Breach Monitoring News Feed

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting victim files and threatening public release of stolen data via a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. Encrypted files are appended with the .BlackHunt extension, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. The ransomware is capable of terminating processes, deleting shadow copies, and disabling recovery functions to maximize impact. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials from initial access brokers. While its activity level is smaller compared to major RaaS families, its leak site has featured victims from multiple countries, suggesting an international reach.

BlackMatter emerged in July 2021 and quickly positioned itself as the successor to DarkSide (responsible for the Colonial Pipeline attack). It operated as a Ransomware-as-a-Service (RaaS), adopting a double-extortion model—encrypting systems while exfiltrating sensitive data for publication on its leak site. BlackMatter targeted Windows and Linux/VMware ESXi systems, using ChaCha20 for file encryption with RSA-1024 public key protection. The malware appended a custom extension per victim and dropped ransom notes (README.txt) with Tor portal links. The group focused on large organizations in industries such as critical infrastructure, agriculture, technology, and manufacturing, but claimed to avoid hospitals, nonprofits, and government entities (though some reports contradict this). Initial access methods included exploitation of known vulnerabilities, stolen credentials from brokers, and phishing campaigns. BlackMatter ceased operations in November 2021 after reported pressure from law enforcement and possible member arrests.

Blackout surfaced in February 2024 and operates using a double-extortion model. Targets span sectors like healthcare, mining, telecommunications, and food & beverage—in countries including France, Canada, Mexico, Croatia, and Spain. This ransomware employs conventional cryptographic techniques (details unspecified), appends a custom extension to encrypted files, and presents victims with ransom demands via a Tor-based leak/negotiation site. The operation runs as a crypto-ransomware and data broker, combining extortion with data publication threats.

BlackShadow is a state-aligned cybercrime group reportedly linked to Iran’s cyber operations, first identified in late 2020. Their operations blend data exfiltration with ransom threats, notably targeting Israeli organizations such as Cyberserve—a web hosting provider—and leaking data to inflict reputational damage. Victims included entities like Atraf (an LGBTQ dating app), tour booking services, and museums, reflecting political or ideological motivations over financial gain. Despite carrying out extortion, there is no evidence that BlackShadow employs typical encryption-based ransomware mechanics; instead, they leverage stolen data and the threat of public exposure.

aka black shrantac

BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began recruiting affiliates on underground forums with an unusually low revenue share of 15%. It primarily targets home users rather than large enterprises and does not maintain a public leak site. Built on the Chaos ransomware code base, it features both file encryption and a cryptocurrency clipper module to steal funds from victims. The ransomware is developed in .NET and includes safeguards to avoid execution in Turkish or Azerbaijani environments, suggesting geographic targeting preferences. Infections result in encrypted files and ransom notes instructing victims to make contact via email for payment negotiations. The group’s operational scale and visibility remain limited compared to major RaaS families.

BlueSky ransomware first emerged in July 2022 and is characterized by aggressive, high-speed file encryption using a multithreaded architecture. Written with code elements reminiscent of Conti v3, it encrypts files using ChaCha20 secured with RSA‑4096, and further employs Curve25519 for key agreement. Delivery commonly comes through trojanized downloads from risky websites (e.g., “crack” or “keygen” hosts) or phishing emails. The malware also spreads laterally via SMB and evades detection by hiding threads using NtSetInformationThread. Once deployed, it renames encrypted files with the .bluesky extension and drops ransom notes in both HTML and TXT formats. Unlike double-extortion threats, BlueSky does not operate a public leak site and appears focused solely on disrupting file access. Observed activity spans large enterprises to SMBs, but the volume of attacks remained relatively low through early 2023.