AhnLab researchers have published a technical analysis of BlackNevas, a ransomware group that has been launching attacks across industries and regions since late 2024. Concentrated on the Asia-Pacific region but also active in Europe and North America, BlackNevas pairs a hybrid file-encryption scheme with data-theft extortion, leaving victims no route back to their files other than the attackers' private key or their own intact backups.
According to the report, “The BlackNevas ransomware group first appeared in November 2024 and has since been continuously attacking various businesses and critical infrastructure organizations in Asia, North America, and Europe.” While the group does not operate as a Ransomware-as-a-Service (RaaS), it maintains its own data leak site (DLS) and threatens to publish or auction off stolen data if victims refuse to pay.
AhnLab reports that the group’s targets are primarily in the Asia-Pacific region, which accounts for 50% of their activity. Key targets include countries in Southeast and East Asia, such as Japan, Thailand, and Korea. In Europe, the group focuses on countries in Western Europe and the Baltic Sea region, including the UK, Italy, and Lithuania. In North America, they have specifically targeted Connecticut in the United States.
BlackNevas uses a hybrid AES + RSA scheme. Each file is encrypted with a randomly generated AES key; that key is then encrypted with an RSA public key whose private half only the attackers hold, and the result is appended to the encrypted file. As AhnLab notes, “unless the RSA algorithm itself is broken, there is no possibility of decryption.” In practice this means no decryptor can be built from the samples alone: victims can restore files only with the attackers' cooperation or from backups the ransomware did not reach.
Encrypted files receive the extension .-encrypted. Some files of common types (AhnLab cites .doc, .pdf and .jpg) are instead renamed with a trial-recovery prefix; these serve as samples meant to demonstrate that decryption is possible if victims comply.
Unlike some more advanced ransomware, BlackNevas does not rely on heavy obfuscation or anti-analysis tricks. Instead it accepts several execution arguments, including /fast, /full, /stealth and /shdwn, which let operators tailor a run. /fast encrypts only 1% of each file's contents, trading completeness for speed, while /full encrypts everything. The partial mode matters during recovery: a file hit by /fast is unusable as-is, but 99% of its bytes are untouched, which can be significant for formats whose contents can be carved or partially rebuilt.
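To make the hybrid AES + RSA scheme and the /fast versus /full trade-off concrete, here is an added Go example; it is not code from AhnLab's report and not the ransomware's own code. It assumes a per-file AES-256-CTR key, RSA-OAEP for wrapping that key, a trailer made of IV, wrapped key and two length fields, and that /fast encrypts the leading 1% of each file. The report specifies none of these details, only that an RSA-encrypted AES key is appended and that /fast covers 1% of the contents. The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type Mode int // mirrors the /fast and /full switches; the report says /fast covers 1%

const (
	ModeFast Mode = iota // assumption: the leading 1% of the file
	ModeFull
)

// Assumed trailer (the report gives no byte layout): [ body ][ IV 16 ][ RSA-wrapped AES key ][ encrypted length u32 ][ wrapped-key length u16 ]
const trailerFixed = aes.BlockSize + 6

func encryptedLen(size int, m Mode) int {
	if m == ModeFull {
		return size
	}
	if n := size / 100; n > 0 {
		return n
	}
	return size // files under 100 bytes are encrypted whole
}

// EncryptFile: fresh AES-256 key, AES-CTR over the selected span, then the key
// wrapped with the attacker's RSA public key (OAEP assumed) and appended.
func EncryptFile(plain []byte, pub *rsa.PublicKey, m Mode) ([]byte, error) {
	keyIV := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:32], keyIV[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := encryptedLen(len(plain), m)
	out := append([]byte(nil), plain...)
	cipher.NewCTR(block, iv).XORKeyStream(out[:n], plain[:n])
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	var lens [6]byte
	binary.BigEndian.PutUint32(lens[:4], uint32(n))
	binary.BigEndian.PutUint16(lens[4:], uint16(len(wrapped)))
	out = append(out, iv...)
	out = append(out, wrapped...)
	return append(out, lens[:]...), nil
}

// DecryptFile is the step only the attacker can perform: unwrapping the AES key needs the RSA private key; any other key fails the OAEP check.
func DecryptFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	end := len(blob)
	if end < trailerFixed {
		return nil, fmt.Errorf("too short for trailer")
	}
	wl := int(binary.BigEndian.Uint16(blob[end-2:]))
	encLen := int(binary.BigEndian.Uint32(blob[end-6 : end-2]))
	bodyEnd := end - trailerFixed - wl
	if bodyEnd < 0 || encLen > bodyEnd {
		return nil, fmt.Errorf("corrupt trailer")
	}
	body, iv, wrapped := blob[:bodyEnd], blob[bodyEnd:bodyEnd+aes.BlockSize], blob[bodyEnd+aes.BlockSize:end-6]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), body...)
	cipher.NewCTR(block, iv).XORKeyStream(out[:encLen], body[:encLen])
	return out, nil
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays with the attacker
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := bytes.Repeat([]byte("quarterly report line\n"), 500) // constructed sample file
	fast, _ := EncryptFile(doc, &attacker.PublicKey, ModeFast)
	n := encryptedLen(len(doc), ModeFast)
	fmt.Printf("/fast: %d of %d bytes encrypted, tail intact: %v\n", n, len(doc), bytes.Equal(fast[n:len(doc)], doc[n:]))
	_, err := DecryptFile(fast, other)
	fmt.Println("wrong private key:", err)
	back, _ := DecryptFile(fast, attacker)
	fmt.Println("attacker's key restores the file:", bytes.Equal(back, doc))
}
```

Two things this shows that the prose alone does not. First, the only secret a defender could extract from an infected host is the public key, and DecryptFile with any key other than the attacker's private key fails at the OAEP unwrap step before a single file byte is touched; this is what "unless the RSA algorithm itself is broken" means in practice. Second, in /fast mode the bytes after the first 1% are byte-for-byte the original plaintext, which is why partially encrypted files deserve a look from a forensic carver before being written off.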
After encryption, victims are presented with a ransom note named how_to_decrypt.txt, created in every accessible folder. The note claims the attackers are professionals in both file encryption and industrial espionage, warning that “if a decryption negotiation is not made within 7 days,” the victim’s data will be leaked, sold, or auctioned.
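A first-pass triage of an affected file system can be driven entirely by the three file-name indicators the article gives: the .-encrypted extension, the how_to_decrypt.txt note dropped in every accessible folder, and the trial-recovery prefix on sample files. The following Go program is an added example, not AhnLab's tooling; the victim tree it builds is constructed, and the "." after trial-recovery in the sample name is an assumption, since the report does not say what follows the prefix.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators named in the article. The report does not say what follows the
// "trial-recovery" prefix, so only the prefix itself is matched.
const (
	encExt    = ".-encrypted"
	noteName  = "how_to_decrypt.txt"
	trialPref = "trial-recovery"
)

// Triage summarises one walk of a tree.
type Triage struct {
	Encrypted int      // files ending in .-encrypted
	Trial     int      // sample files carrying the trial-recovery prefix
	Notes     int      // ransom notes found
	NoteDirs  []string // directories holding a note
	Other     int      // files matching none of the indicators
}

// ScanTree walks root and counts indicators by file name only, so it can be
// run against a read-only mounted image without touching file contents.
func ScanTree(root string) (Triage, error) {
	var t Triage
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		switch name := d.Name(); {
		case name == noteName:
			t.Notes++
			t.NoteDirs = append(t.NoteDirs, filepath.Dir(p))
		case strings.HasSuffix(name, encExt):
			t.Encrypted++
		case strings.HasPrefix(name, trialPref):
			t.Trial++
		default:
			t.Other++
		}
		return nil
	})
	return t, err
}

// Infected is a conservative verdict: a note on its own could be a planted
// test file; a note plus renamed files is the pattern the report describes.
func (t Triage) Infected() bool {
	return t.Notes > 0 && (t.Encrypted > 0 || t.Trial > 0)
}

// BuildSample writes a constructed victim tree under dir for demonstration.
// The "." after trial-recovery is an assumption, not taken from the report.
func BuildSample(dir string) error {
	files := map[string]string{
		"finance/budget.xlsx.-encrypted": "\x17\x9a\x02...",
		"finance/how_to_decrypt.txt":     "if a decryption negotiation is not made within 7 days ...",
		"hr/trial-recovery.policy.pdf":   "%PDF-1.4 ...",
		"hr/how_to_decrypt.txt":          "if a decryption negotiation is not made within 7 days ...",
		"hr/notes.txt":                   "plain text left alone",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "blacknevas-triage")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildSample(dir); err != nil {
		panic(err)
	}
	t, err := ScanTree(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted=%d trial=%d notes=%d other=%d infected=%v\n", t.Encrypted, t.Trial, t.Notes, t.Other, t.Infected())
	fmt.Println("note directories:", t.NoteDirs)
}
```

Because the article notes that BlackNevas leaves the desktop wallpaper alone, a name-based sweep like this is often the quickest way to confirm scope on a host where nothing looks visibly wrong; the NoteDirs list doubles as a map of which folders the process could reach.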

Interestingly, unlike other ransomware families that modify desktop wallpapers, BlackNevas leaves the background unchanged, relying entirely on ransom notes and data-leak threats to pressure victims.
The combination of attacks on critical infrastructure, an encryption design that cannot be undone without the attackers' private key, and public data-leak threats makes BlackNevas a serious threat. AhnLab concludes: “The number of companies suffering ransomware attacks through the DLS of the BlackNevas group is on the rise… unless the RSA algorithm itself is broken, there is no possibility of decryption.”