Skip to content
Ransomware group

BlackShrantac

BlackShrantac is a data-theft extortion group active since at least September 2025.

Profile source: Mallory opens in a new tab

BlackShrantac

Family profile

BlackShrantac is a data-theft extortion group active since at least September 2025. Rather than emphasizing file encryption, the group is primarily associated with stealing large volumes of corporate data and coercing victims into paying to prevent public disclosure. It has been tracked as a ransomware-related actor because it operates through a leak-site-driven extortion model similar to other contemporary ransomware crews.

BlackShrantac appears to target organizations opportunistically across multiple sectors and geographies, including victims in North America, Europe, Asia, the Middle East, and Africa. Reported victimology indicates a preference for enterprises holding substantial quantities of sensitive business or personal data, with observed cases affecting manufacturing, technology, transportation, cybersecurity, and other commercial organizations. Activity against South Korean entities and other Asian targets has also been noted.

Observed tradecraft includes phishing with malicious attachments and supply-chain compromise for initial access. Reported post-compromise behavior includes use of command and scripting interpreters such as PowerShell, Windows command shell, and Bash; persistence via scheduled tasks and startup or run-key modifications; and large-scale data exfiltration as the core monetization mechanism. Insecure remote access exposure has also been cited as a possible intrusion vector. A notable behavioral hallmark is anomalous outbound transfer of large data volumes preceding extortion.

BlackShrantac is commonly referenced under the names BlackShrantac, Black Shrantac, blackshrantac, and black_shrantac. It emerged during a period of rapid proliferation of new ransomware and extortion brands in 2025 and has been listed alongside other active leak-site operators such as Qilin, RansomHouse, Akira, Clop, DragonForce, INC, NightSpire, PEAR, and Devman. High-confidence reporting supports its characterization as an extortion-focused cybercriminal group with global reach and a primary emphasis on data theft and public-leak pressure rather than classic encryption-led ransomware operations.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • EFE1A6E5C8AF91FB1EA3A170823F5E69A85F866CF33A4370EC467474916941042E29C2EA4930

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.