Black Nevas is a ransomware threat group that emerged in 2024 and has been publicly associated with extortion activity against organizations across multiple sectors and geographies. It is commonly referenced under the names Black Nevas, blacknevas, and black_nevas. The group has been observed claiming victims in public leak-site style disclosures, indicating a financially motivated ransomware and data-extortion operating model. Available reporting places Black Nevas among the newer ransomware actors that became active during the broader expansion and fragmentation of the ransomware ecosystem in 2024 and 2025. It has been listed alongside other active extortion groups targeting enterprises internationally, including organizations in Asia and the Middle East. Publicly attributed victim claims indicate activity against corporate targets rather than a narrowly specialized vertical. High-confidence open reporting on Black Nevas remains limited. Based on currently available information, it is best characterized as a ransomware/extortion group rather than a clearly attributed nation-state actor. There is insufficient corroborated public detail to confidently describe its malware lineage, initial access preferences, affiliate structure, or distinctive tradecraft beyond its role in ransomware victimization and public naming of victims. No reliable public evidence in the available material supports a firm attribution to a specific country, intelligence service, or larger umbrella operation. Black Nevas should therefore be tracked as an emerging ransomware actor with public victim-claim activity and apparent opportunistic targeting across regions, including reported attacks affecting organizations in South Korea-related reporting and Saudi Arabia-based entities.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against L’azurde, a jewelry manufacturer and retailer in Saudi Arabia.
Black Nevas is a ransomware group that has been active in attacking Korean companies in 2025.
Named as a new ransomware variant/gang emerging in 2024 and associated with victim claims posted in August 2024.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.