Blacktor is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 4 public victims claimed by this operator between December 30, 2021.

Blacktor is a relatively obscure ransomware group that emerged in December 2021 with apparent financial motivations, having targeted a limited number of victims since its inception. The group's origin and potential state affiliations remain unclear due to limited public reporting from major cybersecurity firms and government agencies, though their operational structure appears to be that of a small independent operation rather than a large-scale Ransomware-as-a-Service model.

Technical details regarding Blacktor's attack methodology, including their preferred initial access vectors, encryption techniques, and whether they employ double or triple extortion tactics, have not been extensively documented in public threat intelligence reports from established sources such as CISA, FBI, or major security research organizations.

With only four known victims documented since their emergence, Blacktor has not achieved the notoriety of major ransomware families and lacks publicly reported high-profile campaigns or significant law enforcement actions. The group's current operational status remains uncertain due to the limited visibility into their activities and the absence of recent public reporting on their campaigns.
How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.