Threat Intelligence Tarot
Major Arcana · 19
Criminal (Russia-linked, RaaS)
G1006 · ★★★★★ · risk 5/5
✦ The Void ✦
BlackCat / ALPHV
ALPHV · Noberus · GOLD BLAZER
Healthcare · Energy · Government · Critical infrastructure
Active since ~2021 · Ransomware extortion, Data extortion, Triple extortion
Built in Rust, it encrypts Windows, Linux, and ESXi hosts with equal indifference. The Void is not personal - it is systematic. It chose Change Healthcare because Change Healthcare was everywhere, and when it encrypted, a third of US pharmacies went dark.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- Change Healthcare attack - disrupted US pharmacy systems nationwide (2024)
- MGM Resorts (in partnership with Scattered Spider)
- Written in Rust - cross-platform, Windows and Linux/ESXi variants
- Largest healthcare ransom payment: $22M
Defenses
- VMware ESXi and hypervisor hardening and patching (CIS VMware Benchmark)
- Healthcare data segmentation and minimum-necessary access (HIPAA Security Rule)
- Vulnerability management prioritizing internet-facing systems (CIS Control 7)
- Cyber insurance and tested incident response retainer (NIST CSF: RC)
Reversed: Their Weakness
BlackCat collapsed after the $22M Change Healthcare ransom payment, when its operators allegedly exit-scammed their own affiliates - keeping the payment and shutting down the infrastructure, destroying trust in the brand permanently.
Data sourced from MITRE ATT&CK. For educational purposes.