The BlackCat ransomware (also tracked as ALPHV by some research groups) emerged in public reporting in late November 2021 (MalwareHunterTeam's first public reference on November 21; The Record's reporting on the BlackCat emergence). The implementation is in Rust — the first major ransomware operator cluster to use a memory-safe systems language for the principal payload — and the codebase reflects the operational maturity of an operator cluster with substantial development resources. On multiple research groups' analysis, the cluster is likely a rebrand of, or successor to, one of the earlier major operator clusters; the specific lineage continues to be debated.
The Rust implementation choice is the part of the case that has me reorganising the EmilyAI detection content for 2022. The signature-based detection content that has been adequate against the C++-implemented payloads of the previous-generation operators (Conti, Sodinokibi, DarkSide) is structurally less effective against Rust-implemented payloads — the compiled code structure is different, the standard-library code patterns differ, and the existing signature corpus does not transfer. The detection-engineering work to address Rust-implemented payloads is more behaviour-based than signature-based, and the customer-organisation detection content needs to evolve correspondingly.
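To make the behaviour-versus-signature point concrete, here is an added example (not code from the original post, and not EmilyAI product code) of one behavioural signal that does not care what language the payload was compiled in: a process that renames many files to a single new extension, across several directories, inside a short window. The event fields, thresholds, process names and paths are all constructed assumptions for illustration; real telemetry (Sysmon file-rename events, EDR file telemetry) would be mapped onto the same shape.

```python
"""Behaviour-based detection of ransomware-like mass file renaming.

Added example for illustration only. It is not the original post's code and
not EmilyAI's product logic. Every event below is constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple
import ntpath

WINDOW = timedelta(seconds=60)  # sliding window per process
THRESHOLD = 20                  # extension-changing renames in the window that trip an alert
MIN_DIRS = 3                    # activity must span at least this many directories


@dataclass(frozen=True)
class FileEvent:
    """One file-rename event from endpoint telemetry (assumed schema)."""
    ts: datetime
    pid: int
    image: str
    old_path: str
    new_path: str


@dataclass
class Alert:
    pid: int
    image: str
    count: int
    new_ext: str
    dirs: int
    first_seen: datetime
    last_seen: datetime


def _ext(path: str) -> str:
    """Lower-cased final extension of a Windows path ('' if none)."""
    return ntpath.splitext(path)[1].lower()


def detect_mass_rename(events: List[FileEvent], window: timedelta = WINDOW,
                       threshold: int = THRESHOLD, min_dirs: int = MIN_DIRS) -> List[Alert]:
    """Flag each process that renames >= threshold files to one new extension,
    spread over >= min_dirs directories, within a sliding time window.

    The heuristic ignores renames that keep the extension (ordinary edits) and
    alerts at most once per pid. Thresholds must be tuned per environment.
    """
    recent: Dict[int, Deque[Tuple[datetime, str, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if _ext(e.old_path) == _ext(e.new_path):
            continue  # same extension: not the pattern we are looking for
        q = recent[e.pid]
        q.append((e.ts, _ext(e.new_path), ntpath.dirname(e.new_path).lower()))
        while q and e.ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        if e.pid in alerted or len(q) < threshold:
            continue
        exts = {x[1] for x in q}
        dirs = {x[2] for x in q}
        # Ransomware typically converges on one new extension across many directories;
        # a batch converter working in one folder does not meet the min_dirs bar.
        if len(exts) == 1 and len(dirs) >= min_dirs:
            alerted.add(e.pid)
            alerts.append(Alert(e.pid, e.image, len(q), exts.pop(), len(dirs), q[0][0], e.ts))
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: two benign processes and one suspect process."""
    base = datetime(2021, 12, 1, 9, 0, 0)
    ev: List[FileEvent] = []
    # Benign: a user renames a handful of documents over two minutes.
    for i in range(5):
        ev.append(FileEvent(base + timedelta(seconds=25 * i), 1204, r"C:\Windows\explorer.exe",
                            rf"C:\Users\alice\Documents\draft{i}.txt",
                            rf"C:\Users\alice\Documents\draft{i}.md"))
    # Benign: a batch image converter changes many extensions, but in a single directory.
    for i in range(25):
        ev.append(FileEvent(base + timedelta(seconds=i), 3310, r"C:\Tools\convert.exe",
                            rf"C:\Media\export\img{i}.png", rf"C:\Media\export\img{i}.webp"))
    # Suspect: an unknown binary renames 40 files across 8 share directories in 20 seconds.
    for i in range(40):
        d = i % 8
        ev.append(FileEvent(base + timedelta(seconds=0.5 * i), 4412, r"C:\Users\Public\unknown.exe",
                            rf"C:\Shares\dept{d}\file{i}.docx",
                            rf"C:\Shares\dept{d}\file{i}.docx.locked"))
    return ev


if __name__ == "__main__":
    for a in detect_mass_rename(build_sample_events()):
        print(f"ALERT pid={a.pid} image={a.image} renames={a.count} "
              f"ext={a.new_ext} dirs={a.dirs} {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
```

On the constructed input only the unknown binary trips the rule: the user's renames are too few per window, and the converter changes many extensions but stays inside one directory. The point is that none of the three decisions looked at the binary's bytes, so the rule is indifferent to whether the payload was built with MSVC or rustc; its weakness is the opposite one, tuning the thresholds so that legitimate bulk-rename tooling in a given estate does not page the on-call analyst.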
The wider strategic point is that the operator-side capability continues to develop. The 2021 ransomware-operator landscape, on year-end accounting, includes:
The operationally mature clusters that have been continuously active through 2020 and into 2021 — Conti, Sodinokibi/REvil (with substantial 2021 disruption from law enforcement and operator-side infrastructure issues), DarkSide/BlackMatter, LockBit, and others.
The newer clusters — BlackCat/ALPHV is the most operationally interesting late-2021 entrant, but several others have surfaced through Q4 with comparable sophistication.
The continued ransomware-as-a-service affiliate model, which disperses operational tradecraft across the operator ecosystem — affiliates of different cluster operators use comparable techniques and tooling, which makes attribution and ecosystem mapping operationally challenging.
For the customer-portfolio briefings, the BlackCat emergence is the operational example for the continued-evolution conversation that will define the 2022 strategic planning. The defensive disciplines that I have been writing about for years — segmentation, identity-and-privileged-access controls, data-egress visibility, incident-response readiness — remain the substantive answer. The detection-engineering work continues to need updating against the technique evolution. The team's 2022 product-roadmap conversations are reflecting this.
I will write more as the BlackCat-related case data accumulates through Q1 2022.