- Patrick Duggan
# BlackNevas Doesn't Leak Your Data Itself. It Subcontracts the Threat to Six Other Gangs. That's the Part Worth Watching.
BlackNevas is a ransomware crew that surfaced in the second half of 2025 and has been quietly building a victim list across technology, manufacturing, energy, healthcare, finance, and telecom, on three continents. The encryption is competent, the initial access is boring, the extortion is ruthless — standard modern ransomware, in other words. But it does one thing that is worth stopping on: when BlackNevas threatens to publish your stolen files, it does not always publish them itself. It hands them to other ransomware groups to leak on its behalf — a roster of at least six named crews. That is not a detail. That is a preview of where the ransomware economy is going, and it changes what a data-exposure threat actually means for you.
## The boring, dangerous mechanics
Let us get the standard parts out of the way, because they matter for defense even when they are not novel. BlackNevas is derived from Trigona, an earlier ransomware family, and it inherited Trigona's habits, including a network-spreading capability, toggled by a command-line flag, that walks the local network over SMB. The encryption is a hybrid scheme: fast symmetric AES locks the files, and the AES key material is encrypted with the operator's RSA public key, so only the holder of the matching private key can recover it and unlock the data. Encrypted files carry a distinctive tell, an extension ending in "-encrypted", and victims are pointed at email or Telegram to negotiate.
The way in is the way in for almost everyone now: valid accounts. BlackNevas operators favor logging in with legitimate stolen credentials over exploiting some exotic zero-day, supplemented by spear-phishing and the opportunistic use of known vulnerabilities. This is the unglamorous truth of 2026 ransomware — the front door is usually unlocked, because the key was phished, purchased, or reused. Every hardening dollar you spend on multi-factor authentication and credential hygiene buys down more risk than another expensive detection appliance.
## The part that is actually new: extortion as a subcontract
Here is the piece that makes BlackNevas worth a profile rather than a footnote. Traditional ransomware groups run their own data-leak site — the "name and shame" wall where they post stolen files if the victim does not pay. It is core infrastructure, and it is a liability: leak sites get seized, hosting gets pulled, the operators have to keep the lights on.
BlackNevas has been observed offloading that function. Rather than relying solely on its own leak site, it collaborates with other ransomware operations to publish stolen data — reported partners include Kill Security, Hunters International, DragonForce, Blackout, Embargo, and Mad Liberator. Read that list again. That is one crew borrowing the megaphones of six others.
Think about what that does to the threat model. When a single-gang operation threatens to leak your data, you are dealing with one adversary, one leak site, one set of infrastructure that law enforcement can pressure. When BlackNevas threatens you, the threat is distributed: your files could surface on any of several independent leak platforms, run by groups with their own audiences, their own resilience, and their own reasons to keep the pressure on. Takedowns get harder, because seizing one site removes one outlet, not the threat. Negotiation gets murkier, because you no longer know for certain who ends up holding your data, or how many copies of it exist. The extortion has been turned into a supply chain with interchangeable suppliers, and a supply chain built that way is harder to disrupt than any single link in it.
We have spent a lot of this year documenting supply-chain thinking on the attacker side — malicious packages, compromised vendors, trust-relationship island-hopping. This is the same logic pointed at the back half of the ransomware business: don't own the whole operation, rent the parts that are risky to hold. It is efficient, it is resilient, and it is bad news for anyone whose incident plan assumes a single, identifiable extortionist on the other end.
## What to actually do
Treat the initial-access reality as the main event. Because BlackNevas leans on valid accounts, the highest-leverage defenses are the unglamorous ones: phishing-resistant multi-factor authentication on every remote-access and identity surface, aggressive review of dormant and over-privileged accounts, and alerting on logins that are technically valid but behaviorally wrong — impossible travel, off-hours administrative access, first-time-seen source networks. A stolen credential is only as useful as the door it still opens.
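As an added illustration of the "technically valid but behaviorally wrong" alerting described above (this is example code written for this edit, not BlackNevas tooling or anything from the researchers cited), here is a small Python detector that runs three of those checks over constructed login records: first-seen source network, off-hours administrative access, and impossible travel between consecutive logins by the same account. The record format, the per-user baseline networks, the business-hours window and the 900 km/h travel ceiling are all assumptions for the example; in practice the baselines come from your identity provider's sign-in history.

```python
# Added example: flag successful logins that are valid but behaviorally wrong.
# Not BlackNevas tooling; the record format, baselines and thresholds below
# are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_net: str            # source network the login came from (/24 here)
    geo: tuple              # (latitude, longitude) from IP geolocation
    admin: bool             # used an administrative role or interface


# Assumed baselines: networks each account is normally seen from.
BASELINE_NETS = {
    "jdoe": {"203.0.113.0/24"},
    "admin-svc": {"198.51.100.0/24"},
}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; assumption
MAX_TRAVEL_KMH = 900.0          # faster than this between logins is "impossible"

# Constructed sample records (not real log data), deliberately out of order.
BOSTON = (42.36, -71.06)
LAGOS = (6.52, 3.38)
SAMPLE_LOGINS = [
    Login(datetime(2026, 3, 2, 9, 10), "jdoe", "203.0.113.0/24", BOSTON, False),
    Login(datetime(2026, 3, 2, 11, 40), "jdoe", "192.0.2.0/24", LAGOS, False),
    Login(datetime(2026, 3, 2, 2, 15), "admin-svc", "198.51.100.0/24", BOSTON, True),
    Login(datetime(2026, 3, 2, 14, 0), "admin-svc", "198.51.100.0/24", BOSTON, True),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(prev, cur, max_kmh=MAX_TRAVEL_KMH):
    """True if reaching cur's location from prev's would exceed max_kmh."""
    km = haversine_km(prev.geo, cur.geo)
    if km < 50:                 # same metro area; ignore geolocation jitter
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    return hours <= 0 or km / hours > max_kmh


def flag(logins, baseline_nets=BASELINE_NETS):
    """Return [(user, iso_timestamp, [reasons])] for logins worth an alert."""
    alerts = []
    last_by_user = {}
    for login in sorted(logins, key=lambda item: item.ts):
        reasons = []
        if login.src_net not in baseline_nets.get(login.user, set()):
            reasons.append("first-seen source network")
        if login.admin and login.ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours administrative access")
        prev = last_by_user.get(login.user)
        if prev is not None and impossible_travel(prev, login):
            reasons.append("impossible travel")
        if reasons:
            alerts.append((login.user, login.ts.isoformat(), reasons))
        last_by_user[login.user] = login
    return alerts


def sample_alerts():
    """Run the detector over the constructed sample."""
    return flag(SAMPLE_LOGINS)


if __name__ == "__main__":
    for user, when, why in sample_alerts():
        print(f"{when} {user}: {', '.join(why)}")
```

Two of the four sample logins fire: the 02:15 administrative session from a known network (off-hours only), and the Lagos login two and a half hours after a Boston one from a network the account has never used (two reasons at once). The 50 km floor in the travel check is there because IP geolocation jitters within a metro area, and without it every VPN reconnect would page someone.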
Watch for the lateral movement, not just the encryption. Trigona-lineage SMB spreading means the window between first foothold and full encryption is where you win or lose. Monitor for unexpected SMB enumeration and internal scanning from a single host, and segment your network so that one compromised machine cannot reach the whole file estate. By the time you see the "-encrypted" extension, you are doing forensics, not defense.
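As an added illustration of that lateral-movement window (example code written for this edit, not something from Trigona, BlackNevas or the cited researchers), here is a Python sliding-window detector for one host fanning out to many internal peers over SMB within a few minutes. The four-column log shape, the 10.0.0.0/8 internal range, the allowlisted scanner address, the five-minute window and the eight-peer threshold are all assumptions; real input would come from Zeek conn logs, firewall logs or NetFlow, and the threshold has to be tuned against what your own backup servers and scanners normally do.

```python
# Added example: flag a single host fanning out to many internal peers over
# SMB (TCP/445) inside a short window. Not Trigona/BlackNevas code; the log
# shape, network ranges, allowlist and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption
ALLOWLIST = {"10.0.0.5"}                      # e.g. an authorised vulnerability scanner
WINDOW = timedelta(minutes=5)
THRESHOLD = 8                                 # distinct SMB peers inside WINDOW

# Constructed sample log: "timestamp src dst dport", one event per line.
# 10.0.1.20 is a workstation sweeping its /24 over SMB, 10.0.0.5 is the
# allowlisted scanner, 10.0.2.7 is a user reaching one file server.
SAMPLE_LOG = "\n".join(
    [
        "2026-03-02T10:00:00 10.0.2.7 10.0.1.50 445",
        "2026-03-02T10:00:05 10.0.1.20 10.0.1.50 445",
        "2026-03-02T10:00:06 10.0.1.20 10.0.1.51 445",
        "2026-03-02T10:00:07 10.0.1.20 10.0.1.52 445",
        "2026-03-02T10:00:08 10.0.1.20 10.0.1.53 445",
        "2026-03-02T10:00:09 10.0.1.20 10.0.1.54 139",    # not 445: ignored
        "2026-03-02T10:00:10 10.0.1.20 10.0.1.54 445",
        "2026-03-02T10:00:11 10.0.1.20 203.0.113.9 445",  # external: ignored
        "2026-03-02T10:00:12 10.0.1.20 10.0.1.55 445",
        "2026-03-02T10:00:13 10.0.1.20 10.0.1.56 445",
        "2026-03-02T10:00:14 10.0.1.20 10.0.1.57 445",
        "2026-03-02T10:30:00 10.0.2.7 10.0.1.50 445",
    ]
    + [f"2026-03-02T10:00:{20 + i} 10.0.0.5 10.0.1.{60 + i} 445" for i in range(10)]
)


def parse(text):
    """Yield (ts, src, dst, dport) tuples from the simplified log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def smb_fanout(events, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {src: (first_ts_iso, distinct_peers)} for sources that reach
    `threshold` distinct internal hosts on TCP/445 within `window`.

    Each source is reported once, at the moment it first crosses the threshold.
    """
    recent = defaultdict(deque)     # src -> deque of (ts, dst), oldest first
    alerts = {}
    for ts, src, dst, dport in sorted(events):
        if dport != 445 or src in allowlist or not is_internal(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:    # drop events older than the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold and src not in alerts:
            alerts[src] = (q[0][0].isoformat(), len(peers))
    return alerts


if __name__ == "__main__":
    for src, (since, n) in smb_fanout(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} SMB peers since {since}")
```

Only the workstation is reported; the scanner is suppressed by the allowlist and the ordinary user never exceeds one peer. Dropping the allowlist makes the scanner fire too, which is the point of keeping one: the detection is about an unexpected source fanning out, and the allowlist is where you record the sources that are expected to.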
And rewrite the extortion branch of your incident plan for a distributed threat. Assume that a data-exposure threat may play out across multiple independent leak sites, not one. That changes your legal notification calculus, your communications plan, and your assessment of whether paying even removes the data from circulation — with a subcontracted leak model, it may not. Plan for the data being gone, because increasingly, once it has been handed around, it is.
## Why we are putting them on the record
We track actors so a defender has a structured file to pivot on, not just a memory of a headline. BlackNevas was almost a blank space in our corpus — we had a single indicator, the group's Telegram handle, harvested from a public feed, and nothing else. That is not coverage; that is a breadcrumb. This piece and the profile behind it turn the breadcrumb into something a defender can actually use, with the initial-access reality and the distributed-extortion twist attached.
We will credit where it is due: the researchers who dissected the Trigona lineage, mapped the partner roster, and pulled the encryption internals did the hard forensic work, and this is a synthesis of it aimed at defenders, not a claim of original discovery. And we will cap it at ninety-five percent, as always — partner rosters shift, ransomware crews rebrand and betray each other constantly, and some of what is true about BlackNevas today will be stale by autumn. But the structural move — outsourcing the leak, distributing the extortion, renting resilience instead of building it — is the part that will outlast the name. Watch that. It is coming to a threat model near you whether BlackNevas survives or not.
