Mayura Kathir
2025-09-15 05:12:00
gbhackers.com
Countries with most cyberattacks stopped highlighting global cyber defense efforts, including key regions in Asia-Pacific and North America.
BlackNevas has released a comprehensive attack strategy spanning three major regions, with the Asia-Pacific area bearing the heaviest burden of attacks at 50% of total operations.
The group’s primary targets in this region include major economies such as Japan, Thailand, and South Korea, leveraging the region’s dense industrial and technological infrastructure.
European operations focus strategically on Western Europe and Baltic Sea nations, including high-value targets in the United Kingdom, Italy, and Lithuania.
These countries represent critical economic hubs with substantial digital infrastructure, making them attractive targets for ransomware operations.
In North America, the group has concentrated efforts on Connecticut in the United States, suggesting a selective approach to target identification.
The threat actors operate through a dual-extortion model, combining file encryption with sensitive data theft.
Unlike traditional Ransomware-as-a-Service (RaaS) operations, BlackNevas maintains direct control over its infrastructure, threatening victims through its own data leak site (DLS) and affiliated partner networks.
This approach amplifies pressure on victims by threatening public data exposure alongside system disruption.
Technical Analysis of Encryption Methods
BlackNevas employs a hybrid encryption system combining AES symmetric encryption with RSA public key cryptography, creating a virtually unbreakable encryption scheme.
The ransomware adds the distinctive “.-encrypted” extension to compromised files, serving as a clear indicator of successful infection.
The malware supports multiple command-line arguments that modify its behavior significantly. The /allow_system parameter enables encryption of critical system paths, while /fast mode encrypts only 1% of each file for rapid deployment.
The /full argument triggers complete file encryption, and /path allows specification of targeted directories.
Additional parameters include /debug for execution logging, /stealth for covert operations, and /shdwn for system shutdown post-encryption.

When no specific encryption mode is specified, BlackNevas defaults to encrypting the first 10% of each file, balancing speed with effectiveness.
This approach ensures critical file headers are corrupted while maintaining operational efficiency during large-scale deployments.
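The switches listed above are a practical detection hook. The following Python is an added example, not code from the article or from any vendor product: it scores constructed Sysmon-style process-creation events (the JSON shape, host names and image paths are assumptions) for BlackNevas-style switch combinations and reports the encryption mode and target directories they imply.

```python
import json
import shlex
from typing import Optional

# Switches the article attributes to BlackNevas. /fast and /full pick the encryption
# mode (default when neither is present: first 10% of each file), /path names the
# target directories, /shdwn shuts the host down after encryption.
SWITCHES = {"/allow_system", "/fast", "/full", "/path", "/debug", "/stealth", "/shdwn"}
HIGH_CONFIDENCE = {"/allow_system", "/stealth", "/shdwn"}   # rarely seen on legitimate tools
MODES = {"/fast": "1% of each file", "/full": "entire file"}

# Constructed process-creation events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    '{"host": "ws-14", "image": "C:\\\\Users\\\\Public\\\\svc.exe", '
    '"cmd": "svc.exe /stealth /fast /path D:\\\\Shares /shdwn"}',
    '{"host": "ws-07", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "cmd": "cmd.exe /c dir /s"}',
    '{"host": "srv-02", "image": "C:\\\\Temp\\\\upd.exe", "cmd": "upd.exe /allow_system /debug"}',
]


def analyse_event(raw: str) -> Optional[dict]:
    """Return an alert if the command line carries BlackNevas-style switches, else None."""
    ev = json.loads(raw)
    tokens = shlex.split(ev["cmd"], posix=False)   # keeps Windows backslashes intact
    hits = [t for t in tokens if t.lower() in SWITCHES]
    strong = [t for t in hits if t.lower() in HIGH_CONFIDENCE]
    # A single generic switch such as /debug or /full is not enough on its own.
    if not strong and len(hits) < 2:
        return None
    mode = next((MODES[t.lower()] for t in hits if t.lower() in MODES),
                "first 10% of each file (default)")
    targets = [tokens[i + 1] for i, t in enumerate(tokens)
               if t.lower() == "/path" and i + 1 < len(tokens)]
    return {
        "host": ev["host"],
        "image": ev["image"],
        "switches": hits,
        "mode": mode,
        "targets": targets,
        "severity": "high" if strong else "medium",
    }


def scan(events: list) -> list:
    """Run every event through analyse_event and keep only the alerts."""
    return [a for a in (analyse_event(e) for e in events) if a is not None]
```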
The ransomware demonstrates sophisticated path analysis, avoiding system-critical directories containing “system32” or “windows” strings while targeting all other accessible locations.
This runtime evaluation approach differs from traditional ransomware that relies on predefined exclusion lists, making BlackNevas more adaptable to diverse system configurations.
Specific file types remain protected to maintain system stability, including system files (.sys, .dll, .exe), logs, and virtual machine components (.vmem, .vswp, .vmxf).
The ransomware also preserves its own ransom note “how_to_decrypt.txt” and the critical “NTUSER.DAT” file to prevent complete system failure.
BlackNevas implements a unique file naming convention during encryption, creating two distinct categories: standard encrypted files receive “random name.random name.-encrypted” formatting, while demonstration files get “trial-recovery.random name.random name.-encrypted” naming.
The trial-recovery designation applies to common document formats including .doc, .docx, .hwp, .jpg, .pdf, .png, .rtf, and .txt files, likely serving as proof-of-concept demonstrations for victims.
Encryption Process and Data Structure
The ransomware determines whether a file has already been processed by checking an 8-byte value at the end of the file rather than relying solely on the file extension.
This value carries an “E” marker for files that received the standard extension change and an “R” marker for trial-recovery files, and the same 8-byte value records the size of the data appended to the original file.
During encryption, BlackNevas generates unique AES symmetric keys for each file, then encrypts these keys using RSA public key cryptography before embedding them within the encrypted files.

This methodology ensures that no decryption keys remain accessible in the local environment, making unauthorized recovery impossible without the attackers’ private RSA key.
The encryption process leaves a specific data structure at each file’s conclusion, containing encrypted AES keys and metadata necessary for legitimate decryption.
This design makes the encryption functionally irreversible without cooperation from the threat actors, as breaking RSA encryption remains computationally infeasible with current technology.
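A trailer check like the one described is also useful to responders who need to tell encrypted files from merely renamed ones. The following Python is an added example, not the malware's format or code from the article: the article does not give the byte layout of the 8-byte value, so the footer structure used here (marker byte, three reserved bytes, little-endian size) is an assumption, and the sample files are constructed.

```python
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Optional

# Assumed 8-byte footer layout: the article only says an 8-byte value at the end of the
# file carries an "E"/"R" marker and the size of the appended data, so the byte order
# below (marker, 3 reserved bytes, uint32 little-endian size) is an assumption.
FOOTER = struct.Struct("<c3sI")
MARKERS = {b"E": "encrypted", b"R": "trial-recovery"}
ENCRYPTED_EXT = ".-encrypted"


@dataclass
class TrailerInfo:
    status: str            # "clean", "encrypted", "trial-recovery" or "suspicious"
    appended_size: int     # bytes appended after the original content (0 if none)
    extension_match: bool  # whether the name also carries ".-encrypted"


def inspect_file(path: str) -> TrailerInfo:
    """Classify a file by its trailer rather than by its name alone."""
    ext_match = path.endswith(ENCRYPTED_EXT)
    size = os.path.getsize(path)
    if size < FOOTER.size:
        return TrailerInfo("clean", 0, ext_match)
    with open(path, "rb") as fh:
        fh.seek(size - FOOTER.size)
        marker, _reserved, appended = FOOTER.unpack(fh.read(FOOTER.size))
    status = MARKERS.get(marker)
    if status is None:
        # No marker: a bare ".-encrypted" rename is still worth a look, otherwise clean.
        return TrailerInfo("suspicious" if ext_match else "clean", 0, ext_match)
    if appended == 0 or appended + FOOTER.size > size:
        # Marker byte matched by chance, or size field inconsistent with the file length.
        return TrailerInfo("suspicious", appended, ext_match)
    return TrailerInfo(status, appended, ext_match)


def make_sample(original: bytes, marker: Optional[bytes] = None, blob: bytes = b"",
                suffix: str = ENCRYPTED_EXT) -> str:
    """Write a constructed sample (with the assumed trailer when marker is set); return its path."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
        if marker is not None:
            fh.write(blob + FOOTER.pack(marker, b"\0\0\0", len(blob)))
    return path
```

Because a plain file can end in an "E" or "R" byte by chance, the size-consistency check matters; any real triage tool should confirm the layout against a sample before trusting the marker alone.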
Following successful encryption, BlackNevas deploys ransom notes titled “how_to_decrypt.txt” throughout infected systems, placing copies in every accessible directory except excluded folders.
The threat actors present themselves as “professionals in file encryption and industrial espionage activities,” emphasizing their technical capabilities and criminal expertise.
The ransom note establishes a seven-day deadline for initial contact, threatening to leak stolen data through multiple channels including partner networks, public blogs, and underground auction platforms.
This multi-pronged threat strategy increases pressure on victims while providing multiple monetization options for stolen information.
Communication occurs through email and Telegram channels specified within the ransom notes, allowing victims to initiate decryption negotiations.

The absence of network communication post-encryption demonstrates the malware’s sophisticated design, minimizing detection opportunities while maximizing operational security.
Defensive Implications
The BlackNevas ransomware represents a significant evolution in ransomware sophistication, combining advanced encryption techniques with global targeting strategies and data theft operations.
The group’s focus on the Asia-Pacific region, encompassing 50% of their operations, signals a strategic emphasis on high-value economic targets with substantial digital infrastructure.
Organizations face a dual threat scenario where traditional backup strategies may prove insufficient against the combined encryption and data theft approach.
The impossibility of unauthorized decryption, stemming from the hybrid AES-RSA encryption implementation, emphasizes the critical importance of preventive security measures over reactive recovery strategies.
The ransomware’s adaptive path analysis and runtime exclusion determination make it particularly challenging to defend against using traditional signature-based detection methods.
Organizations must implement comprehensive endpoint detection and response solutions capable of identifying behavioral indicators rather than relying solely on known file signatures or hash-based detection methods.