RANSOMWARE OPERATION | 💰 FINANCIAL

black nevas

Campaigns: 1
Aliases: 1

Intelligence Profile

BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct derivative of the Trigona ransomware family and continues the lineage's focus on extortion over public shaming. BlackNevas operators support a double-extortion model, encrypting files using AES-256 with RSA-4112-protected keys, and appending the .-encrypted or .ENCRYPTED file extension to affected files. Hybrid payloads are available for Windows, Linux, NAS, and VMware ESXi platforms.

While BlackNevas does not host its own data leak site, it reportedly collaborates with other ransomware groups for data publication — known partners include Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator. The group has predominantly targeted large enterprises in sectors such as finance, telecommunications, manufacturing, healthcare, and legal. Initial access is commonly achieved via phishing or exploitation of vulnerabilities, with lateral movement facilitated through SMB enumeration and optional LAN-wide propagation.

Threat Analysis

black nevas is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like black nevas prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Known Campaigns

Black Nevas — Active Campaign March 2026

Black Nevas is conducting an active ransomware campaign targeting organizations across 0 countries. 7 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 27 Mar 2026).

ACTIVE | MEDIUM | 2026

Quick Facts

Type: Ransomware Operation
Motivation: 💰 financial
Aliases: 1

Also Known As

black nevas

DLS Infrastructure

● ONLINE: ctyfftrjgtwdjzlgqh4avbd35sqrs6tde4oyam2ufbjch6oqpqtkdtid.onion

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.