ALPHV, marketed under the BlackCat brand, emerged in late 2021 as the first major ransomware family written in Rust — a deliberate engineering choice that frustrated reverse-engineering, enabled cross-platform binaries (Windows, Linux, ESXi), and gave the encryptor an unusually high reliability rating among RaaS offerings.
The operation is widely assessed to be a rebrand of DarkSide / BlackMatter, sharing affiliate pools and infrastructure with both. Like LockBit, ALPHV ran a RaaS model, but its leak site introduced an innovation: it was searchable and SEO-optimized, allowing affiliates and journalists to pivot from a victim to associated business partners and individuals — a victim-shaming acceleration the industry had not previously productized.
Change Healthcare exit scam
In February 2024, ALPHV affiliates compromised Change Healthcare (see incident page) and paralyzed U.S. prescription claims processing for weeks. A ransom payment of approximately $22 million in bitcoin was traced to an ALPHV-controlled wallet on 3 March 2024.
Within days, ALPHV's core operators exit-scammed their own affiliate, taking the ransom payment without paying out the affiliate's share. The affiliate responded by leaking the stolen Change Healthcare data and launching a second extortion attempt under the RansomHub brand. The ALPHV brand effectively dissolved.
Why it matters
ALPHV's Rust implementation, intermittent encryption (encrypting only chunks of files to accelerate the attack), and searchable leak site raised the technical bar for the entire RaaS market. The 2024 exit scam also exposed the fragility of trust within criminal ecosystems — when a core operator burns its own affiliates, the franchise model breaks down. Many ALPHV affiliates moved to RansomHub (which inherited the searchable-leak-site model), Akira, and the rebooted BlackBasta.