BlackCat Ransomware Recovery (Aka ALPHV)

Did BlackCat ransomware infect your network? If so, it may be an emergency, but don’t panic. We are here to provide you with all the resources you need about BlackCat decryption, recovery, removal and statistics. Go through our detailed ransomware recovery process or get a FREE quote now.

Don’t wait before it causes more damage to your network.

BlackCat Ransomware

How do I know if BlackCat Ransomware has infected my system?

BlackCat Ransomware are Trojans that encrypt your entire network or specific machines of value. Upon notice of an attack, you are then given instructions of paying a specific amount in ransom to decrypt your files. BlackCat has been called “2021’s most sophisticated ransomware”.

First identified circa Dezmeber, 2021, the gang behind this virus is allegedly the ALPHV group, which deploys Ransomware-as-service model to distribute exploit kits, attack unprotected RDP servers, and install backdoor payloads. According to current intelligence, this is a rebranding of the ransomware group BlackMatter, which has ceased operations due to intense pressure from law enforcement.

  • Here is how BlackCat ransomware infects your computer or network:
  • A popup message stating about the encryption of your data and paying a ransom.
  • BlackCat changes the file extensions to a random 6 or 7-digit combination of numbers and letters that is different for each victim.
  • You receive a RECOVER-xxxxxx-FILES.txt file with the message on how to pay the ransom and recover your files
  • Your CPU utilization peaks at 100%
  • Your hard drives continue processing data in the background, making your system extremely sluggish.
  • You are barely able to open any application including your antivirus software, which gets deactivated.

What should I do when my data has been encrypted by BlackCat Ransomware?

  1. Disconnect your systems right away and isolate any associated backup hard drives from the network to prevent the spread of the ransomware encryption. For more information, download out Ransomware Response Emergency Guide.
  2. Do not attempt to contact ransomware attackers to recover your files for now, it will only complicate the situation.
  3. Call in experts immediately to assess the damage and review possible recovery options and avoid costly consequential failures.

Keep calm! Contact us, we can help you!

Ransomware Recovery Ransomware Decryption


Compared to other ransomware variants, the ransom amounts demanded by BlackCat attackers can vary largely. The cyber criminals use a dark web browser known as TOR to automate their operations and manage affiliates.

But that doesn’t mean that these hackers do not have the gumption to demand a hefty extortion amount based on organizational size. The average BlackCat ransom amount is somewhere between $15,500–$120,000, with some victims reporting demands well into the millions of dollars. But it isn’t limited to the ransom demand.

Victims are faced with unexpected costs in buying and transferring bitcoins, mostly the 10% exchange fees applying to the quick buy methods of Paypal and/or Credit Cards. Along with potential threats to have their personal and business information leaked or sold on the internet if demands are not met.

The BlackCat ransomware downtime is a relatively shorter than normal ransomware attacks, since most attackers use automated TOR sites for accepting payments and expediting the process.

Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.

You need to get your systems back up and hit the ground running as soon as possible. We’ll ensure minimum downtime once you let experts like BeforeCrypt to manage your situation and recover data.

There is a high chance to get a working BlackCat decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee to get a working decryption key at all.

Most of the victims have reported getting a decryption key successfully on getting their data in original form.

Security vulnerabilities, unsecured Remote Desktop Protocols and spear phishing emails. These are the primary reasons of how BlackCat infects and encrypts your system.

NameBlackCat Virus / BlackCat Ransomware
Danger levelVery High. Advanced Ransomware which makes system changes, steals data and encrypts files
Release dateDecember 2021
OS affected- Windows 7 and higher (7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022)
- Windows XP and 2003
- Vmware ESXI
- Debian and Ubunto Linux
- ReadyNAS, Synology, QNAP
Antivirus detection namesAvast (Win32:Malware-gen), Kaspersky (UDS:Trojan.Win32.Agentb.a), Malwarebytes (Malware.AI.2115381737), Microsoft (Trojan:Win32/Woreflint.A!cl)
Appended file extensionsA 6 or 7-digit file extension is randomly generated and differs for each victim.
Cybercriminal ContactThe attackers communicate exclusively via a TOR portal on the Darknet.
Public Victim Bloghttp://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion (Accessible by TOR Browser only)

BlackCat Ransomware Note: Text file

>> Introduction

Important files on your system was ENCRYPTED and now they have have “xxxxxxx” extension.
In order to recover your files you need to follow instructions below.

>> Sensitive Data

Sensitive data on your system was downloaded and it will be PUBLISHED if you refuse to cooperate.


Data includes:
– Employees personal data, CVs, DL, SSN.
– Complete network map including credentials for local and remote services.
– Financial information including clients data, bills, budges, annual reports, bank statements.
– Complete datagrams/schemas/drawing for manufacturing in solidworks format
– And more…






>> Recovery procedure


Follow these simple steps to get in touch and recover your data:
1) Download and install Tor Browser from: hxxps://
2) Navigate to: (REMOVED TOR URL)


Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “RECOVER-(unique-number)-FILES.txt” and contains all the necessary information to contact the BlackCat Ransomware attackers to get your data back. The 6 or 7-digit file extension is randomly generated and differs for each victim. It’s usually safe to open this file, just be sure the full file extension is *.txt.

BlackCat Victim Data Publication Blog: TOR website



This is an excerpt from the publicly available blogs of the Ransomware Family. This contains extensive stolen corporate data.



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is an average BlackCat ransomware attack. Copyright by 7R0(K-7R



By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

This is a technical demo of the BlackCat Decryptor. Copyright by BeforeCrypt


The only way to know precisely how much ransomware response will cost is to contact us for a free consultation.

Ransomware response cost varies according to the type of attack, how much data is affected, the number of computers infected, and your local environment (computer performance, servers, operating systems). The response includes removal of the ransomware, negotiations with attackers and transferring payment if necessary, restoring data, patching the vulnerability that led to the attack, and preparing all documentation for legal compliance and insurance claims. The course of action our clients choose also affects the overall cost. 

The minimum cost for small companies generally starts around several thousand euros, including the cost of the ransom. However, if at all possible, we strongly recommend avoiding paying the attackers. Paying the attackers encourages them to harm more people. However, if it is not economically feasible, we handle fully legally compliant payments to attackers. The overall expense depends a lot on the ransom amount demanded, and how successful negotiations are. We maintain a database on ransomware gangs to negotiate more effectively. In some cases, negotiations can result in a significant reduction in the ransom payment.

We have a greater than 98% success rate.

In the case of most of our clients who have cyber insurance, their coverage pays the cost of our services, as well as the ransom, if necessary. 



  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. We guide you through the whole process of creating a crypto currency wallet and buying the crypto currency with you. Therefore we have different cooperation partner in order to prepare your wallet and do the transaction as quick and easy as possible for you. 

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures. 

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware recovery service can help to identify and patch security gaps. 

BeforeCrypt is founded, established, licensed and registered in Germany as an GmbH business with worldwide operations. We have a full-time team of staff, contractors and cybersecurity consultants ready to work with you round the clock.

Although based in Germany, our support is available 24/7 and in 20 languages. You can use our contact form here to submit a ransomware ticket.

We are always happy to assist our clients and get them back up and running in minimal time as possible.

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

Need fast help with BlackCat ransomware recovery? Contact us now and get instant help from ransomware experts

Ransomware Recovery Data