- Patrick Duggan
# BlackField Didn't Just Ransom Nidec. It Published a Price Menu: $2M to Make It Go Away, $5K a Day to Stall, $400K for Anyone to Just Buy Your Data.
A ransomware group calling itself BlackField hit a Taiwanese subsidiary of the Japanese motor-manufacturing giant Nidec in late June 2026, claimed more than two terabytes of corporate data, and demanded two million dollars. That part is routine — grim, but routine. What makes BlackField worth stopping on is not its malware, which is largely unknown, or its sophistication, which is unproven. It is the pricing. On its leak post, BlackField did not just say "pay or we publish." It published a menu: two million dollars for the victim to make the whole thing disappear, five thousand dollars to buy the victim a single extra day on the deadline, and — the one that should chill any board — four hundred thousand dollars for anyone at all to simply download the stolen data now. Ransomware has been drifting toward a retail business for years. BlackField printed the price list.
## What is actually known
We are going to be disciplined about this, because the honest thing to say about BlackField is that we do not know much, and pretending otherwise would be exactly the kind of invented confidence we refuse to trade in. There is, as of this writing, no well-documented profile of BlackField's malware internals, its initial-access tradecraft, its encryption scheme, or its origins. It is a newer name on the leak-site circuit, and the technical fingerprints that let researchers connect a crew to a lineage or a nation are not yet public.
What is documented is the incident and the terms. The confirmed damage was to Nidec Chaun Choung Technology, a Taiwanese subsidiary of Nidec Corporation, with the intrusion surfacing around June 22. BlackField claimed more than two terabytes — employee records, financial data, procurement, manufacturing, legal, and IT files — and posted sample documents and file structures as proof. It gave Nidec more than fifteen days to negotiate. And it attached the pricing that makes the post notable.
## The menu is the story
Read the three prices as a business model, because that is what they are.
Two million dollars is the classic ask: the victim pays, and in theory the data is deleted and the leak never happens. Standard double extortion.
Five thousand dollars to extend the deadline by one day is a smaller, stranger line item, and it tells you something about the psychology BlackField is engineering. It manufactures urgency and then sells relief from it in cheap increments — a victim panicking about a countdown can buy a little time for the price of a laptop, which keeps them engaged, keeps them negotiating, and keeps the meter running. It is the extortion equivalent of a late fee.
But the four-hundred-thousand-dollar line is the one that changes the calculus, because it is not aimed at the victim at all. It is a price for the general public — for competitors, for data brokers, for a rival ransomware crew, for anyone — to buy the stolen corporate data outright, immediately, without waiting for a leak. That transforms the threat. In a pure pay-or-leak model, a victim's data has one buyer's worth of leverage. In BlackField's model, the data is a product on a shelf with a sticker price, and paying the two-million-dollar ransom does not necessarily remove it from the shelf — someone may have already bought it for four hundred thousand. The victim is no longer negotiating to prevent a leak. They are negotiating against a live marketplace for their own records.
This is the direction the whole ecosystem has been heading, and we have written about pieces of it — crews that subcontract their leaks, launderers who move money for fifteen gangs at once, extortion decoupling from encryption entirely. BlackField's menu is that trajectory made explicit. The stolen data is inventory. The victim is one customer among several. The leak site is a storefront.
## The other quiet lesson: Nidec has been here before
There is a second thread worth pulling. This is not Nidec's first ransomware incident — a different breach hit a Vietnam-based Nidec division back in October 2024, exposing tens of thousands of files. Two incidents, two different overseas units, two years apart. That is the same periphery lesson the current wave of Japanese breaches keeps teaching: the flagship is not where the attackers get in, the subsidiaries and the overseas divisions are, and a global manufacturer's real attack surface is every branch plant and acquired unit that holds data under the parent's name. A company can harden headquarters to a fault and still get hit, repeatedly, through the parts of itself that are furthest from the security budget.
## What to actually do
Rewrite the ransom-negotiation assumption. If your incident plan still treats a ransom demand as "pay to prevent the leak," update it for the marketplace model BlackField is advertising: paying may not pull your data off the shelf if a third party can buy it in parallel, which means your plan needs a data-already-gone branch — legal notification, customer disclosure, credential and secret rotation, regulator engagement — that does not depend on the attacker keeping a promise. Assume exfiltrated data is exfiltrated for good.
Map and defend the periphery, because that is where this and the last one came in. Inventory every subsidiary, overseas division, and acquired unit that holds data under your brand, and hold them to the same authentication, monitoring, and backup standard as headquarters. A repeat victim is usually a company that fixed the front door twice while the side doors stayed open.
And watch the leak-site marketplaces, not just for your own name but for your suppliers' and subsidiaries' names, because a "$400,000 buy-it-now" on a partner's data is your exposure too. Newly posted victims and priced data listings belong in your threat-intelligence intake, so that the first time you learn your data is for sale is not when a competitor calls to gloat.
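One way to implement that intake check, as an added example that is not code from the original post: it matches leak-site victim names against a watchlist of your own, subsidiary and supplier names, and escalates any listing that carries a public sale price. The feed fields (`group`, `victim`, `public_sale_usd`), the company names and the legal-form list are constructed assumptions.

```python
import re
import unicodedata

# Legal-form words ignored when comparing names (assumed list; extend as needed).
LEGAL_FORMS = {"inc", "corp", "corporation", "co", "company", "ltd", "limited",
               "llc", "plc", "gmbh", "kk"}

def name_tokens(name):
    """Lowercase, strip accents and punctuation, drop legal-form words."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return tuple(t for t in re.findall(r"[a-z0-9]+", text) if t not in LEGAL_FORMS)

def contains_run(haystack, needle):
    """True if the needle tokens occur as a contiguous run inside haystack."""
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle
                         for i in range(len(haystack) - n + 1))

def triage(listings, watchlist):
    """Return one alert per listing whose victim name contains a watched name.

    watchlist maps entity name -> relationship ("self", "subsidiary", "supplier").
    """
    watched = [(name_tokens(name), name, rel) for name, rel in watchlist.items()]
    alerts = []
    for item in listings:
        victim = name_tokens(item["victim"])
        for tokens, name, rel in watched:
            if contains_run(victim, tokens):
                price = item.get("public_sale_usd")
                alerts.append({
                    "entity": name, "relationship": rel, "group": item["group"],
                    "victim": item["victim"], "public_sale_usd": price,
                    # A public price means paying the ransom may not contain the data.
                    "severity": "critical" if price is not None else "high",
                })
                break
    return alerts

# Constructed sample data: feed fields and all names are hypothetical.
WATCHLIST = {"Example Motors Corp.": "self", "Kestrel Bearings Ltd": "supplier"}
LISTINGS = [
    {"group": "crew-a", "victim": "Example Motors Precision (Taiwan) Co., Ltd.",
     "public_sale_usd": 400000},
    {"group": "crew-b", "victim": "KESTREL BEARINGS", "public_sale_usd": None},
    {"group": "crew-b", "victim": "Unrelated Logistics GmbH", "public_sale_usd": None},
]

if __name__ == "__main__":
    for alert in triage(LISTINGS, WATCHLIST):
        print(alert)
```

Matching on the parent name also catches units that are missing from the inventory, at the cost of false positives on short names, so treat each alert as a lead for an analyst to confirm.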
## Why we are naming a thin-profile actor
BlackField does not yet have the kind of technical dossier we would normally build an actor file around, and we are not going to fabricate one to look authoritative. What it has is a business model stated out loud, and business models travel faster than malware — other crews read leak posts too, and a pricing scheme that works gets copied within weeks. That is why the menu is worth flagging even when the malware is a mystery: the innovation here is commercial, not technical, and commercial innovations in this ecosystem propagate. We will cap it at ninety-five percent, as always — attribution and details will firm up or shift as researchers dig in, and some of what is claimed on a leak post is theater. But the price list is real, it is public, and it is a preview. Ransomware is finishing its transformation from a hostage crisis into a retail operation. BlackField just showed you the register.
