LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile ALPHV

ALPHV/BlackCat: From Rust-Powered Innovation to the Ransomware Exit Scam of the Decade

ALPHV (BlackCat) was the most technically sophisticated ransomware-as-a-service operation of its era. This profile covers its innovations, the Change Healthcare attack, the FBI takedown, the $22 million exit scam, and the successor ecosystem it left behind.

By Ransomware Tracker ·
ALPHVBlackCatransomwareexit scamChange HealthcareUnitedHealthRansomHubEmbargoFBICISAtriple extortion2026
Threat Level
8/10
Sectors Targeted
healthcare
financial-services
critical-infrastructure
legal
technology
Ransomware Family
ALPHV

Overview

ALPHV, known publicly as BlackCat, operated as a ransomware-as-a-service (RaaS) platform from November 2021 until its effective dissolution in early 2024. In that window — roughly 27 months — it became the second most prolific ransomware operation globally by victim count, claimed hundreds of high-profile victims across healthcare, energy, financial services, and critical infrastructure, and then concluded with one of the most audacious exit scams in ransomware history: pocketing a reported $22 million from the Change Healthcare attack and disappearing, leaving affiliates unpaid.

The group’s technical legacy persists. Many of its estimated 90+ affiliates migrated to RansomHub — which some analysts assess as partly staffed by former ALPHV insiders — and the Embargo ransomware group has been identified as a probable successor based on infrastructure and code overlaps. The TTPs ALPHV pioneered, including Rust-based cross-platform encryptors and regulatory extortion, have been adopted across the ransomware ecosystem.

Technical Innovations

Rust-Based Cross-Platform Encryptor

When ALPHV debuted in 2021, its most distinguishing technical feature was a ransomware binary written in Rust — then an unusual choice in a landscape dominated by C/C++ and .NET. The advantages were significant:

  • Cross-platform compilation: The same codebase produced Windows, Linux, and ESXi encryptors, allowing affiliates to attack heterogeneous environments without maintaining separate tooling
  • Memory safety: Rust’s memory model produced a more reliable encryptor with fewer runtime crashes during deployment — a practical affiliate-facing feature
  • Anti-analysis: Rust binaries are harder to reverse-engineer than C# or VB .NET equivalents, reducing automated sandbox detection rates

The VMware ESXi encryptor was particularly impactful. At a time when most enterprises had shifted significant workloads to virtualisation, a single ESXi host could hold dozens of VMs. ALPHV affiliates targeted hypervisors directly, encrypting the underlying VMDK files rather than attacking individual VMs — achieving mass encryption of an organisation’s virtual estate in hours.

Triple Extortion Model

ALPHV introduced what became known as triple extortion:

  1. Encryption: traditional ransomware data lock
  2. Data exfiltration and threatened publication: data published to the group’s “ALPHV Collections” leak site if ransom not paid
  3. Regulatory notification: ALPHV threatened to file complaints with regulators (SEC, state data protection authorities) about the victim’s breach if the ransom was not paid — weaponising regulatory obligation as leverage

The regulatory extortion tactic was novel. In late 2023, ALPHV filed an SEC complaint against MeridianLink alleging the company had failed to disclose a breach within the required four days, using the company’s own regulatory exposure as a pressure tactic.

Affiliate Portal and Service Model

The ALPHV RaaS platform offered affiliates a sophisticated negotiation interface, a data leak site, a ransomware builder for custom configurations, and a detailed operational playbook. The affiliate split was typically 80/20 — affiliates retaining 80% of ransom payments, ALPHV taking 20% — with higher splits available for affiliates bringing consistently large ransoms.

Major Incidents

MGM Resorts and Caesars Entertainment (September 2023)

Two of the largest ransomware incidents of 2023 involved ALPHV affiliates. Scattered Spider, a social engineering-specialist affiliate group, compromised MGM Resorts International through a vishing attack against IT helpdesk staff. The attack caused an estimated $100 million in damages and disrupted MGM casino and hotel operations across Las Vegas for weeks. Caesars Entertainment paid a reported $15 million ransom to avoid operational disruption.

