Introduction
ALPHV/BlackCat is not just another ransomware strain; it is a highly industrialized operation engineered to take away your options at the worst possible moment. By going after identity systems and backups alongside your production workloads, it turns what used to be a recoverable incident into a full-blown business crisis.
For CISOs, SecOps, IT, and risk leaders, the uncomfortable truth is this: if ALPHV/BlackCat is in your environment, it is already thinking about how to defeat your recovery plan. If your Domain Admin credentials are compromised today, can you prove your backups will still be there tomorrow?
The good news is that a data-centric, Zero Trust approach to cyber recovery can flip that script, allowing your teams to detect, contain, and recover without paying ransom.
Inside the ALPHV/BlackCat Playbook
ALPHV/BlackCat runs as a ransomware-as-a-service (RaaS) franchise, written in Rust and tailored for cross-platform impact across Windows, Linux, and VMware ESXi. Affiliates get a generous share of ransom revenue, which attracts experienced operators who understand how to blend advanced tradecraft with business pressure.
Their model is built around triple extortion: exfiltrate sensitive data, encrypt critical systems and backups, and then layer in public leak threats or DDoS to force payment. Along the way, they lean heavily on social engineering, exploitation of exposed services, and identity abuse to move laterally, disable defences, and systematically sabotage recovery mechanisms such as shadow copies and backup servers.
The ALPHV/BlackCat “D-Day”
Imagine the IT Ops team’s morning: the first ticket reports a server down. Then another. By the time they log into the backup console to start a restore, they find the “Delete All” command was executed 30 minutes ago.
The attacker didn't just stumble in; they mapped your environment over weeks, systematically disabling shadow copies and sabotaging recovery mechanisms while hiding behind your own administrative tools. This isn't just a technical failure; it’s the moment you realise the “safety net” was cut before you even started falling.
Why this threat feels different
ALPHV has been associated with some of the most disruptive incidents in recent years, including attacks that crippled healthcare operations and impacted tens of millions of individuals’ data. What makes ALPHV especially dangerous is its focus on the infrastructure that underpins resilience: identity and backups. Affiliates are known to:
- Abuse Active Directory and Entra ID, create new privileged accounts, and manipulate group policies to maintain persistence.
- Delete shadow copies, tamper with recovery settings, and directly target commercial backup solutions.
- Exfiltrate large volumes of regulated and sensitive data (such as PHI and PII) to increase extortion leverage.
The Recovery Runbook: Breaking the ALPHV Kill Chain
Phase 1: Containment & Immutable Survival
For many organisations, downtime becomes a safety and continuity issue. Regulatory bodies now explicitly recommend immutable or logically air-gapped backups because backups that share the same trust plane as production are easy targets once attackers obtain privileged credentials.
How Rubrik helps: Rubrik uses a purpose-built, immutable file system that never exposes backup data over open protocols like NFS or SMB and enforces write-once, read-many semantics. Once data is written, it cannot be modified or deleted, even by an administrator whose credentials have been stolen. By ensuring the "Delete" command simply cannot be executed against your backups, you effectively remove the attacker’s greatest lever from the negotiation. When they realise they cannot destroy your safety net, the primary "teeth" of their triple extortion strategy are pulled, shifting the power back to your recovery team.
Phase 2: Restoring Trust in Identity (AD & Entra ID)
Because ALPHV relies heavily on identity abuse (creating rogue admin accounts, pushing malicious GPOs, and exploiting token theft), Rubrik extends protection into the identity plane.
How Rubrik helps: Identity resilience capabilities continuously monitor Active Directory and Entra ID for suspicious changes, such as new high-privilege users, altered group memberships, or malicious GPO modifications linked to attacker persistence. When malicious changes are detected, teams can roll them back, restoring a known-good identity state and cutting off the attacker’s foothold.
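To make the detection logic concrete, here is an added example (not Rubrik's product code) that correlates Windows Security audit events into the three identity findings described above: a privileged-group addition, the "create an account and immediately make it an admin" pattern, and a GPO edit by an account outside a change-control allow-list. The event IDs are the real Windows IDs; the account names, the `APPROVED_GPO_EDITORS` list, the GPO distinguished name and the timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta

# Built-in Windows groups whose membership changes always warrant review
# (extend with your own tier-0 groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Hypothetical change-control allow-list of accounts permitted to edit GPOs.
APPROVED_GPO_EDITORS = {"CORP\\gpo-svc"}

# Windows Security event IDs used below (these IDs are real):
#   4720 = user account created
#   4728 / 4732 / 4756 = member added to a global / local / universal security group
#   5136 = directory service object modified (GPOs appear as groupPolicyContainer)
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def detect_identity_abuse(events, window=timedelta(minutes=30)):
    """Return a list of findings for a list of audit events.

    Each event is a dict with keys: time (ISO 8601), event_id, actor, and
    event-specific fields (target, group, object_class, object).
    """
    findings = []
    created = {}  # account -> (creation time, creating actor)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        if eid == 4720:
            created[ev["target"]] = (ts, ev["actor"])
        elif eid in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            finding = {
                "type": "privileged_group_add",
                "severity": "high",
                "time": ev["time"],
                "actor": ev["actor"],
                "target": ev["target"],
                "group": ev["group"],
            }
            # The same actor created this account within the window: the
            # "create a rogue admin" pattern described in the text.
            if ev["target"] in created:
                c_ts, c_actor = created[ev["target"]]
                if c_actor == ev["actor"] and ts - c_ts <= window:
                    finding["type"] = "rogue_admin_created"
                    finding["severity"] = "critical"
            findings.append(finding)
        elif eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
            if ev["actor"] not in APPROVED_GPO_EDITORS:
                findings.append({
                    "type": "unapproved_gpo_change",
                    "severity": "high",
                    "time": ev["time"],
                    "actor": ev["actor"],
                    "object": ev["object"],
                })
    return findings


# Constructed sample events (not real telemetry); GPO GUID is a placeholder.
GPO_DN = "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:00", "event_id": 4720, "actor": "CORP\\jsmith", "target": "CORP\\svc-backup2"},
    {"time": "2024-05-01T02:12:00", "event_id": 4728, "actor": "CORP\\jsmith", "target": "CORP\\svc-backup2", "group": "Domain Admins"},
    {"time": "2024-05-01T02:20:00", "event_id": 5136, "actor": "CORP\\jsmith", "object_class": "groupPolicyContainer", "object": GPO_DN},
    {"time": "2024-05-01T09:00:00", "event_id": 4732, "actor": "CORP\\gpo-svc", "target": "CORP\\helpdesk1", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T10:00:00", "event_id": 5136, "actor": "CORP\\gpo-svc", "object_class": "groupPolicyContainer", "object": GPO_DN},
    {"time": "2024-05-01T11:00:00", "event_id": 4728, "actor": "CORP\\admin-dlee", "target": "CORP\\it-ops", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for f in detect_identity_abuse(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["type"], f["actor"], f.get("target") or f.get("object"))
```

Each finding names the object (account, group or GPO) and the time of the change, which is exactly what a rollback needs: the directory object can be compared against the last snapshot taken before that timestamp and restored from it.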
Phase 3: ML-Driven Scoping & Clean Point Validation
ALPHV’s flexible encryption behaviour and use of intermittent encryption demand detection that goes beyond signatures.
How Rubrik helps: Rubrik applies machine learning to backup snapshots as they are ingested, looking for patterns such as sharp increases in data change rates and high-entropy file modifications. This helps teams quickly establish the blast radius in the RSC dashboard: when encryption began, which systems were affected, and which snapshot represents the last known clean state. Because the analysis happens out-of-band, the attacker still lurking in your production environment has no idea you are already scoping the damage and pinpointing the exact moment the encryption began.
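The two signals named above, change rate and entropy, can be illustrated with a small added example (not Rubrik's detection code). It walks a series of constructed snapshots, measures how many files changed and how random their new contents are, and reports the first snapshot that crosses both thresholds as the onset, with the previous one as the last known clean point. Because the page calls out intermittent encryption, it measures entropy per 1 KiB chunk rather than per whole file: a file whose first kilobyte was overwritten with ciphertext still looks mostly like text overall, but its worst chunk gives it away. The file names, thresholds and snapshot contents are constructed for the demonstration.

```python
import math
import random
import statistics
from collections import Counter

CHUNK = 1024  # bytes; chunk-level sampling so partially encrypted files stand out


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(data, chunk=CHUNK):
    """Highest entropy of any fixed-size chunk; catches intermittent encryption."""
    return max((shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)), default=0.0)


def snapshot_stats(prev, cur):
    """Compare two {filename: bytes} snapshots and summarise what changed."""
    changed = [name for name, blob in cur.items() if prev.get(name) != blob]
    ent_chunk = [max_chunk_entropy(cur[n]) for n in changed]
    ent_whole = [shannon_entropy(cur[n]) for n in changed]
    return {
        "changed_files": len(changed),
        "change_rate": len(changed) / len(cur) if cur else 0.0,
        "mean_max_chunk_entropy": statistics.fmean(ent_chunk) if ent_chunk else 0.0,
        "mean_whole_file_entropy": statistics.fmean(ent_whole) if ent_whole else 0.0,
    }


def find_encryption_onset(snapshots, change_threshold=0.5, entropy_threshold=7.0):
    """snapshots: ordered list of (label, {filename: bytes}).

    Returns the first snapshot where a large share of files changed AND the
    changed files look like ciphertext, plus the snapshot before it as the
    last known clean state. Returns None if nothing crosses both thresholds.
    """
    for i in range(1, len(snapshots)):
        stats = snapshot_stats(snapshots[i - 1][1], snapshots[i][1])
        if stats["change_rate"] >= change_threshold and stats["mean_max_chunk_entropy"] >= entropy_threshold:
            return {"onset": snapshots[i][0], "last_clean": snapshots[i - 1][0], **stats}
    return None


# ---- constructed sample data (seeded so the run is reproducible) ----
_rng = random.Random(20240501)


def _text_file(seed):
    body = "".join(f"{seed:04d} quarterly revenue figure {j:05d}\n" for j in range(200))
    return body.encode()[:4096]


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


def build_sample_snapshots():
    names = [f"finance/report_{i}.txt" for i in range(8)]
    day1 = {n: _text_file(i) for i, n in enumerate(names)}
    day2 = dict(day1)
    day2[names[3]] = _text_file(103)            # one legitimate edit: normal churn
    day3 = dict(day2)
    for n in names[:6]:                          # intermittent encryption: only the
        day3[n] = _random_bytes(CHUNK) + day2[n][CHUNK:]  # first 1 KiB is rewritten
    day4 = {n: _random_bytes(4096) for n in names}       # full encryption
    return [("day1", day1), ("day2", day2), ("day3", day3), ("day4", day4)]


if __name__ == "__main__":
    print(find_encryption_onset(build_sample_snapshots()))
```

On this data the onset is day3 and day2 is the restore candidate. The whole-file entropy of the day3 changes stays below the 7.0 threshold while the per-chunk figure is well above it, which is the practical reason to sample within files rather than hashing or scoring them as a unit.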
Phase 4: Eradication & Malware Hunting
Because backup data gives a full historical view of the environment, it is a powerful hunting surface for ALPHV indicators: ransom note patterns, known binaries, and C2 traces.
How Rubrik helps: Rubrik’s threat hunting capabilities allow security teams to scan backups for ALPHV-specific IOCs and then logically quarantine suspicious snapshots. By doing this out-of-band, teams can validate recovery points and avoid re-injecting malware into the restored environment.
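An added example (not Rubrik's threat-hunting code) of the out-of-band hunt described above: each snapshot is scanned for the three indicator classes the text lists (known binary hashes, ransom-note patterns and C2 traces), any snapshot with a hit is marked for logical quarantine, and the newest snapshot taken before the first hit is proposed as the recovery point. Every indicator here is constructed for the demonstration, including the hash, which is computed from an embedded dummy blob; real ALPHV/BlackCat IOCs come from your threat-intelligence feed.

```python
import hashlib
import re

# All indicators below are constructed for this example and match nothing real.
NOTE_NAME_RE = re.compile(r"^CONSTRUCTED-NOTE-.*\.txt$", re.IGNORECASE)
NOTE_BODY_RE = re.compile(rb"your files (have been|are) encrypted", re.IGNORECASE)
C2_INDICATORS = [b"c2.example.invalid", b"203.0.113.77"]  # reserved example name / IP

SAMPLE_MALICIOUS_BINARY = b"MZ\x90\x00constructed-sample-not-real-malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BINARY).hexdigest()}


def scan_file(path, data):
    """Return (indicator_kind, path) tuples for every indicator class that matches."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append(("known_binary", path))
    filename = path.rsplit("/", 1)[-1]
    if NOTE_NAME_RE.match(filename) or NOTE_BODY_RE.search(data):
        hits.append(("ransom_note", path))
    if any(ioc in data for ioc in C2_INDICATORS):
        hits.append(("c2_indicator", path))
    return hits


def hunt(snapshots):
    """Scan ordered (label, {path: bytes}) snapshots.

    Returns per-snapshot verdicts and the newest snapshot taken before the
    first one containing an indicator. Later snapshots are not trusted even
    if a given indicator has disappeared from them, since the attacker may
    simply have moved or renamed it.
    """
    results, last_clean, compromised = [], None, False
    for label, files in snapshots:
        hits = [h for path, data in files.items() for h in scan_file(path, data)]
        if hits:
            compromised = True
        elif not compromised:
            last_clean = label
        results.append({
            "snapshot": label,
            "verdict": "quarantine" if hits else "eligible",
            "hits": hits,
        })
    return results, last_clean


def sample_snapshots():
    """Constructed backup contents for three successive snapshots."""
    snap1 = {
        "docs/q1.txt": b"Q1 figures: revenue up 4% quarter on quarter.",
        "bin/tool.exe": b"MZ\x90\x00benign-inventory-tool",
    }
    snap2 = dict(snap1)
    snap2["bin/updater.exe"] = SAMPLE_MALICIOUS_BINARY          # dropped binary
    snap2["etc/agent.conf"] = b"server = c2.example.invalid\n"  # beacon config
    snap3 = dict(snap2)
    snap3["docs/CONSTRUCTED-NOTE-README.txt"] = b"CONSTRUCTED NOTE: your files have been encrypted."
    return [("snap1", snap1), ("snap2", snap2), ("snap3", snap3)]


if __name__ == "__main__":
    verdicts, clean = hunt(sample_snapshots())
    for v in verdicts:
        print(v["snapshot"], v["verdict"], sorted({k for k, _ in v["hits"]}))
    print("recovery candidate:", clean)
```

Note that snap2 is already quarantined even though no ransom note exists yet: the dropped binary and beacon configuration precede encryption, so hunting for them in older snapshots pushes the recovery point back to before the intrusion rather than merely before the encryption.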
Phase 5: Managing Exfiltration & Risk
ALPHV’s triple extortion depends heavily on the value of stolen data.
How Rubrik helps: Rubrik’s sensitive data discovery continuously analyses backup data for regulated information such as PHI, PII, and financial records. In an incident, this visibility helps teams quickly estimate what may have been exposed and prioritise the most sensitive datasets for recovery.
Conclusion: From Crisis to Control
For executives and risk owners, ALPHV/BlackCat is a litmus test of whether the organisation’s cyber resilience strategy is truly data-centric. Rubrik’s approach helps shift ransomware from an existential event to a severe but manageable incident.
Technical Resource: Defeating ALPHV/BlackCat
ALPHV is attacking the full kill chain. Download the full response guide to operationalise your defence: Defeating ALPHV/BlackCat Ransomware with Rubrik.
Contributed by

Ruby Garg
Senior Technical Product Manager


