Breach Monitoring News Feed
Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.
BianLian ransomware first appeared in June 2022 as a Go-based crypto-locker and pivoted in January 2023 to a pure data-extortion model after security firms released free decryptors for the early versions. In its encryption phase it used hybrid AES-256 + RSA-2048 encryption, appended the .bianlian extension to files, and dropped ransom notes containing Tor links. The group targets a broad set of industries (healthcare, education, government, critical manufacturing, and professional services) with confirmed victims in the U.S., U.K., Australia, and Canada. Initial access is typically obtained through compromised RDP credentials, exploitation of vulnerabilities in internet-facing systems, or VPN credentials stolen by infostealers. Post-compromise, BianLian performs network reconnaissance, credential harvesting, and exfiltration of sensitive files before issuing extortion threats on its leak site. The group has claimed dozens of breaches, with ransom demands typically in the $100k–$2 million USD range.
BIDON is a variant of the Monti ransomware family, first observed around mid-2023. It employs a double-extortion strategy, encrypting victims' files and threatening to leak stolen data if the ransom is not paid. It appends the .PUUUK extension to encrypted files and drops a readme.txt ransom note outlining the extortion demands. The note offers free decryption of two files as proof of capability and insists that only authorized company personnel (e.g., top management) engage in negotiation. BIDON specifically targets corporate and enterprise organizations rather than home users, and warns victims not to involve law enforcement or third-party recovery firms. It represents a shift toward more aggressive extortion tactics within the Monti lineage.
BitRansomware (also known as DCryptSoft or ReadMe) surfaced in November 2020 as a widespread crypto-locker aimed at end users in the APAC region, especially universities in Japan and Hong Kong. It was delivered by a malspam campaign run through the Phorpiex botnet, which distributed deceptive ZIP attachments containing a screensaver-style .scr payload. Once executed, BitRansomware encrypts files, appends the .ReadMe extension, and leaves ransom notes directing victims toward payment. The campaign peaked sharply around November 4, 2020, when VMware NSX telemetry recorded more than 28,000 email instances in a single day.
Bjorka (also tracked as Bjorkanism and Hellcome) emerged as a prominent data-extortion actor and hacktivist in 2022, targeting Indonesian institutions with massive data leaks, including voter records, police data, and internal telecom and utility datasets. After going quiet in 2023, the actor resurfaced in early 2025 under the name Babuk2, borrowing the legacy branding of the Babuk ransomware group to boost perceived credibility and fuel data-extortion operations. Bjorka has not been linked to the deployment of actual ransomware payloads; the strategy relies on reputational leverage through data leaks and on branding chosen for psychological impact.
BlackNevas ransomware, also referred to as "Trial Recovery", was first observed in November 2024. It is a direct derivative of the Trigona ransomware family and continues that lineage's extortion-driven approach. BlackNevas operators run a double-extortion model, encrypting files with AES-256 and protecting the keys with RSA-4112, and appending the .-encrypted or .ENCRYPTED extension to affected files. Payloads are available for Windows, Linux, NAS, and VMware ESXi platforms. BlackNevas does not host its own data leak site; it reportedly collaborates with other ransomware groups for data publication, with known partners including Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator. The group has predominantly targeted large enterprises in finance, telecommunications, manufacturing, healthcare, and legal services. Initial access is commonly achieved through phishing or vulnerability exploitation, with lateral movement facilitated by SMB enumeration and an optional LAN-wide propagation mode.
BlackSuit (aka black shrantac) first appeared in May 2023 and is a confirmed rebrand or direct evolution of Royal ransomware. It operates as Ransomware-as-a-Service (RaaS) with a double-extortion model, encrypting files and stealing sensitive data to back leak threats. BlackSuit targets Windows and Linux systems, including VMware ESXi environments, and uses the .blacksuit extension for encrypted files. Technical analysis shows roughly 98% code overlap with Royal, which is itself believed to be run by former Conti affiliates. Victims span healthcare, critical manufacturing, education, and government, with notable incidents affecting public health systems in the U.S. Initial access vectors include phishing, exploitation of public-facing applications (e.g., Citrix and Fortinet vulnerabilities), and credentials purchased from initial access brokers. Ransom notes direct victims to Tor-based negotiation portals.
BlackBasta emerged in April 2022 and is widely assessed to be operated by former Conti members. It functions as Ransomware-as-a-Service (RaaS) with a double-extortion model, encrypting data and threatening to publish it on its Tor-based leak site. The malware supports Windows and Linux/VMware ESXi environments and uses ChaCha20 for file encryption with RSA-4096 to protect the keys. Encrypted files receive the .basta extension, and a readme.txt ransom note provides negotiation instructions. BlackBasta has hit victims across manufacturing, construction, healthcare, government, and critical infrastructure, with confirmed targets in the U.S., Canada, U.K., Australia, and New Zealand. Initial access comes through phishing, QakBot infections, and credentials purchased from initial access brokers; once inside, affiliates exploit known vulnerabilities such as ZeroLogon and PrintNightmare for privilege escalation. By mid-2024, BlackBasta ranked among the five most active ransomware groups worldwide.
Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single-extortion model, encrypting files and demanding payment, with no documented data exfiltration or leak threats. In observed cases the malware appends the .Black extension to encrypted files (e.g., 1.jpg.Black) and leaves a ransom note named Black_Recover.txt, which urges victims to make contact to negotiate payment or to test decryption on a few non-sensitive files. Distribution appears opportunistic, through isolated infections or broad malware campaigns rather than targeted operations or dedicated infrastructure. There is no evidence that it runs as a RaaS operation or that it targets any particular victim profile or sector.
BlackBit ransomware was first observed in August 2022. It is a .NET-based strain that closely mimics the branding and ransom-note design of LockBit 3.0; because LockBit is native code rather than .NET, this is deliberate imitation rather than a fork of LockBit's builder, and BlackBit is widely reported to be a rebranded LokiLocker build. It uses a double-extortion model, encrypting victim files and threatening to leak stolen data through a Tor-based site. BlackBit encrypts file contents with AES and protects the key with RSA, appending the .BlackBit extension to affected files. The malware also terminates processes, deletes volume shadow copies, and disables recovery mechanisms. Initial access vectors are not comprehensively documented but are consistent with phishing, exploitation of vulnerable public-facing services, and use of compromised credentials. Victims have been identified in technology, manufacturing, and professional services, though its activity has been far lower than LockBit's.
BlackByte ransomware was first observed in July 2021 and operates as Ransomware-as-a-Service (RaaS). It uses a double-extortion model, encrypting victim files while exfiltrating sensitive data for publication on its Tor-based leak site. Early builds were written in C# and used AES-256 for file encryption; those builds fetched the symmetric key from a remote host rather than generating it per victim, a weakness Trustwave used to publish a free decryptor in October 2021, after which the group reworked its key handling. Early campaigns exploited the ProxyShell vulnerabilities in Microsoft Exchange servers for initial access, while later campaigns have used phishing, malicious attachments, and vulnerable internet-facing systems. BlackByte appends extensions such as .blackbyte or .blackbyte2.0 to encrypted files and leaves a ransom note (BlackByte_restoremyfiles.txt) instructing victims to contact the operators via Tor. The group has targeted organizations worldwide, including critical infrastructure, manufacturing, and government. In February 2022, the FBI and USSS released a joint advisory warning of BlackByte's impact and providing detection signatures.
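The entries above for BianLian, BIDON, BitRansomware, BlackNevas, BlackSuit, BlackBasta, Black Berserk, BlackBit and BlackByte each name the extension the locker appends and, for some, the ransom-note filename. The following is an added example, written for this page and not code from any of the groups or vendors mentioned, of a file-system sweep that turns those indicators into a first-pass triage of which family touched a share. The indicator table is built only from this page; the sample paths and the `classify`/`sweep`/`summarize` names are constructed for the example. Two details matter in practice: markers such as `.blackbyte2.0` contain a dot, so `Path.suffix` would return `.0` and miss them, which is why matching is done against the end of the whole lowercased filename with the longest marker tried first; and generic markers (`.ENCRYPTED`, `readme.txt`) are reported separately or not at all because they also occur on clean systems.

```python
# Added example: ransomware-extension and ransom-note sweep built from the
# indicators listed on this page. Sample paths are constructed, not real evidence.
from collections import Counter

# Extension marker -> family. Keys are lowercase; matching is case-insensitive.
EXTENSION_IOCS = {
    ".bianlian": "BianLian",
    ".puuuk": "BIDON (Monti)",
    ".readme": "BitRansomware",
    ".-encrypted": "BlackNevas",
    ".blacksuit": "BlackSuit",
    ".basta": "BlackBasta",
    ".black": "Black Berserk",
    ".blackbit": "BlackBit",
    ".blackbyte": "BlackByte",
    ".blackbyte2.0": "BlackByte",
}

# Markers that are also used legitimately; flagged with lower confidence.
WEAK_EXTENSION_IOCS = {".encrypted": "BlackNevas (generic marker)"}

# Ransom-note filenames that are distinctive enough to attribute on their own.
# readme.txt (BIDON, BlackBasta) is deliberately left out: it is a normal filename.
NOTE_IOCS = {
    "black_recover.txt": "Black Berserk",
    "blackbyte_restoremyfiles.txt": "BlackByte",
}

# Longest marker first so ".blackbyte2.0" wins over ".blackbyte" and
# ".blackbit" wins over ".black".
_ORDERED_EXTENSIONS = sorted(EXTENSION_IOCS, key=len, reverse=True)


def classify(path):
    """Return (indicator_kind, family) for one path, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in NOTE_IOCS:
        return ("note", NOTE_IOCS[name])
    for ext in _ORDERED_EXTENSIONS:
        # len check: a file literally named ".basta" is not an encrypted file
        if name.endswith(ext) and len(name) > len(ext):
            return ("extension", EXTENSION_IOCS[ext])
    for ext, family in WEAK_EXTENSION_IOCS.items():
        if name.endswith(ext) and len(name) > len(ext):
            return ("weak-extension", family)
    return None


def sweep(paths):
    """Map each matching path to its (indicator_kind, family) tuple."""
    hits = {}
    for path in paths:
        verdict = classify(path)
        if verdict is not None:
            hits[path] = verdict
    return hits


def summarize(hits):
    """Families seen, most frequent first; ties broken by name."""
    counts = Counter(family for _, family in hits.values())
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed sample listing, as a file-server enumeration might return it.
SAMPLE_PATHS = [
    "/srv/share/finance/q3.xlsx.bianlian",
    "/home/alice/photo.jpg.blackbyte2.0",
    "/home/alice/notes.txt.blackbyte",
    "/data/legal/report.pdf.-encrypted",
    "/data/legal/backup.encrypted",
    "/data/legal/Black_Recover.txt",
    "/data/legal/plan.docx",
    "/data/eng/contract.pdf.BlackBit",
    "/data/eng/1.jpg.Black",
]

if __name__ == "__main__":
    found = sweep(SAMPLE_PATHS)
    for path, (kind, family) in found.items():
        print(f"{kind:15} {family:30} {path}")
    print("summary:", summarize(found))
```

On a real share, feed `sweep` the output of a recursive listing rather than the sample list; the extension hit count per directory also gives a rough timeline of how far the locker got before it was stopped, which is worth recording before any cleanup.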