Blacknevas (also tracked as black nevas) is a ransomware operator currently active on public leak sites. Darkfield has indexed 31 public victims claimed by this operator between August 6, 2025 and April 30, 2026.
Blacknevas is an emerging ransomware group, first observed in August 2025, that appears to be primarily financially motivated based on its targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though its diverse geographic targeting suggests either a distributed operation or a broad opportunistic approach.
Based on available victim data, Blacknevas has compromised at least 23 organizations across multiple countries, with the United States, Spain, India, Japan, and Thailand being the most frequently targeted nations. Its sector focus spans the technology, manufacturing, energy, and consumer services industries, which suggests opportunistic rather than sector-specific targeting.
The group's attack vectors and specific tools, and whether it operates under a Ransomware-as-a-Service model or maintains independent operations, have not been publicly documented by major cybersecurity firms or government agencies. Because the group emerged only in August 2025, there is insufficient public reporting from established sources such as CISA, the FBI, or major threat intelligence providers to detail notable campaigns or significant attacks beyond the confirmed victim count. Given the recency of its first observed activity, Blacknevas appears to remain active as of late 2025, though comprehensive threat intelligence profiles from authoritative sources have yet to be published.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.