
Black Shrantac exposes industrial environments to stealth ransomware risk through LOTL, double extortion tactics


New analysis from Marlink marks the emergence of Black Shrantac as a rapidly evolving ransomware group that has been active since September 2025 and is increasingly leveraging legitimate administrative tools to infiltrate and operate within enterprise environments. Using double extortion techniques, the ransomware group has been observed exploiting critical vulnerabilities, such as CVE-2024-3400, to gain initial access, often targeting network perimeters before blending into normal system activity to evade detection and maintain persistence. 

Marlink’s research highlights a broader tactical shift in ransomware operations, with Black Shrantac relying on trusted tools and existing infrastructure rather than custom malware to accelerate attacks and reduce visibility for defenders. The approach enables faster execution, limits traditional detection opportunities, and reflects a growing trend among threat actors to weaponise legitimate technologies, increasing the operational impact on targeted organisations across global sectors.

“Since its first confirmed appearance in September 2025, Black Shrantac has established itself as a credible and persistent ransomware threat targeting organisations across multiple industries and geographies,” Marlink wrote in a blog article published this week. “Unlike some ransomware groups that focus on a specific sector or region, Black Shrantac operates opportunistically – hitting wherever the conditions are right – and has claimed victims in manufacturing, financial services, technology, hospitality, the public sector and business services across different geographies.”

It also noted that Black Shrantac combines ‘well-established’ attack techniques with a deliberate preference for legitimate commercial tools, making detection harder and attribution more complex. 

“Black Shrantac’s core business model is double extortion. The attack unfolds in two stages: first, the group exfiltrates large volumes of sensitive data from the victim’s environment; then it deploys ransomware to encrypt files and disrupt operations,” Marlink pointed out. “The victim is subsequently presented with two simultaneous threats – pay to recover access to encrypted systems, and pay to prevent the stolen data from being published publicly.”

To maximise pressure, the group operates a dedicated leak site on the Tor network where it publishes victim names, breach dates and sample data as proof of compromise. Partial data releases are used as a coercion mechanism against organisations that are slow to respond, a tactic that has become standard across the more professional ransomware operators.

Critically, the post identified that paying the ransom does not guarantee that stolen data will not be leaked. Organisations that pay may recover their systems, but still face the reputational and regulatory consequences of a public data exposure. This reality underscores why prevention and early detection are far more valuable than any post-compromise negotiation. 

It also mentioned that communication with victims is conducted exclusively via Tox, a peer-to-peer encrypted messaging protocol that avoids more traceable channels and complicates law enforcement efforts to monitor or disrupt negotiations.

Black Shrantac gains initial access by exploiting CVE-2024-3400, a maximum-severity (CVSS 10.0) command injection flaw in Palo Alto Networks PAN-OS GlobalProtect devices. This vulnerability lets an unauthenticated attacker run arbitrary OS commands as root. Targeted devices ran PAN-OS 11.0.0, an end-of-life version with no patches applied.

After compromising the perimeter device, the group plants a trojanized GlobalProtect MSI installer directly in the firewall’s update portal. Administrators downloading what appears to be a routine software update unknowingly execute a malicious package that installs the attacker’s remote access tools. The technique is notable because it weaponizes the victim’s own trusted infrastructure as the delivery mechanism.

Marlink observed that after gaining access, Black Shrantac adversaries establish multiple redundant persistence mechanisms. It deploys SimpleHelp, a legitimate commercial remote access tool, as a persistent Windows service to maintain a command-and-control channel that blends in with normal admin traffic. On some hosts, Net Monitor for Employees Agent is also repurposed to sustain covert communication with attacker-controlled infrastructure.

The group additionally creates new Active Directory domain accounts to secure credential footholds that survive the removal of other persistence mechanisms, though this also gives defenders a clear opportunity to set alerts on unauthorized account creation.

For credential access, the group uses the native Windows utility klist[dot]exe to enumerate active Kerberos sessions and harvest tickets for pass-the-ticket attacks. This living-off-the-land approach avoids third-party credential dumping tools that are more likely to trigger endpoint detection.

Once inside, Black Shrantac performs systematic reconnaissance using SoftPerfect Network Scanner, a portable, installation-free utility that leaves minimal forensic traces and runs under legitimate domain credentials to map hosts, services, and network topology.

Lateral movement combines several techniques. RDP is the primary vector across domain controllers, servers, and workstations, using both actor-created and compromised accounts; PsExec handles remote command execution over SMB; MightyViewer provides interactive GUI access to compromised hosts via VNC; and SSHFS-Win with WinFsp lets remote directories be mounted as local drives over SSH, allowing quiet file access without the traffic patterns typical of file transfer tools.

The consistent use of legitimate, commercially available tools throughout the attack is deliberate, with each having a plausible enterprise use case, making it difficult to distinguish attacker activity from normal administrative operations.

“Before deploying ransomware, Black Shrantac systematically dismantles the victim’s defences,” Marlink said. “Microsoft Defender real-time protection is disabled via PowerShell. Where third-party endpoint security products are present, the group executes vendor-supplied uninstallation utilities to fully remove them from compromised hosts – notably doing so under the previously created domain account, demonstrating the direct operational link between account creation and defence evasion.”

The post added that Windows event logs are manipulated to limit forensic visibility, and encryptor binaries are renamed with generic filenames to evade signature-based detection controls that rely on static filename or hash matching.

“The final stage of the attack is the deployment of the ransomware payload itself. Black Shrantac uses multiple encryptor binaries executed simultaneously via both manual launch and scheduled tasks, a redundancy measure designed to maximise encryption coverage if any single execution pathway is blocked,” Marlink explained. “The primary encryptor binary follows a naming convention suggesting it is engineered to execute without requiring administrative privileges, widening the range of hosts it can affect.”

It added that the encryptor uses a combination of asymmetric and symmetric encryption for file contents: an RSA public key is embedded in the encryptor binary, and the symmetric encryption of file data is performed with AES-256. “The ransom note itself is framed in quasi-commercial language, presenting the intrusion as a business transaction and offering proof-of-decryption for a small number of non-critical files as a confidence-building measure – a pattern consistent with established ransomware playbooks.”

Defenders should monitor for various signals across each attack phase. At the perimeter, unexplained MSI files on the GlobalProtect portal or installers executed from desktop paths outside change management windows warrant immediate investigation.

Inside the network, high-fidelity indicators include: PowerShell using Invoke-WebRequest to reach external IPs from servers; SimpleHelp, Net Monitor, or MightyViewer appearing on hosts with no approved use; new domain accounts granted elevated privileges shortly after creation; scheduled tasks created by non-SYSTEM accounts pointing to user-writable directories; and AD password resets with no corresponding service desk record.

Detection teams should aggressively monitor schtasks[dot]exe activity, as scheduled tasks are central to both persistence and ransomware deployment in this group’s playbook. Kerberos ticket request anomalies (Event ID 4769) and interactive logons (Event ID 4624, Logon Type 10) under generic or service-named accounts across multiple hosts in short timeframes should also be prioritized.
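The detection signals listed above (new domain accounts elevated shortly after creation, scheduled tasks created by non-SYSTEM principals that point at user-writable paths, RDP logons under one account fanning out across several hosts in a short window, and Defender real-time protection being switched off through PowerShell) can be expressed as simple correlation rules. The following is an added example, not code from Marlink or from the post; it runs over a constructed, simplified set of Windows event records (hostnames, account names and timestamps are made up). The event IDs are the real Windows ones: 4720 (account created), 4728/4732 (member added to a privileged group), 4698 (scheduled task created), 4624 with Logon Type 10 (RemoteInteractive/RDP) and 4104 (PowerShell script block logging). The flat dictionary layout is an assumption for the sake of the example, not a real log export format.

```python
"""Correlation rules for several of the Black Shrantac detection signals.

Added example with constructed data; the record layout is a simplification,
not a real Windows event export. Event IDs are the genuine Windows IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in time order. Hosts and accounts are invented.
EVENTS = [
    {"ts": "2025-11-03T02:10:00", "host": "DC01", "id": 4720, "subject": "CORP\\jsmith", "target": "CORP\\svc_backup2"},
    {"ts": "2025-11-03T02:12:30", "host": "DC01", "id": 4728, "subject": "CORP\\jsmith", "target": "CORP\\svc_backup2", "group": "Domain Admins"},
    {"ts": "2025-11-03T02:20:00", "host": "FS01", "id": 4698, "subject": "CORP\\svc_backup2", "task": "\\Maintenance", "command": "C:\\Users\\Public\\update.exe"},
    {"ts": "2025-11-03T02:21:00", "host": "FS01", "id": 4698, "subject": "NT AUTHORITY\\SYSTEM", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "command": "C:\\Windows\\System32\\defrag.exe"},
    {"ts": "2025-11-03T02:25:00", "host": "WS17", "id": 4624, "subject": "CORP\\svc_backup2", "logon_type": 10},
    {"ts": "2025-11-03T02:26:00", "host": "WS22", "id": 4624, "subject": "CORP\\svc_backup2", "logon_type": 10},
    {"ts": "2025-11-03T02:27:00", "host": "FS01", "id": 4624, "subject": "CORP\\svc_backup2", "logon_type": 10},
    {"ts": "2025-11-03T02:30:00", "host": "FS01", "id": 4104, "subject": "CORP\\svc_backup2", "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-11-03T09:00:00", "host": "WS05", "id": 4624, "subject": "CORP\\alee", "logon_type": 10},
]

PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Directory prefixes an ordinary user can write to; a task action here is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_fast_privilege_grants(events, window=timedelta(minutes=30)):
    """Accounts created (4720) and added to a privileged group (4728/4732) within `window`."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in PRIV_GROUPS:
            t0 = created.get(e["target"])
            if t0 is not None and timedelta(0) <= _ts(e) - t0 <= window:
                hits.append((e["target"], e["group"]))
    return hits


def find_suspicious_scheduled_tasks(events):
    """4698 task creations by a non-SYSTEM principal whose action lives in a user-writable path."""
    hits = []
    for e in events:
        if e["id"] != 4698 or e["subject"].upper() == "NT AUTHORITY\\SYSTEM":
            continue
        if e["command"].lower().startswith(USER_WRITABLE):
            hits.append((e["host"], e["subject"], e["task"]))
    return hits


def find_rdp_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """Accounts with RemoteInteractive logons (4624, type 10) on >= min_hosts distinct hosts inside `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_account[e["subject"]].append((_ts(e), e["host"]))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            # Sliding window: hosts reached within `window` of this logon.
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def find_defender_tampering(events):
    """PowerShell script blocks (4104) that turn off Defender real-time protection."""
    needle = "disablerealtimemonitoring"
    return [(e["host"], e["subject"]) for e in events
            if e["id"] == 4104 and needle in e.get("script", "").lower()]


def run_all(events):
    """Apply every rule and return the findings keyed by rule name."""
    return {
        "fast_privilege_grants": find_fast_privilege_grants(events),
        "suspicious_scheduled_tasks": find_suspicious_scheduled_tasks(events),
        "rdp_fanout": find_rdp_fanout(events),
        "defender_tampering": find_defender_tampering(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all(EVENTS).items():
        print(f"{rule}: {findings}")
```

Every rule fires on the same invented account in the sample, which mirrors the linkage the post describes between account creation and later defence evasion; in a SIEM the value of these rules comes from chaining them on a common subject within a short time span rather than alerting on any one of them alone. The 4698 rule deliberately ignores SYSTEM-created tasks in the Microsoft task tree, since those are the bulk of benign noise.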

In conclusion, Marlink recognized that Black Shrantac demonstrates that a disciplined, well-organised group armed with commodity tooling and a methodical playbook can cause severe operational and reputational damage to organisations that have left basic security hygiene gaps unaddressed.

“The group’s deliberate preference for legitimate tools, its redundant persistence mechanisms and its systematic approach to disabling defences before deploying ransomware reflect a level of operational maturity that demands an equally mature defensive posture,” according to the post. “Organisations that invest in the fundamentals – patching, identity hygiene, endpoint protection, network segmentation and backup integrity – will be significantly better positioned to detect, contain or prevent an intrusion of this type.”
