Marlink has identified Black Shrantac as a rapidly evolving ransomware group that has been active since September 2025, highlighting a significant shift in how modern cybercriminals conduct attacks. The group is increasingly relying on legitimate administrative tools and existing enterprise infrastructure to infiltrate networks, evade detection, and execute high-impact operations.
According to the analysis, Black Shrantac primarily uses a double extortion model, in which attackers first steal sensitive data before encrypting systems. Victims are then pressured to pay not only for decryption but also to prevent public exposure of stolen information. The group maintains a leak site on the Tor network, where it publishes victim details and partial data to increase pressure during negotiations.
A key aspect of Black Shrantac’s operations is its ability to exploit critical vulnerabilities, including CVE-2024-3400, a severe flaw affecting Palo Alto Networks PAN-OS GlobalProtect devices. By targeting unpatched systems at the network perimeter, the attackers gain initial access and then implant malicious software disguised as legitimate updates. This tactic effectively turns trusted infrastructure into a delivery mechanism for compromise.
Once inside a network, the group adopts a “living-off-the-land” approach, using widely available tools such as remote access software and system utilities to blend into normal administrative activity. This reduces the likelihood of detection, as the tools themselves are commonly used in enterprise environments. The attackers also establish multiple persistence mechanisms, including creating new domain accounts and deploying legitimate remote management applications to maintain long-term access.
Marlink’s findings indicate that Black Shrantac conducts extensive reconnaissance using lightweight network scanning tools and moves laterally across systems using protocols such as Remote Desktop Protocol (RDP) and SMB-based utilities. The group also leverages built-in Windows tools to extract credentials and escalate privileges without triggering traditional security alerts.
Before launching ransomware, the attackers systematically disable security controls, including endpoint protection systems, and manipulate system logs to limit forensic visibility. The final stage involves deploying multiple encryption payloads simultaneously to maximize disruption. The ransomware uses a combination of AES-256 and RSA encryption, while ransom notes are written in a business-like tone, offering proof-of-decryption to build credibility. Importantly, the report emphasizes that paying a ransom does not guarantee that stolen data will remain private, underscoring the long-term risks of such attacks. Black Shrantac’s opportunistic targeting across industries including finance, manufacturing, and the public sector demonstrates its broad operational scope.
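The behaviours summarised above (new domain accounts for persistence, RDP fan-out for lateral movement, endpoint protection being stopped, and event logs being cleared) all leave traces in standard Windows event records, which is where a defender's detection logic belongs. The following Python script is an added example, not code from the original article or from Marlink's report: it runs a handful of simple correlation rules over constructed sample events. The Windows event IDs used (4720 account created, 4624 logon with logon type 10 for RDP, 7036 service state change, 1102 audit log cleared) are the standard ones; the flat field names, the service names treated as security tooling, and the fan-out threshold are assumptions to be adapted to a real SIEM export.

```python
"""Triage Windows event records for the living-off-the-land indicators
described in the Marlink summary: account creation, RDP fan-out,
security services being stopped, and audit logs being cleared.

Added example, not part of the original article or of Marlink's report.
All events below are CONSTRUCTED. The flat key names are an assumption
about how a SIEM exports records; real exports differ per product.
"""
from typing import Dict, Iterable, List

# Constructed sample records (one dict per event), deliberately mixing
# a benign interactive logon with the suspicious sequence.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-11-03T01:12:09Z", "host": "DC01", "channel": "Security",
     "event_id": "4720", "subject": "CORP\\svc-backup", "target": "CORP\\itsupport2"},
    {"ts": "2025-11-03T01:14:31Z", "host": "FS02", "channel": "Security",
     "event_id": "4624", "logon_type": "10", "subject": "CORP\\itsupport2", "src_ip": "10.20.5.17"},
    {"ts": "2025-11-03T01:15:02Z", "host": "FS03", "channel": "Security",
     "event_id": "4624", "logon_type": "10", "subject": "CORP\\itsupport2", "src_ip": "10.20.5.17"},
    {"ts": "2025-11-03T01:15:40Z", "host": "FS04", "channel": "Security",
     "event_id": "4624", "logon_type": "10", "subject": "CORP\\itsupport2", "src_ip": "10.20.5.17"},
    {"ts": "2025-11-03T01:40:11Z", "host": "FS02", "channel": "System",
     "event_id": "7036", "service": "Sense", "state": "stopped"},
    {"ts": "2025-11-03T01:41:55Z", "host": "FS02", "channel": "Security",
     "event_id": "1102", "subject": "CORP\\itsupport2"},
    {"ts": "2025-11-03T09:02:00Z", "host": "WS11", "channel": "Security",
     "event_id": "4624", "logon_type": "2", "subject": "CORP\\alice", "src_ip": "-"},
]

# Tunable assumptions: how many distinct hosts one account may reach over
# RDP before it looks like lateral movement, and which service names count
# as endpoint protection in this (hypothetical) environment.
RDP_FANOUT_HOSTS = 3
SECURITY_SERVICES = {"Sense", "WinDefend", "MsMpEng"}


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert dict per matched rule, in detection order.

    Per-event rules fire immediately; the RDP fan-out rule needs the whole
    batch and is emitted last, with raised severity when the account doing
    the fan-out was created in the same batch (persistence + movement).
    """
    alerts: List[Dict[str, str]] = []
    new_accounts = set()
    rdp_hosts: Dict[str, set] = {}  # account -> destination hosts reached over RDP

    for ev in events:
        eid = ev.get("event_id")
        if eid == "4720":  # a user account was created
            new_accounts.add(ev["target"])
            alerts.append({"rule": "new_domain_account", "severity": "medium",
                           "host": ev["host"], "account": ev["target"],
                           "detail": f"created by {ev['subject']} at {ev['ts']}"})
        elif eid == "4624" and ev.get("logon_type") == "10":  # RemoteInteractive = RDP
            rdp_hosts.setdefault(ev["subject"], set()).add(ev["host"])
        elif (eid == "7036" and ev.get("state") == "stopped"
              and ev.get("service") in SECURITY_SERVICES):  # EDR/AV service stopped
            alerts.append({"rule": "security_service_stopped", "severity": "high",
                           "host": ev["host"], "account": "-",
                           "detail": f"service {ev['service']} stopped at {ev['ts']}"})
        elif eid == "1102":  # the audit log was cleared
            alerts.append({"rule": "audit_log_cleared", "severity": "high",
                           "host": ev["host"], "account": ev.get("subject", "-"),
                           "detail": f"Security log cleared at {ev['ts']}"})

    for account, hosts in rdp_hosts.items():
        if len(hosts) >= RDP_FANOUT_HOSTS:
            severity = "high" if account in new_accounts else "medium"
            alerts.append({"rule": "rdp_fanout", "severity": severity,
                           "host": "-", "account": account,
                           "hosts": ",".join(sorted(hosts)),
                           "detail": f"RDP to {len(hosts)} hosts"
                                     + (" by newly created account" if account in new_accounts else "")})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['rule']:25} {alert['account']:18} {alert['detail']}")
```

The point of correlating the 4720 event with the later RDP fan-out is that each event on its own is routine administrative activity, which is exactly why a living-off-the-land intrusion evades single-event alerting; the sequence is what stands out. The 1102 and 7036 rules are the cheapest early warnings that the pre-encryption stage described above is underway, and they are worth forwarding off-host so that clearing the local log does not also erase the alert.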
Marlink concludes that the group’s disciplined use of legitimate tools and structured attack methodology reflects a high level of maturity. As ransomware tactics continue to evolve, organizations are being urged to strengthen foundational security measures such as patching, identity management, network segmentation, and backup integrity to reduce exposure and improve resilience against such threats.