineering tooling and analyst familiarity with Rust binaries lagged well behind C/C++, which slowed analysis. BlackCat shipped builds for Windows, Linux, and VMware ESXi, so a single affiliate could encrypt hypervisor datastores and take down every virtual machine on a host rather than working guest by guest, reaching infrastructure that Windows-only tooling could not. The group ran a polished negotiation portal and maintained a professional public presence. After the FBI disrupted ALPHV infrastructure in December 2023 and released a decryption tool, ALPHV retaliated by lifting its restrictions on attacking hospitals and other critical infrastructure; the Change Healthcare exit scam ended the group shortly afterward.

Breach Pattern Timeline

November 2021

ALPHV/BlackCat ransomware emerges, operated by individuals previously associated with the DarkSide and BlackMatter operations (each of which had shut down and rebranded under law enforcement pressure). A Russian-speaking RaaS.

2021-2022

ALPHV pioneers Rust-language ransomware (fast, cross-platform, and harder to analyze with the tooling of the day). Establishes a searchable data-leak portal that lets anyone query stolen victim data by keyword, a new extortion pressure technique.

2022-2023

ALPHV becomes one of the top three ransomware brands by victim count. Major victims include MGM Resorts (September 2023, roughly $100M operational impact), Caesars Entertainment (September 2023, roughly $15M ransom), Henry Schein, Reddit, Western Digital, and many other enterprise organizations.

September 2023

ALPHV/BlackCat affiliate Scattered Spider carries out the high-profile MGM Resorts and Caesars Entertainment attacks, gaining initial access through voice phishing (vishing) of IT help desks: calling as an employee and talking help-desk staff into resetting credentials for that employee's account.

December 2023

The U.S. FBI announces it has infiltrated ALPHV's dark web infrastructure, obtained decryption keys, and offered a decryption tool to roughly 500 victims. ALPHV briefly retakes control of its leak site in defiance.

February 21, 2024

ALPHV/BlackCat affiliate deploys ransomware against Change Healthcare (a UnitedHealth Group subsidiary), the most consequential U.S. healthcare ransomware incident to date, with data of roughly 190 million Americans affected.

March 1, 2024

Reports surface that UnitedHealth Group paid ALPHV a $22M ransom in Bitcoin. Days later, ALPHV operators reportedly exit-scam their own affiliate, keeping the full $22M and disappearing without paying the affiliate's share.

March-April 2024

ALPHV brand effectively ceases. Many former ALPHV affiliates migrate to RansomHub (which emerges as successor brand). Stolen Change Healthcare data appears on RansomHub leak site for second extortion.

2024-2025

RansomHub becomes the most active ransomware brand by posted victims in 2024 and into 2025, absorbing ALPHV's affiliate base. ALPHV-associated individuals continue ransomware operations under multiple brands.

2024-2026

ALPHV case becomes the reference example for: (1) ransomware exit-scam dynamics, (2) re-extortion of the same victim by a successor group (RansomHub re-extorting Change Healthcare with the stolen data), (3) FBI infrastructure infiltration as a disruption strategy.

Total impact: the FBI's December 2023 figures put ALPHV at more than 1,000 victims and nearly $300 million in ransom payments across its 2021-2024 operations. The Change Healthcare $22M ransom and the exit scam that followed were the most consequential single event, and the case set the precedent for ransomware exit scams and successor-brand absorption (RansomHub).
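The September 2023 entry above attributes the MGM and Caesars intrusions to help-desk vishing: the affiliate talks an agent into resetting a target's password or MFA factor, then registers its own authenticator on the account. That sequence is visible in identity-provider audit logs, and the hunt below flags it. This is an added example written for this page, not code from ALPHV, Scattered Spider, or any vendor's product; the JSON log schema, event and field names, sample events, the privileged-user list and the per-user country baseline are all constructed assumptions for illustration.

```python
"""Added example: hunt for the help-desk reset -> new MFA factor sequence
in identity-provider audit logs. The JSON schema, field names, sample
events, privileged-user list and per-user country baseline are all
constructed assumptions for illustration, not any vendor's real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# A new MFA factor enrolled this soon after a help-desk reset gets reviewed.
WINDOW = timedelta(hours=2)

# Events a help-desk agent raises against someone else's account (assumed names).
RESET_EVENTS = {"helpdesk.password_reset", "mfa.factor_reset"}

# Constructed sample audit log, one JSON object per line.
SAMPLE_LOGS = """\
{"ts": "2023-09-08T13:02:11Z", "event": "helpdesk.password_reset", "actor": "svc-helpdesk", "user": "r.admin", "ip": "10.20.0.5", "country": "US"}
{"ts": "2023-09-08T13:04:40Z", "event": "mfa.factor_reset", "actor": "svc-helpdesk", "user": "r.admin", "ip": "10.20.0.5", "country": "US"}
{"ts": "2023-09-08T13:09:02Z", "event": "mfa.factor_enrolled", "actor": "r.admin", "user": "r.admin", "ip": "198.51.100.23", "country": "RO"}
{"ts": "2023-09-08T13:10:15Z", "event": "user.session_start", "actor": "r.admin", "user": "r.admin", "ip": "198.51.100.23", "country": "RO"}
{"ts": "2023-09-08T09:15:00Z", "event": "helpdesk.password_reset", "actor": "svc-helpdesk", "user": "j.doe", "ip": "10.20.0.5", "country": "US"}
{"ts": "2023-09-08T09:20:00Z", "event": "user.session_start", "actor": "j.doe", "user": "j.doe", "ip": "10.30.4.19", "country": "US"}
{"ts": "2023-09-08T10:00:00Z", "event": "mfa.factor_reset", "actor": "svc-helpdesk", "user": "t.nguyen", "ip": "10.20.0.5", "country": "US"}
{"ts": "2023-09-08T10:06:30Z", "event": "mfa.factor_enrolled", "actor": "t.nguyen", "user": "t.nguyen", "ip": "10.30.4.77", "country": "US"}
{"ts": "2023-09-07T18:00:00Z", "event": "mfa.factor_enrolled", "actor": "m.lee", "user": "m.lee", "ip": "10.30.4.40", "country": "US"}
"""

# Assumed directory context: who is privileged, and where each user usually signs in from.
PRIVILEGED_USERS = {"r.admin"}
USUAL_COUNTRIES = {"r.admin": {"US"}, "j.doe": {"US"}, "t.nguyen": {"US"}, "m.lee": {"US"}}


def parse_logs(text):
    """Parse JSON lines into event dicts, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def hunt_helpdesk_reset_chain(events, window=WINDOW, privileged=PRIVILEGED_USERS,
                              usual_countries=USUAL_COUNTRIES):
    """Return one finding per MFA enrolment that follows a help-desk reset.

    A help-desk agent (actor != user) resets the password or MFA factor, and
    within `window` the account enrols a new MFA factor. Every such pair is a
    finding; it is "high" when the enrolment comes from a country the user has
    no history in or the account is privileged, since that is what a vished
    reset looks like once the attacker registers their own authenticator.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, enrol in enumerate(evs):
            if enrol["event"] != "mfa.factor_enrolled":
                continue
            # Help-desk resets of this account inside the look-back window; self-service resets are excluded.
            resets = [r for r in evs[:i]
                      if r["event"] in RESET_EVENTS and r["actor"] != user
                      and enrol["ts"] - r["ts"] <= window]
            if not resets:
                continue
            reset = resets[-1]  # the most recent help-desk action before the enrolment
            reasons = []
            # An empty baseline means no sign-in history, which is treated as unusual too.
            if enrol.get("country") not in usual_countries.get(user, set()):
                reasons.append(f"enrolment from unusual country {enrol.get('country')}")
            if user in privileged:
                reasons.append("privileged account")
            findings.append({
                "user": user,
                "reset_event": reset["event"],
                "reset_ts": reset["ts"].isoformat(),
                "enrol_ts": enrol["ts"].isoformat(),
                "enrol_ip": enrol["ip"],
                "severity": "high" if reasons else "medium",
                "reasons": reasons,
            })
    # High-severity findings first, then alphabetical by user for stable triage order.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))


if __name__ == "__main__":
    for finding in hunt_helpdesk_reset_chain(parse_logs(SAMPLE_LOGS)):
        print(json.dumps(finding))
```

Run against the constructed sample, the hunt produces two findings: r.admin is rated high (enrolment from a country with no prior history on a privileged account), and t.nguyen is rated medium (a routine help-desk reset followed by enrolment from the usual country, which a human should still confirm with the employee out of band). j.doe's password reset with no new factor and m.lee's enrolment with no preceding reset produce nothing. The window, the baseline source and the severity rules are the knobs to tune against real help-desk volumes.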

Executive Lessons

ALPHV/BlackCat's use of Rust and of triple extortion (encryption, data publication, and DDoS against victims who refused to pay) represented a significant evolution in ransomware capability. The affiliate program attracted sophisticated technical operators, and the Change Healthcare attack demonstrated the catastrophic operational impact ransomware can have on critical health infrastructure. The exit scam also showed that the RaaS model creates misaligned incentives between operators and affiliates: the operator controls the wallet, so once a single payment is large enough, absconding pays better than sharing.


Private Equity Implications

ALPHV's aggressive targeting of healthcare organizations, and the Change Healthcare attack specifically, made it the highest-priority ransomware threat for PE sponsors with healthcare portfolio companies, and its affiliates carried the same tradecraft to successor brands. The affiliate model made ALPHV-grade attack sophistication available to any affiliate willing to hand the operators their cut of ransom proceeds (10% to 20%, the remainder of the up-to-90% affiliate share). Healthcare portfolio companies must be prepared for ALPHV-level sophistication regardless of whether they believe they are valuable enough to be targeted directly.

How Cloudskope Can Help

Cloudskope's threat intelligence incorporates ALPHV/BlackCat TTP coverage into defensive strategy. Our assessments evaluate client environments against the specific initial access and lateral movement techniques documented in BlackCat affiliate campaigns against peer organizations.

Frequently Asked Questions

What was ALPHV/BlackCat?

ALPHV (also known as BlackCat) was a Russia-affiliated ransomware-as-a-service operation that ran from late 2021 through early 2024 and became one of the most prolific ransomware groups in the world. Its encryptor was written in the Rust programming language, a technical novelty at the time, and its affiliates compromised hundreds of organizations including MGM Resorts, Caesars Entertainment, Change Healthcare, and Reddit.

How did ALPHV/BlackCat collapse?

ALPHV/BlackCat collapsed through a combination of law enforcement action and an internal exit scam. In December 2023, the FBI announced the disruption of ALPHV's infrastructure and offered a decryption tool to victims; the group resumed operations after the disruption. In March 2024, after receiving $22 million from UnitedHealth Group for the Change Healthcare breach, ALPHV's operators conducted an exit scam, keeping the entire ransom rather than sharing it with the affiliate who carried out the breach, and disappeared.

What did ALPHV/BlackCat establish?

ALPHV's operational pattern established the modern ransomware-as-a-service playbook: Rust-language encryptors for cross-platform reach, dedicated leak sites with countdown timers, sophisticated affiliate recruitment, and a third pressure layer beyond encryption and data publication, whether DDoS or direct extortion of a victim's customers and partners (the 'triple extortion' pattern). The Change Healthcare exit scam demonstrated that even within criminal ecosystems, the affiliate-operator relationship is unstable.

Where did ALPHV affiliates go?

Most ALPHV affiliates migrated to RansomHub, which emerged in February 2024 and rapidly became the largest ransomware operation by victim count for the remainder of 2024. The migration illustrated how ransomware operator disruption produces brand turnover rather than meaningful reduction in attack volume.

What did the FBI achieve against ALPHV?

The December 2023 FBI disruption seized ALPHV's leak site infrastructure and offered decryption capabilities to victims. ALPHV operators reconstituted infrastructure within days, illustrating the limits of infrastructure disruption against ransomware groups with redundant hosting and rapid rebuilding capability. The longer-term impact came from the internal collapse of the operation following the Change Healthcare exit scam rather than from law enforcement action directly.