Skip to content
Ransomware group

blackfield

BlackField is a ransomware and extortion threat actor that emerged publicly by at least October 2023 and was later observed claiming ransomware intrusions in 2026.

Profile source: Mallory opens in a new tab

blackfield

Family profile

BlackField is a ransomware and extortion threat actor that emerged publicly by at least October 2023 and was later observed claiming ransomware intrusions in 2026. The actor has presented itself under the names BlackField and blackfield. Available reporting indicates activity spanning both politically themed data-leak claims and financially motivated ransomware operations, but the extent to which these represent a single cohesive group, a rebrand, or opportunistic use of the name is not fully established.

BlackField is known for double-extortion behavior: claiming to encrypt systems while also stealing data and threatening publication or sale of the exfiltrated material unless a ransom is paid. In reported incidents, the group publicly advertised stolen datasets, set negotiation deadlines, and offered paid delays to postpone publication, reflecting a pressure-based extortion model common to modern ransomware operations. Claimed victim data categories have included employee, financial, procurement, manufacturing, legal, and IT-related records.

A prominent attributed operation targeted Nidec Chaun Choung Technology Corporation, a Taiwanese subsidiary of Japan-based Nidec Corporation, in June 2026. In that incident, BlackField claimed to have compromised the subsidiary’s IT environment, stolen a large volume of corporate data, and demanded a multimillion-dollar ransom while also offering the data for sale. Public reporting on that case indicates emergency shutdown of affected servers and networks by the victim and investigation into possible operational and information-security impact. Reported tactics associated with the incident included data encrypted for impact, exfiltration over a command-and-control channel, use of valid accounts, and inhibiting system recovery.

Additional 2026 victim claims attributed to BlackField include organizations in Taiwan and Brazil, indicating opportunistic cross-sector and cross-region targeting rather than a narrowly specialized victimology. Observed victims include manufacturing-related entities, but current information is insufficient to conclude that the group focuses exclusively on any single industry.

Separate reporting from October 2023 linked the name blackfield to a claim involving possession of personal data belonging to Israeli military and security personnel during the Israel-Hamas conflict. That activity aligns more closely with hacktivist or politically motivated leak operations than with conventional ransomware monetization. Because corroboration is limited, the relationship between that 2023 activity and the later ransomware operations remains unclear.

BlackField should therefore be tracked primarily as an emerging ransomware extortion actor, with possible overlap or branding ambiguity involving earlier politically charged data-leak claims. High-confidence characteristics include public victim shaming, alleged large-scale data theft, ransom-based coercion, sale offers for stolen information, and deadline-driven double extortion.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.