ALPHV/BlackCat Ransomware Group Profile
Breach Summary
ALPHV/BlackCat was the most technically sophisticated ransomware-as-a-service operation of 2022-2024, responsible for the Change Healthcare breach, the MGM Resorts attack, and hundreds of other high-profile incidents. The group traced its lineage to DarkSide — the Colonial Pipeline attackers — through the BlackMatter RaaS, establishing BlackCat as the third-generation evolution of one of the most historically significant ransomware operations. The group's 2024 exit scam effectively ended the operation after a $22 million Change Healthcare ransom payment.
What Happened
ALPHV/BlackCat emerged in November 2021, recruiting affiliates from disbanded groups DarkSide and BlackMatter. The group offered affiliates up to 90% of ransom proceeds and provided sophisticated infrastructure including negotiation portals, DDoS capability, and call centers to pressure victims. Major attacks included Change Healthcare (2024), MGM Resorts (2023), Caesars Entertainment (2023), and Lehigh Valley Health Network (2023). The FBI disrupted ALPHV infrastructure in December 2023. ALPHV's March 2024 exit scam — taking Change Healthcare's $22 million ransom without paying the responsible affiliate — effectively ended the group's operation.
Attack Vector Detail
ALPHV/BlackCat was the first ransomware group to write its malware in Rust, a memory-safe programming language that made the ransomware faster, more portable across operating systems, and more resistant to analysis. BlackCat supported Windows, Linux, and VMware ESXi, enabling it to target virtual machine infrastructure that simpler tools could not reach. The group operated sophisticated negotiation infrastructure and maintained a professional public presence. The FBI disrupted ALPHV infrastructure in December 2023 and provided a decryption tool — ALPHV retaliated by removing restrictions on targeting hospitals before the Change Healthcare exit scam ended the group.
Breach Pattern Timeline
November 2021
ALPHV/BlackCat ransomware emerges. Operated by individuals previously associated with DarkSide and BlackMatter ransomware operations (which had each rebranded under law enforcement pressure). Russia-aligned RaaS.
2021-2022
ALPHV pioneers Rust-language ransomware (technically sophisticated, fast, hard to analyze). Establishes 'data leak' search portal allowing public to search stolen data — innovative extortion technique.
2022-2023
ALPHV becomes one of top 3 ransomware brands by victim count. Major victims include MGM Resorts (Sept 2023, $100M operational impact), Caesars Entertainment (Sept 2023, $15M ransom), Henry Schein, Reddit, Western Digital, and many enterprise organizations.
September 2023
ALPHV/BlackCat affiliate Scattered Spider executes high-profile MGM Resorts and Caesars Entertainment attacks via vishing-driven social engineering against IT help desks.
December 2023
U.S. FBI announces successful infiltration of ALPHV's dark web infrastructure. FBI seizes ALPHV decryption keys for ~500 victims. ALPHV briefly retakes its dark web sites in defiance.
February 21, 2024
ALPHV/BlackCat affiliate deploys ransomware against Change Healthcare (UnitedHealth subsidiary) — the most consequential U.S. healthcare ransomware attack in history, affecting ~190M Americans.
March 1, 2024
Reports surface that UnitedHealth Group paid ALPHV a $22M ransom in Bitcoin. Days later, ALPHV operators reportedly exit-scam their own affiliate — taking the full $22M and disappearing without paying the affiliate's share.
March-April 2024
ALPHV brand effectively ceases. Many former ALPHV affiliates migrate to RansomHub (which emerges as successor brand). Stolen Change Healthcare data appears on RansomHub leak site for second extortion.
2024-2025
RansomHub becomes most-active ransomware brand globally for 2024-2025, absorbing ALPHV's affiliate base. ALPHV-associated individuals continue ransomware operations under multiple brands.
2024-2026
ALPHV case becomes foundational precedent for: (1) ransomware exit scam dynamics, (2) double-extortion via successor groups (RansomHub re-extorting Change Healthcare data), (3) FBI infrastructure infiltration as a disruption strategy.
Total impact: an estimated 700+ victims and hundreds of millions of dollars in ransom payments during the 2021-2024 operations. The Change Healthcare $22M ransom and subsequent exit scam was the most consequential single event, and the case set the foundational precedent for ransomware exit scams and successor-brand absorption of affiliates (RansomHub).
Executive Lessons
ALPHV/BlackCat's use of Rust and triple extortion — encryption, data publication, and DDoS — represented a significant evolution in ransomware capability. The group's affiliate program attracted sophisticated technical operators, and their attack on Change Healthcare demonstrated the catastrophic operational impact ransomware can have on critical health infrastructure. ALPHV's exit scam also demonstrated that the RaaS ecosystem creates misaligned incentives between operators and affiliates.
Private Equity Implications
ALPHV's aggressive targeting of healthcare organizations — and the Change Healthcare attack specifically — makes it the highest-priority ransomware threat for PE sponsors with healthcare portfolio companies. The group's affiliate model made ALPHV-standard attack sophistication available to any affiliate willing to pay 20% of ransom proceeds. Healthcare portfolio companies must be prepared for ALPHV-level attack sophistication regardless of whether they believe they are high-value enough for direct targeting.