Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

BlackNevas is a ransomware group active since November 2024 that targets organizations across Asia-Pacific, Europe, and North America, using AES to encrypt files and then encrypting the AES key with RSA, rendering files practically undecryptable without breaking RSA. The group uses distinctive filename patterns (including a “trial-recovery” prefix for some file types), supports runtime arguments controlling encryption behavior, and threatens data leaks via its data leak site and partners. #BlackNevas #Ransomware-as-a-Service

Keypoints

  • BlackNevas first appeared in November 2024 and has targeted organizations across Asia-Pacific (50% of victims), Europe, and North America.
  • The group encrypts files with AES and then encrypts the AES key with an RSA public key, making decryption infeasible without breaking RSA.
  • BlackNevas supports command-line arguments (/allow_system, /fast, /full, /path, /debug, /stealth, /shdwn) that control encryption scope, speed, logging, and post-encryption behavior.
  • Files are renamed in one of two formats: “random name.random name.-encrypted” for most files, or “trial-recovery.random name.random name.-encrypted” for a selected set of extensions (e.g., doc, docx, hwp, jpg, pdf, png, rtf, txt) that the actor uses to demonstrate decryption.
  • The ransomware conditionally excludes paths containing strings like “system32” or “windows” and specific files/extensions (e.g., NTUSER.DAT, how_to_decrypt.txt, sys, dll, exe) instead of relying on a static exclusion list.
  • BlackNevas determines whether a file is already encrypted by checking an 8-byte value at the file end indicating type (“E” or “R”) and size of appended data, not by extension.
  • Ransom notes (how_to_decrypt.txt) are dropped in all non-excluded folders and instruct victims to contact the actor via email or Telegram, with threats to leak or auction stolen data within 7 days.
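The naming pattern, the exclusion rules and the end-of-file marker in the keypoints above give a responder enough to triage a file share after an incident. The following Python is an added example written for this summary, not code from ASEC or from the malware: it classifies paths by the reported “.-encrypted” / “trial-recovery.” names and the ransom-note name, reproduces the skip rules (paths containing “system32” or “windows”, NTUSER.DAT, the note itself, and the sys/dll/exe/log/bmp extensions) so untouched files can be explained, and inspects the last eight bytes for the “E”/“R” marker. The exact trailer layout (type byte followed by a 7-byte little-endian size) and all sample paths and contents are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Names and patterns reported for BlackNevas
RANSOM_NOTE = "how_to_decrypt.txt"
# "<random>.<random>.-encrypted" with an optional "trial-recovery." prefix
ENCRYPTED_NAME = re.compile(
    r"^(?P<trial>trial-recovery\.)?[^.\\/]+\.[^.\\/]+\.-encrypted$", re.IGNORECASE
)
EXCLUDED_PATH_TOKENS = ("system32", "windows")
EXCLUDED_FILES = {"ntuser.dat", RANSOM_NOTE}
EXCLUDED_EXTS = {"sys", "dll", "exe", "log", "bmp"}

# Trailer layout is an ASSUMPTION for this example: the report only says an 8-byte
# value at the end of the file records the type ("E" or "R") and the size of the
# appended data. Here byte 0 is the ASCII type and bytes 1..7 a little-endian size.
TRAILER_LEN = 8
TRAILER_TYPES = {b"E", b"R"}


@dataclass
class Finding:
    path: str
    verdict: str                        # encrypted | trial-recovery | ransom-note | excluded | clean
    trailer_type: Optional[str] = None  # "E" or "R" when a marker was found
    appended_len: Optional[int] = None  # size of the appended block the marker claims


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def would_be_excluded(path: str) -> bool:
    """Mirror the skip rules from the report, so analysts can explain untouched files."""
    lower = path.lower().replace("\\", "/")
    name = basename(lower)
    if any(tok in lower for tok in EXCLUDED_PATH_TOKENS) or name in EXCLUDED_FILES:
        return True
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXCLUDED_EXTS


def parse_trailer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (type, appended_size) if the last 8 bytes look like the marker, else None."""
    if len(data) < TRAILER_LEN:
        return None
    tail = data[-TRAILER_LEN:]
    kind, raw_size = tail[:1], tail[1:]
    if kind not in TRAILER_TYPES:
        return None
    size = int.from_bytes(raw_size, "little")
    # A size larger than the file itself cannot be a real marker (e.g. a text file ending in "E").
    if size + TRAILER_LEN > len(data):
        return None
    return kind.decode("ascii"), size


def classify(path: str, data: Optional[bytes] = None) -> Finding:
    name = basename(path)
    if name.lower() == RANSOM_NOTE:
        return Finding(path, "ransom-note")
    m = ENCRYPTED_NAME.match(name)
    if m:
        finding = Finding(path, "trial-recovery" if m.group("trial") else "encrypted")
    elif would_be_excluded(path):
        return Finding(path, "excluded")
    else:
        finding = Finding(path, "clean")
    if data is not None:
        marker = parse_trailer(data)
        if marker:
            finding.trailer_type, finding.appended_len = marker
            if finding.verdict == "clean":
                finding.verdict = "encrypted"  # marker present although the name was not rewritten
    return finding


def make_marked_sample(kind: bytes, body: bytes, appended: bytes) -> bytes:
    """Build a CONSTRUCTED file image in the assumed layout (for demonstration only)."""
    return body + appended + kind + len(appended).to_bytes(TRAILER_LEN - 1, "little")


# Constructed listing: every path and content below is invented for this example
SAMPLE_FILES: Dict[str, Optional[bytes]] = {
    r"C:\Users\alice\Documents\q3kx8.p0vt2.-encrypted": make_marked_sample(b"E", b"\x9c" * 16, b"\x00" * 48),
    r"C:\Users\alice\Pictures\trial-recovery.a1b2.c3d4.-encrypted": None,
    r"C:\Users\alice\Desktop\how_to_decrypt.txt": b"...",
    r"C:\Windows\System32\drivers\etc\hosts": None,
    r"C:\Users\alice\NTUSER.DAT": None,
    r"D:\share\report.docx": b"plain office file content, untouched",
    r"D:\share\notes.txt": make_marked_sample(b"R", b"memo text", b"\x00" * 32),
}


def scan(files: Dict[str, Optional[bytes]]) -> Dict[str, int]:
    """Count verdicts over a listing; any encrypted or ransom-note hit is the alert."""
    counts: Dict[str, int] = {}
    for path, data in files.items():
        v = classify(path, data).verdict
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

Because the marker check does not depend on the extension, the scan also catches files whose content carries the trailer while the name was never rewritten (the `notes.txt` entry), which is the case the keypoint about “not by extension” warns about; the size sanity check keeps ordinary text files that happen to end in “E” or “R” from being flagged.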

MITRE Techniques

  • [T1486] Data Encrypted for Impact – BlackNevas encrypts files using AES and appends the AES key encrypted with an RSA public key to the file, leaving “no clues left behind in the local environment that can be used to decrypt the file”.
  • [T1059] Command and Scripting Interpreter – The ransomware accepts multiple command-line arguments (/allow_system, /fast, /full, /path, /debug, /stealth, /shdwn) to control encryption behavior (“supports multiple arguments … Behavior according to the parameter value”).
  • [T1485] Data Destruction (partial) – The “/shdwn” parameter terminates the system after file encryption, causing disruption (“Terminates system after file encryption”).
  • [T1176] Browser Extensions (related technique for data leak sites) – The group threatens to publish stolen data on their data leak site (DLS) and to share with affiliated partners (“breach of their data will be handed over to their own data leak site (DLS) and affiliated partners”).
  • [T1490] Inhibit System Recovery – BlackNevas excludes critical system paths and specific extensions but otherwise encrypts files broadly, and it uses checks to avoid encrypting inaccessible or protected system paths so that the system stays usable while avoiding total destruction (“does not encrypt paths that are inaccessible … or paths that contain the string ‘system32’ or ‘windows’”).
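The T1059 entry above lists the switches the sample accepts, and those switches are also what a process-creation log will show. The Python below is an added detection example for this summary, not code from ASEC or from the malware: it extracts the seven reported switches from a command line and scores each event. The scoring tiers are my assumption, not something the report states: /allow_system, /stealth and /shdwn are treated as unusual enough to alert on alone, while /fast, /full, /path and /debug also occur in legitimate tools and only alert when two or more appear together. The event records are constructed Sysmon-style fields, and the image names in them are invented.

```python
import re
from typing import Dict, Iterable, List, Set

# Switches the report lists for BlackNevas
BLACKNEVAS_SWITCHES = {"/allow_system", "/fast", "/full", "/path", "/debug", "/stealth", "/shdwn"}
# Scoring ASSUMPTION (not from the report): these three are rare enough to alert on alone;
# the remaining four are common in benign tools and need corroboration.
HIGH_SIGNAL = {"/allow_system", "/stealth", "/shdwn"}


def extract_switches(cmdline: str) -> Set[str]:
    """Return the subset of known switches present in a command line, case-insensitively."""
    found: Set[str] = set()
    for tok in cmdline.split():
        tok = tok.lower()
        if not tok.startswith("/"):
            continue
        # "/path:D:\shares" or "/path=D:\shares" -> "/path" (value syntax is an assumption)
        base = re.split(r"[:=]", tok, maxsplit=1)[0]
        if base in BLACKNEVAS_SWITCHES:
            found.add(base)
    return found


def severity(switches: Set[str]) -> str:
    if switches & HIGH_SIGNAL:
        return "high"
    if len(switches) >= 2:
        return "medium"
    if switches:
        return "low"
    return "none"


def triage(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Score process-creation events; events with no known switch are dropped."""
    findings = []
    for ev in events:
        sw = extract_switches(str(ev.get("CommandLine", "")))
        sev = severity(sw)
        if sev != "none":
            findings.append({
                "pid": ev["ProcessId"],
                "image": ev["Image"],
                "switches": sorted(sw),
                "severity": sev,
            })
    return findings


# Constructed process-creation records (Sysmon-style field names); all values are invented
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\Public\svchost32.exe",
     "CommandLine": r"svchost32.exe /fast /stealth /shdwn"},
    {"ProcessId": 2208, "Image": r"C:\Windows\System32\chkdsk.exe",
     "CommandLine": r"chkdsk.exe /f /r"},
    {"ProcessId": 5300, "Image": r"C:\Tools\build.exe",
     "CommandLine": r"build.exe /full"},
    {"ProcessId": 6611, "Image": r"C:\Temp\update.exe",
     "CommandLine": r"update.exe /path:D:\shares /full /debug"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The single /full hit on the build tool stays at “low” so it can be suppressed or used only as context, while the /path + /full + /debug combination is escalated even though none of those switches is suspicious on its own; the same logic translates directly into a SIEM rule that counts matches per command line.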

Indicators of Compromise

  • [File Name Patterns] Encrypted files and ransom notes – examples: “*.randomname.randomname.-encrypted”, “trial-recovery.randomname.randomname.-encrypted”, and “how_to_decrypt.txt”.
  • [File Extensions] Extensions targeted or handled specially – examples: doc, docx, hwp, jpg, pdf, png, rtf, txt (use “trial-recovery” prefix for demonstration); excluded extensions include sys, dll, exe, log, bmp.
  • [MD5 Hashes] Sample malware/engine artifacts – 2374998cffb71f3714da2075461a884b, 4a1864a95643b0211fa7ad81b676fe2e, 9f877949b8cbbb3adfe07fd4411b9f26, f2547a80dd64dcd5cba164fe4558c2b6.
  • [Communication Channels] Threat actor contact methods – examples: Telegram address shown in ransom note, and email contact specified in ransom note.


Read more: https://asec.ahnlab.com/en/90080/