BlackShrantac is a data-theft extortion group active since at least September 2025. Rather than emphasizing file encryption, the group is primarily associated with stealing large volumes of corporate data and coercing victims into paying to prevent public disclosure. It has been tracked as a ransomware-related actor because it operates through a leak-site-driven extortion model similar to other contemporary ransomware crews. BlackShrantac appears to target organizations opportunistically across multiple sectors and geographies, including victims in North America, Europe, Asia, the Middle East, and Africa. Reported victimology indicates a preference for enterprises holding substantial quantities of sensitive business or personal data, with observed cases affecting manufacturing, technology, transportation, cybersecurity, and other commercial organizations. Activity against South Korean entities and other Asian targets has also been noted. Observed tradecraft includes phishing with malicious attachments and supply-chain compromise for initial access. Reported post-compromise behavior includes use of command and scripting interpreters such as PowerShell, Windows command shell, and Bash; persistence via scheduled tasks and startup or run-key modifications; and large-scale data exfiltration as the core monetization mechanism. Insecure remote access exposure has also been cited as a possible intrusion vector. A notable behavioral hallmark is anomalous outbound transfer of large data volumes preceding extortion. BlackShrantac is commonly referenced under the names BlackShrantac, Black Shrantac, blackshrantac, and black_shrantac. It emerged during a period of rapid proliferation of new ransomware and extortion brands in 2025 and has been listed alongside other active leak-site operators such as Qilin, RansomHouse, Akira, Clop, DragonForce, INC, NightSpire, PEAR, and Devman. High-confidence reporting supports its characterization as an extortion-focused cybercriminal group with global reach and a primary emphasis on data theft and public-leak pressure rather than classic encryption-led ransomware operations.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware group highlighted for a manufacturing-sector attack in Japan that resulted in a large data breach.
Data-theft extortion group that focuses on stealing large volumes of data and demanding payment to prevent public release rather than encrypting victim files.
BlackShrantac is a ransomware group targeting technology and telematics providers in Australia, exfiltrating company data for extortion.
BlackShrantac is mentioned as an active ransomware group in November 2025.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.