Categories: Cyber Security News

BlackNevas – The Double-Edged Cyber Threat Encrypting Data and Looting Corporate Secrets

The BlackNevas ransomware group, which emerged in late 2024, has rapidly established itself as a formidable threat to enterprises and critical infrastructure worldwide.

Unlike many modern ransomware syndicates that operate under the Ransomware-as-a-Service (RaaS) model, BlackNevas functions independently, carrying out targeted campaigns with devastating precision.

Their operations span Asia, Europe, and North America, with a significant concentration in the Asia-Pacific region, where nearly half of their known attacks have been recorded.

Japan, Korea, and Thailand have been primary targets, while in Europe, the group has hit the UK, Italy, and Lithuania. In North America, even localized regions such as Connecticut have not escaped their reach.

A Complex Encryption Engine

BlackNevas employs a hybrid encryption mechanism, combining AES symmetric key encryption with RSA encryption for key protection.

Once a file is encrypted, the extension “.-encrypted” is appended to its name, and the AES key used for that file is wrapped with the attackers’ RSA public key, so recovery is not possible without the matching private key, which only the attackers hold.

(Figure: the threat actor’s Telegram address as shown within the ransom note)

Unlike many families, BlackNevas does not carry a predefined exclusion list. Instead, it checks each path at runtime, skipping critical system directories such as “system32” and “windows” and specific files such as “NTUSER.DAT” and its own ransom note, “how_to_decrypt.txt”.

Files with several extensions, including “dll,” “sys,” and virtualization-related formats, are also left unencrypted so that the host remains bootable and stable.

The group’s encryption strategy introduces two distinct naming conventions for encrypted files: either “random.random.-encrypted” or “trial-recovery.random.random.-encrypted.”

The latter is a demonstration applied only to a few file types, such as “doc,” “jpg,” or “pdf,” so that victims can verify that their files can indeed be restored.

Unlike other ransomware families, which recognize already-encrypted files by their extension, BlackNevas checks for an 8-byte marker embedded at the end of each file, which makes the infection cycle less conspicuous.
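The naming convention, the runtime directory exclusions and the end-of-file marker described above are all things an incident responder can inventory from a file share without touching the malware. The following triage script is an added example written for this article, not code from AhnLab or any other source: it walks a directory tree, counts ransom notes and the directories they were dropped in, separates “trial-recovery” demo files from regular encrypted files, and checks whether every renamed file ends with the same 8 bytes, which would be the candidate marker. The regular expression for “random.random.-encrypted” is inferred from the article’s description, and the 8-byte value `FAKE_MARKER` and the sample tree built by `build_sample()` are constructed placeholders, since the real marker bytes are not published here.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Names and conventions reported for BlackNevas in the article.
ENCRYPTED_SUFFIX = ".-encrypted"
RANSOM_NOTE = "how_to_decrypt.txt"
MARKER_LEN = 8  # the article reports an 8-byte end-of-file marker

# "random.random.-encrypted" or "trial-recovery.random.random.-encrypted"
# (pattern inferred from the article's description, an assumption)
NAME_RE = re.compile(r"^(?P<trial>trial-recovery\.)?[^.]+\.[^.]+\.-encrypted$")

# Constructed placeholder marker used only for the sample tree below;
# it is NOT the real BlackNevas marker.
FAKE_MARKER = b"BNVMARKR"


def classify_name(name: str):
    """Return 'trial', 'encrypted', or None for a file name."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return "trial" if m.group("trial") else "encrypted"


def tail_bytes(path: Path, n: int = MARKER_LEN) -> bytes:
    """Read the last n bytes of a file (the whole file if it is shorter)."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - n))
        return fh.read(n)


def triage(root) -> dict:
    """Walk a tree and summarise BlackNevas-style artefacts found in it."""
    root = Path(root)
    notes, encrypted, trial = [], [], []
    tails = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
                continue
            kind = classify_name(name)
            if kind is None:
                continue  # untouched file, e.g. NTUSER.DAT or a .dll
            (trial if kind == "trial" else encrypted).append(path)
            tails[tail_bytes(path)] += 1
    # If every renamed file ends with the same 8 bytes, report that tail as the
    # candidate marker; responders can then count affected files elsewhere by
    # content rather than by name.
    marker = None
    if len(tails) == 1 and sum(tails.values()) > 1:
        marker = next(iter(tails)).hex()
    return {
        "ransom_notes": len(notes),
        "note_dirs": sorted(p.parent.relative_to(root).as_posix() for p in notes),
        "encrypted": len(encrypted),
        "trial_recovery": len(trial),
        "marker_hex": marker,
    }


def build_sample(root) -> None:
    """Create a constructed post-infection tree for exercising triage()."""
    root = Path(root)
    layout = {
        "Users/alice/Documents/8f3a1c.2b9e07.-encrypted": b"\x9a\x12" * 20 + FAKE_MARKER,
        "Users/alice/Documents/how_to_decrypt.txt": b"contact via telegram or email",
        "Users/alice/Pictures/trial-recovery.4d21.9a0c.-encrypted": b"\x55" * 16 + FAKE_MARKER,
        "Users/alice/Pictures/c0ffee.0ddba1.-encrypted": b"\x01\x02" * 8 + FAKE_MARKER,
        "Users/alice/Pictures/how_to_decrypt.txt": b"contact via telegram or email",
        "Users/alice/NTUSER.DAT": b"registry hive, skipped by the malware",
        "Windows/system32/ntdll.dll": b"MZ" + b"\x00" * 30,
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real share, `triage("/mnt/affected-share")` gives a quick scope estimate (how many files, which directories received notes, how many demo files the attackers marked) and a marker candidate that can be verified by hand before it is turned into a detection rule; files that are skipped by name, such as the `.dll` and `NTUSER.DAT` in the sample, are correctly not counted.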

Blackmail and Threat Tactics

The ransom note, always named “how_to_decrypt.txt,” is scattered across all accessible directories. The message adopts a blend of professionalism and intimidation, describing the operators as experts in file encryption and industrial espionage.

(Figure: test environment after encryption has completed and the desktop wallpaper has been changed)

Victims are threatened with the public auction of their data or distribution via a dedicated data leak site (DLS) if demands are ignored. Communication is limited to email and Telegram, with ransom amounts undisclosed until contact is established.

Unlike other groups, BlackNevas performs no further network communication once encryption is under way, which leaves little for network-based monitoring to observe during execution.

Rising Threat to Corporations

BlackNevas’ focus on stealing intellectual property, combined with encryption and extortion, makes it a double-edged danger. The ransomware’s expansion beyond Asia into Europe and its localized attacks in North America demonstrate its global ambitions.

With no public decryption options available due to the strong AES-RSA scheme, organizations are left reliant on preventive defenses.

Cybersecurity firms, including AhnLab, have updated detection engines to identify BlackNevas variants, underscoring the urgency for businesses to bolster monitoring and incident response capabilities before falling prey to this evolving threat.

The post BlackNevas – The Double-Edged Cyber Threat Encrypting Data and Looting Corporate Secrets appeared first on Cyber Security News.