Black Nevas is a ransomware threat group that emerged in 2024 and has been publicly associated with extortion activity against organizations across multiple sectors and geographies. It is commonly referenced under the names Black Nevas, blacknevas, and black_nevas. The group has been observed claiming victims in public leak-site style disclosures, indicating a financially motivated ransomware and data-extortion operating model.
Available reporting places Black Nevas among the newer ransomware actors that became active during the broader expansion and fragmentation of the ransomware ecosystem in 2024 and 2025. It has been listed alongside other active extortion groups targeting enterprises internationally, including organizations in Asia and the Middle East. Publicly attributed victim claims indicate activity against corporate targets rather than a narrowly specialized vertical.
High-confidence open reporting on Black Nevas remains limited. Based on currently available information, it is best characterized as a ransomware/extortion group rather than a clearly attributed nation-state actor. There is insufficient corroborated public detail to confidently describe its malware lineage, initial access preferences, affiliate structure, or distinctive tradecraft beyond its role in ransomware victimization and public naming of victims. No reliable public evidence in the available material supports a firm attribution to a specific country, intelligence service, or larger umbrella operation.
Black Nevas should therefore be tracked as an emerging ransomware actor with public victim-claim activity and apparent opportunistic targeting across regions, including reported attacks affecting organizations in South Korea-related reporting and Saudi Arabia-based entities.