Skip to main content

Ransomware victim disclosure

All victims

The company MST (Sanko Makina and ASKO Holding)

Claimed by Blacknevas · listed 3 months ago

2m
Age
since listed · data leaked

Status timeline

  1. ListedApr 30, 2026
  2. Data leakeddate unknown

At a glance

Status
Data leaked
Country
Türkiye
Listed on leak site
Apr 30, 2026

About the victim

AI dossier — public-source company profile

ASKO Holding is a Turkish holding company rooted in the Konukoğlu family's commercial tradition, operating across construction machinery, agricultural machinery, energy, and technology sectors through more than 8 subsidiaries. Its subsidiary MST (operating under the Sanko Makina brand) designs and manufactures armored backhoe loaders and telehandlers supplied to the Turkish Armed Forces, Gendarmerie, and Police for military engineering and counter-terrorism operations. The group employs over 1,800 people and exports to more than 45 countries.

Industry
Defence & Military Engineering Equipment Manufacturing
Address
Turkey (Gaziantep region, associated with Konukoğlu family / Sanko Group); full street address not stated in available sources
Employees
1800

Attack summary

Severity: critical — The victim is a confirmed supplier to Turkish national defence forces (TSK, Gendarmerie, Police) working with the Presidency of Defence Industries (SSB); seven months of exfiltrated data from a defence-sector manufacturer constitutes a regulated, nationally sensitive data exposure with potential implications for military procurement, operational security, and state defence programmes.

The group claims to have exfiltrated a significant volume of data over seven months and subsequently encrypted the stolen files, storing them in secure storage; a ransom of 15 bitcoins is demanded for their release.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • Exfiltrated corporate files (volume unspecified)
  • Encrypted copies of stolen data
  • Potential defence/military contract documentation
  • Operational and supplier records

What the group claims

The company MST (Sanko Makina and ASKO Holding) has direct and close ties to the Turkish defense industry. It serves as an important supplier of specialized military engineering equipment for Turkish security forces. Here is exactly how the company is connected to the defense sector: 1. Production of Armored Construction Equipment: Ordinary construction machinery is vulnerable in combat zones. MST develops and manufactures armored backhoe loaders and telehandlers specifically designed for military needs. The cabins, engine compartments, and vital components of these machines are protected by armor capable of withstanding small arms fire and improvised explosive device (IED) blasts. 2. Supplies for the Army and Police: The primary customers for MST's military products are the Turkish Armed Forces (TSK), the General Command of the Gendarmerie, and the General Directorate of Security (Police). 3. Specific Applications: MST's military equipment is actively used by engineering troops and special forces for the following tasks: • Digging trenches and building defensive berms on the front lines; • Dismantling barricades, destroying militant shelters, and clearing streets during anti-terrorist operations (such equipment was heavily used by Turkish security forces during urban operations in the southeastern part of the country); • Safely neutralizing explosive devices on roads; • Constructing and fortifying military outposts and bases. 4. Integration into State Defense Programs: MST works in close cooperation with the Presidency of Defense Industries (SSB) of Turkey. The production of indigenous armored engineering equipment is part of Turkey's state strategy for import substitution and ensuring the national army's independence from foreign suppliers. 5. Participation in Defense Exhibitions: The MST brand regularly showcases its military developments at major international arms exhibitions, such as IDEF (International Defence Industry Fair), offering its armored special equipment not only to the domestic market but also for export to allied nations. Information for our partners: > Over the course of seven months, a significant volume of data was stolen. > The obtained files were encrypted and stored in secure storage. > The stated starting price is 15 bitcoins.

Sources

Source

Indexed 3 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About blacknevas

Blacknevas is an emerging ransomware group that was first observed in August 2025, appearing to be primarily financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their diverse geographic targeting suggests either a distributed operation or broad opportunistic approach. Based on available victim data, Blacknevas has compromised at least 23 organizations across multiple countries, with the United States, Spain, India, Japan, and Thailand being the most frequently targeted nations, while their sector focus spans technology, manufacturing, energy, and consumer services industries, suggesting they employ opportunistic rather than sector-specific targeting methodologies. The group's attack vectors, specific tools, and whether they operate as a Ransomware-as-a-Service model or maintain independent operations have not been publicly documented by major cybersecurity firms or government agencies. Due to the group's recent emergence in August 2025, there is insufficient public reporting from established sources like CISA, FBI, or major threat intelligence providers to detail notable campaigns or significant attacks beyond the confirmed victim count. Given the recency of their first observed activity, Blacknevas appears to remain active as of late 2025, though comprehensive threat intelligence profiles from authoritative sources have yet to be published. The group has been linked to 36 public disclosures across our corpus. First observed on a leak site on August 6, 2025; most recent post July 14, 2026. The operation is currently active.

Also tracked as: black nevas.

Timeline of this disclosure

  • April 30, 2026The company MST (Sanko Makina and ASKO Holding) listed by blacknevason the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Manufacturing sector, which has 3,681 disclosures indexed across all operators we track. Geographically, The company MST (Sanko Makina and ASKO Holding) is reported in Türkiye, a country with 31 ransomware disclosures in our corpus.

If your organisation is affected

A listing by blacknevas means The company MST (Sanko Makina and ASKO Holding) appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on blacknevas's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.