Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

Sept. 12, 2025, 8:23 a.m.

Description

The BlackNevas ransomware group, which first appeared in November 2024, has been targeting various industries and critical infrastructure globally, with a focus on the Asia-Pacific region. The ransomware encrypts files using AES and RSA and adds the '.-encrypted' extension to affected files. BlackNevas operates independently, threatening to leak data on its own site and through partners. The ransomware supports multiple command-line arguments, excludes certain system paths and file types from encryption, and uses a unique method to check for previous infection. It also creates ransom notes in all accessible folders, demanding that victims negotiate within seven days to prevent data leaks.

Date

  • Created: Sept. 12, 2025, 7:41 a.m.
  • Published: Sept. 12, 2025, 7:41 a.m.
  • Modified: Sept. 12, 2025, 8:23 a.m.

Indicators

  • ae5cec8b64404037d86f12d1261e669819c84675c74fe09a57cda5099109d8e2

Attack Patterns

  • BlackNevas

Additional Information

  • Technology
  • Healthcare
  • Finance
  • Government
  • Manufacturing
  • Lithuania
  • Italy
  • Thailand
  • Japan
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America