S1068: BlackCat
BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[1][2][3]
Analyst context for executives and security teams
BlackCat is a ransomware family written in Rust and offered through a ransomware-as-a-service model. For leaders, the important point is not the language it is written in, but the breadth of behaviors ATT&CK associates with it: discovery of users, systems, shares, storage, and domain groups; movement of tools; privilege-related activity; impairment of defenses and recovery; and data encryption or destructive impact. This makes BlackCat relevant to business continuity planning, backup resilience, privileged access governance, Windows/Linux endpoint visibility, and incident response readiness.
Executive priority
Treat this as a ransomware readiness benchmark rather than a single malware signature problem. Executives should ask whether the organization can detect and contain pre-encryption discovery and lateral tool transfer, whether recovery paths can withstand attempts to inhibit system recovery, and whether Windows and Linux coverage is consistent. The relationship to Scattered Spider in ATT&CK adds threat-intelligence relevance, but local exposure and prioritization should be based on the organization’s identity controls, backup design, critical service dependencies, and SOC telemetry maturity.
Technical view
ATT&CK does not provide an official detection section for BlackCat, so validation should be behavior-led using the mapped techniques. SOC and IR teams should test visibility for Windows command shell and WMI execution, registry modification, token/UAC-related privilege activity, Windows event log clearing, domain account/group enumeration, remote system and network share discovery, local storage and file discovery, lateral file transfer, service stopping, recovery inhibition, encryption-for-impact, internal defacement, and disk content wipe behaviors. Coverage should be verified across the platforms listed for the malware object (Linux and Windows), while recognizing that some related techniques list additional platforms in ATT&CK.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows and Linux
- Windows event logs, including Security, System, Application, and log-clearing events
- WMI activity and remote management execution evidence
- Registry modification telemetry
- Identity and directory queries for domain users, groups, and permissions
Detection direction
- Prioritize detections for behavior chains rather than a malware name alone: discovery followed by lateral transfer, privilege activity, defense impairment, recovery inhibition, and encryption or wipe activity.
- Tune discovery detections to distinguish administrative inventory activity from unusual enumeration by unexpected users, hosts, timing, or scope.
- Validate alerting for WMI and command shell execution used from unusual parent processes, accounts, or remote sources.
- Confirm that attempts to clear Windows Event Logs are collected centrally so endpoint log deletion does not remove the only evidence.
- Correlate domain account, group, remote system, and share discovery with later service stopping or file modification spikes.
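As an added example (not part of the ATT&CK object or of Glexia's analysis), the Python below applies the chain-first approach from these bullets: it matches the command strings quoted in this page's technique table against constructed process-creation log lines and flags a host only when several stages appear together, so routine `net use` from an administrator does not fire alone. The log line format, field names, stage labels and sample hosts are assumptions made for the example.

```python
import re
from collections import defaultdict

# Command patterns lifted from the procedure text in this page's technique table,
# keyed by the ATT&CK ID shown there and the stage the bullets above group it under.
SIGNATURES = [
    ("T1490", "recovery_inhibition", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "recovery_inhibition", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "recovery_inhibition", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("T1685.005", "defense_impairment", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1222.001", "defense_impairment", re.compile(r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation", re.I)),
    ("T1570", "lateral_transfer", re.compile(r"\bpsexec(\.exe)?\b", re.I)),
    ("T1087.002", "discovery", re.compile(r"\bnet(1)?(\.exe)?\s+use\b", re.I)),
]

# Assumed (constructed) line format: "<ts> host=<h> user=<u> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def classify(cmdline):
    """Return the (technique, stage) pairs a single command line matches."""
    return {(tid, stage) for tid, stage, rx in SIGNATURES if rx.search(cmdline)}


def score_hosts(lines, min_stages=2):
    """Flag hosts whose matches span at least min_stages distinct stages and
    include defense impairment or recovery inhibition; discovery alone never fires."""
    hosts = defaultdict(lambda: {"techniques": set(), "stages": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        for tid, stage in classify(m["cmd"]):
            hosts[m["host"]]["techniques"].add(tid)
            hosts[m["host"]]["stages"].add(stage)
    flagged = {}
    for host, h in hosts.items():
        impairing = h["stages"] & {"defense_impairment", "recovery_inhibition"}
        if len(h["stages"]) >= min_stages and impairing:
            flagged[host] = sorted(h["techniques"])
    return flagged


# Constructed sample log: FS01 shows a multi-stage chain; WS17 is a user mapping a drive.
SAMPLE_LOG = [
    "2024-05-01T02:10:41Z host=FS01 user=svc_admin cmd=net use \\\\DC01\\IPC$",
    "2024-05-01T02:11:03Z host=FS01 user=svc_admin cmd=psexec.exe \\\\APP02 cmd.exe",
    "2024-05-01T02:12:30Z host=FS01 user=svc_admin cmd=wevtutil.exe cl Security",
    "2024-05-01T02:12:58Z host=FS01 user=svc_admin cmd=vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T02:13:20Z host=FS01 user=svc_admin cmd=bcdedit /set {default} recoveryenabled No",
    "2024-05-01T09:02:11Z host=WS17 user=jdoe cmd=net use H: \\\\FS01\\home",
]
```

Running `score_hosts(SAMPLE_LOG)` flags only FS01, listing the four technique IDs observed there; in production the per-host grouping would also be bounded by a time window and joined to parent-process and account context.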
Mitigation priorities
- Sequence controls around ransomware resilience: least privilege, hardened administrative access, segmentation, tested backups, and recovery controls that are monitored for tampering.
- Restrict and monitor administrative execution paths such as WMI, command shell usage, registry modification, service control, and file permission changes.
- Reduce lateral movement opportunity by limiting unnecessary shares, controlling internal file transfer paths, and monitoring privileged access to shared storage.
- Protect backup and recovery mechanisms from routine domain compromise, and test restoration under an incident scenario where recovery features may have been disabled or deleted.
- Ensure endpoint, identity, and logging controls cover both Windows and Linux assets that support critical business services.
Analyst notes and limits
The supplied ATT&CK object identifies BlackCat as Rust-based ransomware offered via RaaS, first observed in November 2021, and used against multiple sectors and regions. ATT&CK also records that Scattered Spider uses this object and maps BlackCat to multiple discovery, execution, privilege, defense-impairment, lateral-movement, and impact techniques. This take intentionally focuses on defensive decision value and does not infer current activity, specific victim exposure, or guaranteed detection.
MITRE does not provide an official detection section for this object, and the object-level tactics are not specified. Technique relationships give useful behavioral context, but local validation is required to determine which behaviors are relevant, visible, and actionable in a given environment. Platform coverage should be interpreted conservatively from the supplied object platforms and related technique platforms.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1570 | Lateral Tool Transfer | BlackCat can replicate itself across connected servers via `psexec`. [1] |
| Enterprise | T1685.005 | Clear Windows Event Logs | BlackCat can clear Windows event logs using `wevtutil.exe`. [1] |
| Enterprise | T1018 | Remote System Discovery | BlackCat can broadcast NetBIOS Name Service (NBNC) messages to search for servers connected to compromised networks. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances. [1] |
| Enterprise | T1489 | Service Stop | BlackCat has the ability to stop VM services on compromised networks. [1][2] |
| Enterprise | T1082 | System Information Discovery | BlackCat can obtain the computer name and UUID. [1] |
| Enterprise | T1548.002 | Bypass User Account Control | BlackCat can bypass UAC to escalate privileges. [1] |
| Enterprise | T1087.002 | Domain Account | BlackCat can utilize `net use` commands to identify domain users. [1] |
| Enterprise | T1112 | Modify Registry | BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` [1] |
| Enterprise | T1069.002 | Domain Groups | BlackCat can determine if a user on a compromised host has domain admin privileges. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | BlackCat can use `wmic.exe` to delete shadow copies on compromised networks. [1] |
| Enterprise | T1680 | Local Storage Discovery | BlackCat can enumerate local drives. [1] |
| Enterprise | T1135 | Network Share Discovery | BlackCat has the ability to discover network shares on compromised networks. [1][2] |
| Enterprise | T1222.001 | Windows Permissions | BlackCat can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks. [1] |
| Enterprise | T1491.001 | Internal Defacement | BlackCat can change the desktop wallpaper on compromised hosts. [1][2] |
| Enterprise | T1561.001 | Disk Content Wipe | BlackCat has the ability to wipe VM snapshots on compromised networks. [1][2] |
| Enterprise | T1059.003 | Windows Command Shell | BlackCat can execute commands on a compromised network with the use of `cmd.exe`. [1] |
| Enterprise | T1083 | File and Directory Discovery | BlackCat can enumerate files for encryption. [1] |
| Enterprise | T1033 | System Owner/User Discovery | BlackCat can utilize `net use` commands to discover the user name on a compromised host. [1] |
| Enterprise | T1490 | Inhibit System Recovery | BlackCat can delete shadow copies using `vssadmin.exe delete shadows /all /quiet` and `wmic.exe Shadowcopy Delete`; it can also modify the boot loader using `bcdedit /set {default} recoveryenabled No`. [1] |
| Enterprise | T1134 | Access Token Manipulation | BlackCat has the ability to modify access tokens. [1][2] |
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | fd84985015c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft BlackCat Jun 2022: Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
[2] Sophos BlackCat Jul 2022: Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
[3] ACSC BlackCat Apr 2022: Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.
[4] ALPHV (alias of BlackCat): (Citation: Microsoft BlackCat Jun 2022) (Citation: ACSC BlackCat Apr 2022)
[5] Noberus (alias of BlackCat): (Citation: ACSC BlackCat Apr 2022)
[6] mitre-attack S1068
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.