Change Healthcare (February 2024)

The Change Healthcare attack became the most consequential ransomware incident in US healthcare history. Change Healthcare, a subsidiary of UnitedHealth Group, operates the largest healthcare payment processing network in the United States — at the time of the attack, processing roughly 15 billion transactions annually and touching approximately 40% of US healthcare claims.

ALPHV affiliate NOTCHY (later identified as operating under the group Scattered Spider overlap) gained access through compromised Citrix credentials on an account without multi-factor authentication. The attackers spent approximately nine days in the network before deploying the encryptor.

The disruption cascaded across the US healthcare system: pharmacies could not process insurance claims, hospitals couldn’t verify patient coverage, and healthcare providers faced a cash flow crisis. Immediate financial impact to UnitedHealth Group was estimated at over $870 million in the first quarter alone.

UnitedHealth Group paid a reported $22 million ransom — reportedly in Bitcoin — to ALPHV to obtain a decryption key.

The FBI Takedown and Exit Scam

In December 2023, the US Department of Justice and FBI, in coordination with European partners, disrupted ALPHV’s infrastructure. Law enforcement seized the group’s leak site and negotiation portals, publishing a message claiming to have taken control of the servers and obtained decryption keys for victims.

ALPHV briefly regained control of its leak site, posting a counter-notification that their servers had not been seized and that affiliates should continue operations. Within days, the group restored operational capability.

The disruption had limited long-term impact. ALPHV continued operating through the Change Healthcare attack in February 2024. Then, following the $22 million payment from UnitedHealth Group, the group shut down its RaaS infrastructure and disappeared — without distributing the ransom payment to the NOTCHY affiliate who had conducted the attack.

This exit scam — keeping the $22 million while abandoning affiliates — was immediately visible on the cybercriminal forums where ALPHV operated. NOTCHY published a statement on RAMP forum claiming ALPHV had scammed them of their share. The reputational damage ended ALPHV’s ability to attract affiliates, accelerating its dissolution.

Successor Ecosystem

RansomHub

RansomHub launched in February 2024 and rapidly became the most active ransomware operation by victim count through 2024-2025. Multiple analyses — from Symantec, GuidePoint Security, and others — identified RansomHub affiliates that had previously operated under ALPHV. The group uses an aggressive 90/10 affiliate split (affiliates keep 90%), deliberately contrasting with ALPHV’s broken promises.

CISA issued a joint advisory with the FBI, HHS, and MS-ISAC in August 2024 warning that RansomHub had compromised over 210 victims across critical infrastructure sectors. By the end of 2025, RansomHub led ransomware victim statistics for the year.

Embargo

Recorded Future and TRM Labs have assessed Embargo as a possible ALPHV successor or rebranding, based on cryptocurrency wallet infrastructure overlaps and similar operational patterns. The group emerged in mid-2024 and has accumulated an estimated $34 million in transactions. It targets mid-to-large enterprises and uses the same triple-extortion model ALPHV pioneered.

Scattered Spider

Several Scattered Spider members who had operated as ALPHV affiliates faced law enforcement action following the MGM/Caesars incidents and the Change Healthcare disruption. Arrests occurred in 2024 across the US and UK. The group’s remaining members migrated to operating under other RaaS platforms.

Impact and Legacy

ALPHV’s operational period resulted in over $300 million in documented ransom payments across its known incidents. Its non-documented victim payments are assessed to be substantially higher.

The Change Healthcare attack prompted direct regulatory response: the HHS proposed mandatory cybersecurity requirements for healthcare entities covered under HIPAA, specifically requiring MFA for all internet-facing systems and network segmentation — two controls that were absent or inadequate in Change Healthcare’s environment at the time of the attack.

The exit scam permanently damaged trust between RaaS operators and affiliates, contributing to the fragmentation of the ransomware ecosystem into smaller, less centralised groups and the migration of experienced affiliates to platforms offering credible affiliate payment guarantees.

From a defensive perspective, ALPHV’s most significant legacy is the Rust-based cross-platform encryptor. The ransomware ecosystem has largely adopted cross-platform support as a standard, and detecting Rust binaries requires signature updates that many organisations have not deployed to their EDR policies.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting