The PolySwarm Blog


ALPHV Targeting ONG, Critical Infrastructure Entities

Feb 23, 2024 2:25:34 PM / by The Hivemind

Verticals Targeted: Critical Infrastructure, Energy, Oil & Gas

Executive Summary

ALPHV recently claimed responsibility for a cybersecurity incident targeting Canada's Trans-Northern Pipelines.

Key Takeaways

  • ALPHV recently claimed responsibility for a cybersecurity incident targeting Canada's Trans-Northern Pipelines. 
  • ALPHV threat actors reportedly stole around 190 GB of data and threatened to leak the data if Trans-Northern Pipelines did not pay the ransom. 
  • ALPHV/BlackCat is ransomware as a service (RaaS) and was likely the first ransomware family written in Rust.
  • ALPHV was observed targeting multiple critical infrastructure entities in late 2023. 
  • In PolySwarm's 2024 Malware to Watch, our analysts predicted an increase in the number of critical infrastructure entities targeted by ALPHV ransomware. 

What is ALPHV?

ALPHV recently claimed responsibility for a cybersecurity incident targeting Canada's Trans-Northern Pipelines. Various industry news sources, including The Register, recently reported on this activity. 

ALPHV/BlackCat ransomware as a service (RaaS), thought to be the first ransomware family written in Rust, was first observed in late 2021. It includes a highly customizable feature set allowing for attacks on a wide range of targets. The malware has evolved over time. Being RaaS, ALPHV is used by various threat actors to compromise both targets of opportunity and specific entities.

The threat actors behind ALPHV are a financially motivated group known for ransomware operations. Industry researchers have speculated that the group’s members are likely based in the UK or Europe. The group is known for multiple ransomware variants sharing similar code, including ALPHV, BlackCat, Sphynx, and Noberus.

ALPHV is known to target multiple verticals, including construction, engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunications, auto components, healthcare, pharmaceuticals, gambling, and critical infrastructure.

ALPHV is proficient in social engineering tactics and human-operated ransomware attacks. The group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments.

Threat actors behind ALPHV are known to use double and triple extortion tactics, charging a ransom to decrypt files and threatening to disclose files or engage in DDoS attacks if the ransom is not paid. They are also known to be ruthless in their pursuit of ransom payments. In November 2023, the group compromised the software company MeridianLink and followed up on the attack by filing a U.S. Securities and Exchange Commission complaint against the victim for not complying with the SEC’s four-day cyberattack disclosure rule.

The Trans-Northern Pipelines Incident

Trans-Northern Pipelines is an oil and gas (ONG) entity that operates a large expanse of pipelines in Ontario and Quebec, as well as Alberta. The pipelines transport refined petroleum products, including gasoline, diesel fuel, aviation fuel, and heating fuel. Trans-Northern Pipelines confirmed they experienced a cybersecurity incident in November 2023. ALPHV threat actors reportedly stole around 190 GB of data and threatened to leak the data if Trans-Northern Pipelines did not pay the ransom. As of this writing, some of the files have already been leaked.

The attack on Trans-Northern Pipelines has been compared to the 2021 ransomware attack on US-based Colonial Pipeline. The Colonial Pipeline attack led to the pipeline being temporarily shut off, causing fuel shortages on the US East Coast. The DarkSide ransomware group was responsible for the Colonial Pipeline attack. It is interesting to note that ALPHV is linked to BlackMatter, which industry researchers previously assessed to be a rebrand of DarkSide. While ALPHV, sometimes referred to as BlackCat, is not a rebrand of BlackMatter, the groups are thought to be closely linked and may share affiliates.

Additional Attacks on Critical Infrastructure Entities 

ALPHV has targeted multiple critical infrastructure entities in recent months. They claimed responsibility for a cyber incident affecting Lower Valley Energy, a US-based utility cooperative, in December 2023. ALPHV claimed responsibility for an attack on SerCide, a Spanish electricity provider, which also occurred in late 2023. ALPHV also recently ransomed Rush Energy Services, a Canadian company that specializes in crude oil custom treating and water management facilities. 


Cyber threats pose a significant risk to the energy vertical, which encompasses various sectors such as oil and gas, electricity, renewable energy, utilities, and related critical infrastructure entities. In 2023, industry researchers reported on the rise of ransomware attacks targeting energy sector entities, including those in the nuclear and oil & gas subsectors.

Ransomware attacks on critical infrastructure entities are particularly dangerous, as they can potentially sabotage operations by locking down critical systems. These attacks can disrupt the functioning of energy grids, leading to power outages, service disruptions, and even physical damage.

Another threat ransomware poses to the energy sector is the theft of sensitive data and intellectual property. Energy companies often possess valuable information related to exploration, production, and distribution of resources. Cybercriminals may target these organizations to gain access to proprietary data, including geological surveys, engineering designs, and trade secrets. A threat actor selling or leaking this information can have far-reaching consequences, compromising a company's competitive edge, disrupting operations, and resulting in financial losses.

PolySwarm Tracks ALPHV Activity

PolySwarm is actively tracking ALPHV ransomware. PolySwarm first noted ALPHV activity in our 2021 Year in Review report. We predicted ALPHV (BlackCat) ransomware would become more prevalent due to its sophistication.

ALPHV was included in our 2023 Malware to Watch, where we predicted that the group would continue to expand its operations in 2023 due to its versatility and profitable affiliate model. This prediction proved accurate.

ALPHV was featured in our 2023 Recap - Malware Hall of Fame due to its growing popularity and tendency to be used to compromise high-value targets, including MGM Grand, in 2023.

We again named ALPHV as a force to be reckoned with in our 2023 Recap - Cyber Threats to the Energy Vertical, due to the group’s attacks on multiple energy vertical entities, including Mammoth Energy, Creos Luxembourg, and Encino Energy in 2023.

In PolySwarm's 2024 Malware to Watch, we noted that while law enforcement apparently seized ALPHV’s darknet site in December 2023, the group reportedly regained control of it shortly thereafter. At that time, ALPHV removed all rules from its affiliate program, no longer forbidding affiliates from targeting critical infrastructure entities. Based on those developments, our analysts predicted an increase in the number of critical infrastructure entities targeted by ALPHV ransomware.


A selection of our most recent ALPHV samples is provided below.
You can use the following CLI command to search for all ALPHV samples in our portal:

$ polyswarm link list -f ALPHV



Topics: Threat Bulletin, Critical Infrastructure, Ransomware, BlackCat, ALPHV, Energy, ONG, Oil & Gas
