
Picus Security Details ALPHV/BlackCat Ransomware Tactics After Change Healthcare Attack

Picus Security has released an in-depth analysis of the ALPHV/BlackCat ransomware group, detailing their tactics and techniques following the significant attack on Change Healthcare.

15 June 2026

Cybersecurity firm Picus Security has published a detailed analysis of the ALPHV ransomware group, also known as BlackCat. The group gained significant attention after its attack on Change Healthcare in February 2024, which severely disrupted the U.S. healthcare sector.

Following the attack, Change Healthcare reportedly paid a $22 million ransom to ALPHV. The breach compromised the personal information of over 100 million individuals, marking the largest healthcare data breach in U.S. history. The U.S. Department of State has offered rewards for information leading to the identification or capture of ALPHV/BlackCat leaders.

Picus Security's analysis focuses on a specific malware sample, "Asss1exe.bin," which was still under active analysis as of late January 2025. This indicates the group's ongoing operations and the continued threat they pose. The report delves into the specific tactics, techniques, and procedures (TTPs) employed by the threat actors.

BlackCat operates on a Ransomware-as-a-Service (RaaS) model, providing its ransomware to other cybercriminals in exchange for a share of the profits. The group attracts affiliates by offering a substantial profit share, reportedly 80-90%, which incentivizes reinvestment and operational scaling. This business model is crucial to the group's expansion and impact.

The ALPHV/BlackCat group has been associated with several other high-profile cyber incidents. These include a data breach at Reddit in February 2023 and attacks against MGM Resorts and Caesars Entertainment in September 2023. These incidents highlight the group's evolving sophistication and widespread impact on major organizations.

Original source: picussecurity.com