Get A Quote
Written by Cyber Threat Intelligence Unit on 21 August 2023

Unveiling ALPHV/BlackCat 2.0 Ransomware "Sphynx": A Comprehensive Threat Landscape Analysis

Estimate reading time: 5 to 6 minutes.


The world of ransomware is constantly in flux as cybercriminals adapt their techniques to overcome defenses and achieve maximum impact. The notorious ransomware collective ALPHV/BlackCat, formerly recognized as NOBERUS, has recently introduced an upgraded version of their Ransomware as a Service (RaaS), "Sphynx".

On February 21st, 2023, VX-underground reported a significant development: the ALPHV ransomware group had rolled out an update for their affiliates, unveiling a new ransomware variant named Sphynx. This new variant brings advancements in encryption speed and stealthiness, as highlighted in an April report by user X on Twitter.

Notably, Microsoft Threat Intelligence has identified the deployment of an upgraded variant of the BlackCat ransomware in ongoing operations. This new version integrates Impacket, an open-source communication framework tool employed by malicious actors to bolster lateral movement within their targeted systems.

The operators of BlackCat conveyed their satisfaction with the progress, stating, "We are pleased to inform you that testing of basic features ALPHV/BlackCat 2.0: Sphynx is completed," in a message addressed to their affiliates.

  1. Evolution of ALPHV/BlackCat:

ALPHV/BlackCat, a key player within the ransomware sphere, has undergone a significant metamorphosis. The group has completely overhauled its RaaS offering in response to the evolving cybersecurity landscape. This strategic adaptation aims to counter sophisticated defenses and rival threat actors. The Sphynx ransomware was discovered by cybersecurity experts at Vx underground, who stumbled upon a communication from BlackCat to its affiliates unveiling this noteworthy product update.

  1. Enhanced Features and Empowered Capabilities:

The Sphynx ransomware boasts enhanced features designed to heighten its efficacy while evading detection. Among these enhancements is integrating open-source tools such as Impacket and RemCom. These tools are pivotal in executing remote operations and lateral movements within the targeted victim's infrastructure. The enhancements serve dual purposes: firstly, prolonging the duration during which the ransomware remains hidden from antimalware and endpoint detection and response (EDR) systems, and secondly, optimizing the encryption process for swift and efficient data lockdown.

  1. Affiliate Engagement and Operational Campaigns:

Initially limited to established affiliates, the Sphynx ransomware gradually extends its availability to newer participants. Microsoft's Security Intelligence team observed the deployment of this new version during a campaign in July 2023 involving an affiliate identified as "storm-0875." This observation underscores this ransomware variant's growing influence and increasing prevalence within the threat landscape.

  1. Innovative Infection Methodologies:

ALPHV/BlackCat affiliates have demonstrated adaptability by adopting innovative infection strategies to propagate ransomware. Employing malvertising as a vector, they promote tampered versions of commonly used IT tools, enticing unsuspecting victims and perpetuating the infection cycle. This tactic underscores the group's sophistication and emphasizes the necessity for heightened caution when interacting with seemingly legitimate software.

  1. Implications and Best Practices:

Given ALPHV/BlackCat's history as a formidable player in the ransomware arena, the emergence of the Sphynx ransomware version amplifies the risk for organizations. To mitigate these threats effectively, the following recommendations are recommended:

    • Strategic Backup Planning: Develop a comprehensive backup strategy to ensure swift data restoration in the event of an attack.
    • Advanced EDR and XDR Implementations: Employ state-of-the-art endpoint detection and response (EDR) and extended detection and response (XDR) solutions aligned with the latest cybersecurity standards.
    • Breach Preparedness and Drills: Conduct breach preparedness exercises and simulated scenarios to equip teams with the skills to respond efficiently to potential ransomware incidents.
    • Source Verification: Rigorously authenticate the sources of software before installation to prevent inadvertent incorporation of compromised tools.
    • Stringent User Privilege Management: Enforce stringent user privilege protocols to minimize the potential avenues of attack.



The emergence of the Sphynx ransomware by ALPHV/BlackCat underscores the dynamic and evolving landscape of ransomware threats. With its advanced features, innovative infection strategies, and increasing affiliate engagement, this new iteration poses a significant risk to organizations worldwide.
To ensure robust defense against ransomware attacks and safeguard critical data and operational continuity, businesses must implement recommended security measures.

Stay ahead of emerging cyber threats by staying informed and vigilant.

Explore our Cyber Threat Intelligence page for valuable insights into the latest threat landscapes and practical strategies to protect your digital assets: Visit our Cyber Threat Intelligence page



Request a quote

Related Posts