This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero.

BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates’ more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted in the group publishing sensitive data, including financial and medical information stolen from the victim organizations, to their leak site.

Ransomware groups like BlackCat that are able to shift their tooling and tradecraft to make their operations faster and stealthier have a better chance of extending their lifespan. X-Force has observed BlackCat affiliates continue to hone their operations in order to increase the likelihood of successful impact, namely data theft and encryption. Attackers automated the data exfiltration portion of the operation using ExMatter, a custom malware capable of ‘melting’ (self-deletion). In addition, the BlackCat group recently released a new version of their ransomware, dubbed Sphynx, with upgraded capabilities meant to thwart defensive measures.

While evolving tactics to delay or prevent detection and evade analysis present renewed challenges, knowing which tactics, techniques and procedures attackers are most likely to employ can help defenders seeking to disrupt and defeat ransomware attacks. This blog details the recently deployed tactics of BlackCat and other ransomware groups described above, and explains how organizations can best protect themselves by knowing what to look for in their environments.