BlackNevas Ransomware Encrypts Files and Steals Sensitive Data From Affected Companies

The BlackNevas ransomware group has emerged as a significant threat since November 2024, continuously launching devastating attacks against businesses and critical infrastructure organizations across Asia, North America, and Europe.

This sophisticated malware operation combines file encryption with data theft tactics, threatening to leak stolen information if ransom demands are not met within seven days.

The ransomware demonstrates a particularly aggressive targeting strategy, with approximately 50% of its attacks focused on the Asia-Pacific region.

Countries including Japan, Thailand, and South Korea have experienced substantial impacts, while European targets span Western Europe and the Baltic Sea region, including the United Kingdom, Italy, and Lithuania. In North America, the group has specifically targeted organizations in Connecticut.

Threat actor’s Telegram address within the ransom note (Source – ASEC)

ASEC researchers identified that BlackNevas operates independently without following the traditional Ransomware-as-a-Service model.

The threat actors maintain their own data leak site and claim partnerships with affiliated groups to pressure victims into compliance.

The malware appends the distinctive “.-encrypted” extension to compromised files, making the encryption immediately apparent to victims.

Unlike many ransomware variants, BlackNevas does not incorporate anti-debugging or sandbox evasion techniques; instead, it supports multiple command-line arguments that modify its behavior.

The malware includes parameters such as “/fast” for encrypting only one percent of file content, “/full” for complete file encryption, and “/stealth” for changing extensions and creating ransom notes during the encryption process.

Advanced Encryption Implementation and File Targeting Strategy

The ransomware uses a hybrid encryption scheme that combines AES symmetric keys with RSA public-key cryptography.

During encryption, BlackNevas generates a unique AES key for each file, encrypts the file content with it, then encrypts the AES key with an embedded RSA public key and appends the result to the end of the encrypted file.

The malware demonstrates selective targeting by excluding critical system files to maintain system stability.

Test environment after encryption is complete and the desktop is changed (Source – ASEC)

Protected extensions include sys, dll, exe, log, bmp, vmem, vswp, vmxf, vmsd, scoreboard, nvram, and vmss files, along with specific files like “NTUSER.DAT” and its own ransom note “how_to_decrypt.txt”.

Interestingly, BlackNevas creates two distinct filename patterns during encryption: standard files receive randomized names with the “-encrypted” extension, while specific document types including doc, docx, hwp, jpg, pdf, png, rtf, and txt files are prefixed with “trial-recovery” as a demonstration of decryption capabilities.
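As an added triage example (not ASEC's code, nor anything from the malware itself), the script below checks a directory for the naming artifacts described in this article and estimates, per file, how much of the content looks encrypted, which separates a "/full" run from a "/fast" run that touches only about one percent of each file. The chunk size, the 7.5-bit entropy threshold and the placement of the "/fast" one percent at the start of the file are assumptions, and the sample files it builds are constructed.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = "-encrypted"     # file extension reported by ASEC
TRIAL_PREFIX = "trial-recovery"     # prefix on the doc/pdf/jpg/... demonstration files
RANSOM_NOTE = "how_to_decrypt.txt"  # note name, itself excluded from encryption
CHUNK = 1024                        # assumption: analysis window size in bytes
HIGH_ENTROPY = 7.5                  # assumption: bits/byte at which a window looks like ciphertext

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for AES output, around 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_fraction(data):
    """Share of CHUNK-sized windows that look encrypted: /full mode drives this towards
    1.0, /fast mode (about 1% of content) leaves most windows at plaintext entropy."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return sum(shannon_entropy(c) >= HIGH_ENTROPY for c in chunks) / len(chunks) if chunks else 0.0

def name_indicator(name):
    """Classify a file name against the naming artifacts described in the article."""
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.startswith(TRIAL_PREFIX):
        return "trial_recovery"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_suffix"
    return None

def triage(root):
    """Map every regular file under root to its name indicator and encrypted fraction."""
    return {p.name: {"name": name_indicator(p.name),
                     "enc_fraction": round(encrypted_fraction(p.read_bytes()), 2)}
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def build_sample_tree():
    """Constructed sample data (not a real capture): 100 KiB of prose, a fully encrypted copy,
    a copy with 1% overwritten (assumed to sit at the start), a demo file and a ransom note."""
    root = Path(tempfile.mkdtemp())
    text = (b"quarterly figures, all normal prose here. " * 2500)[:100 * CHUNK]
    (root / "report.docx").write_bytes(text)
    (root / "trial-recovery-report.docx").write_bytes(text)
    (root / "0f3a9c-encrypted").write_bytes(os.urandom(len(text)))   # stands in for /full mode
    partial = bytearray(text); partial[:CHUNK] = os.urandom(CHUNK)    # stands in for /fast mode
    (root / "77d1be-encrypted").write_bytes(partial)
    (root / RANSOM_NOTE).write_bytes(b"Your files are encrypted. Contact us on Telegram.\n")
    return root
```

Run `triage(build_sample_tree())` to see the constructed tree scored; on a real share, point `triage` at the mounted path and sort by `enc_fraction` to find the files a "/fast" run left mostly intact.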

Ransom note (Source – ASEC)

To verify encryption status, the malware checks an 8-byte value at the end of each file, which indicates whether the file has already been encrypted and how it was classified.

Because the RSA private key remains exclusively with the attackers, the per-file AES keys cannot be recovered locally, so files cannot be decrypted without paying the ransom or possessing advanced cryptographic capabilities.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.