BlackNevas

BlackNevas (also known as Trial Recovery or Trial_recovery) is a ransomware group active since September 2024, a direct derivative of Trigona ransomware code with a possible additional technical ancestor in the CryLock family (unconfirmed). Its threat level according to Halcyon AI is 7.3/10.

It operates without a RaaS model, with payloads for Windows (32/64-bit), Linux (32/64-bit), ARM, NAS and VMware ESXi. It does not manage its own Data Leak Site — leak pressure is delegated through a network of six partners: Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, Mad Liberator and MADDLL32, with data broker HumOR.

Extortion goes far beyond “pay or we publish”: it includes data auctions, doxxing, leaking of negotiations, legal assistance and direct contact with the victim's clients. Standard deadline: 7 days.

Attack Summary

Phase              | Description
-------------------|---------------------------------------------------------------------------
Initial Access     | CVE-2021-40539 (ManageEngine, CVSS 9.8) or RDP/MSSQL brute force or spear-phishing
Reconnaissance     | Drive enumeration A–Z, network share discovery (SMB)
Credential Access  | DCSync + Mimikatz LSASS + WDigest registry + Veeam credentials via PostgreSQL
RAT Installation   | MeshAgent (wvspbind.exe), AnyDesk, AteraAgent, ScreenConnect, TeamViewer, LogMeIn
Lateral Movement   | SMB (/-lan), PSEXEC/PAEXEC, Bitvise SSH for ESXi
Exfiltration       | Rclone as system.exe → MEGA + PCloud
Persistence        | Registry Run Keys, sys/sys1 accounts, MeshAgent/AnyDesk auto-start services
Impact             | Encryption + Shadow Copy deletion + Disk Wipe (/wipe) + self-deletion (/delete)
Extortion          | 7 days, multi-million, 6 leak partners

Initial Access

The most common vector is exploitation of CVE-2021-40539 — a REST API authentication bypass with RCE in Zoho ManageEngine ADSelfService Plus (CVSS 9.8, on the CISA KEV catalogue) that requires no prior credentials. Documented alternatives: brute force against exposed MSSQL and RDP, and spear-phishing campaigns.

Once inside, the escalation phase uses CVE-2024-37085: by creating the domain group ESX Admins (via net.exe /domain), any member gains full administrator privileges on VMware ESXi hosts without additional authentication.

Credential Access

What distinguishes BlackNevas at this phase is the variety of techniques combined:

  • DCSync against Domain Controllers to extract credential hashes (T1003.006)
  • Mimikatz for dumping credentials from LSASS memory (T1003.001)
  • WDigest registry modification (UseLogonCredential=1) so that credentials are stored in plaintext
  • Veeam Backup credential extraction directly from the PostgreSQL database

Remote Access Tools (no RAT of its own)

BlackNevas does not deploy its own RAT. Instead it abuses legitimate RMM tools that go unnoticed in many corporate environments:

  • MeshAgent — deployed as the service wvspbind.exe, hidden from Control Panel via registry modification
  • AteraAgent — installed via MSI, persists as an auto-start service
  • SplashTop, ScreenConnect, AnyDesk, LogMeIn, TeamViewer

BlackNevas has no post-encryption C2 of its own. The C2 infrastructure observed during active intrusions is based in France.

Exfiltration

Data is stolen before encryption to sustain double extortion. Documented method: Rclone (frequently renamed system.exe) syncing to MEGA and PCloud. The focus is on shared drives and file servers holding sensitive corporate data.

Persistence

  • Registry Run Keys pointing to non-standard paths (T1547.001)
  • Payload configuration embedded in the binary’s resource section (CFGS)
  • Local sys or sys1 accounts added to local Administrators and Remote Desktop Users (T1136.001)
  • MeshAgent and AnyDesk installed as auto-start services

Encryption

Files are encrypted with AES-256-OFB using a unique IV per file. The 32-byte master key is stored in the file footer, encrypted first with AES-CBC and then with RSA-4112. The ESXi variant specifically targets .vmdk and .vmsn files under /vmfs.

Encrypted files are renamed using one of the following patterns:

  • trial-recovery.[random].[random]-ENCRYPTED
  • trial-recovery.[random].[random]-encrypted
  • trial-recovery.[random].[random]-erased

Ransom note: how_to_decrypt.txt.

Impact and Destruction

The impact phase is deliberately destructive beyond encryption:

  • Shadow Copy deletion — removes all restore points before encryption
  • Disk Wipe — the /wipe and /wipeonly parameters fill the disk to cause system instability (T1561.001)
  • Payload self-deletion via the /delete parameter to erase forensic artefacts

Victims and Geography

Halcyon AI documents 12 known victims and 28 identified SHA-256 samples. Contrary to initial belief, the primary focus is the META region (Middle East, Turkey and Africa — especially UAE and Qatar), where most victims chose to pay. Secondary focus: Asia-Pacific, Western Europe and North America.

Sources

  • Halcyon AI Threat Group — BlackNevas
  • WatchGuard Ransomware Tracker — BlackNevas
  • SentinelOne Anthology — BlackNevas
  • ASEC AhnLab — BlackNevas Ransomware Analysis
  • HivePro Threat Advisory — BlackNevas

Target Sectors

Sectors in which the BlackNevas group has concentrated its attacks.

High-value assets, regulatory pressure and low tolerance for downtime make financial institutions a priority target. BlackNevas threatens to leak data to partners such as Kill Security or DragonForce if the ransom is not paid.

The criticality of telecom services and privileged access to customer networks make these environments especially attractive for double extortion.

Environments with legacy Windows systems, poor OT/IT segmentation and frequent exposure of RDP are ideal ground for BlackNevas propagation.

The sensitivity of patient data and the dependency on critical 24/7 systems increase the likelihood of ransom payment in healthcare organisations.

Law firms and consultancies handle highly confidential data from multiple clients, raising the reputational impact of a leak and maximising the attacker's negotiating leverage.

Detection & Response Rules

Rules ready to import into SentinelOne XDR. Contact us for full access to the updated repository.

Detects the creation of the 'ESX Admins' group via net.exe or PowerShell. CVE-2024-37085 allows any member of this group to obtain full administrator privileges on VMware ESXi hosts without additional authentication.

S1QL v2
event.type = "Process Creation"
AND (
  (tgt.process.name in ("net.exe", "net1.exe")
    AND tgt.process.cmdline contains:anycase "group"
    AND tgt.process.cmdline contains:anycase "ESX Admins"
    AND tgt.process.cmdline contains:anycase "\/add"
    AND tgt.process.cmdline contains:anycase "\/domain")
  OR (tgt.process.name in ("powershell.exe", "pwsh.exe")
    AND tgt.process.cmdline contains:anycase "ESX Admins")
)

Detects Windows security events (AD) for creation or modification of groups named 'ESX Admins'. Covers event IDs 4727/4728/4731/4737/4754/4755/4756.

S1QL v2
# NOTE: This detection requires Windows Security logs (AD) — not available in SentinelOne S1QL
# Implement in SIEM with EventID 4727/4728/4731/4737/4754/4755/4756 + keyword "ESX Admins"
# Alternative S1QL (group creation via process):
event.type = "Process Creation"
AND tgt.process.cmdline contains:anycase "ESX Admins"

Detects the use of esxcli to kill VMs before encrypting volumes. BlackNevas stops all active VMs on ESXi to free .vmdk disks before executing the encryption payload.

S1QL v2
event.type = "Process Creation"
AND tgt.process.image.path endswith '/esxcli'
AND tgt.process.cmdline contains 'vm process'
AND tgt.process.cmdline contains 'kill'

Detects deletion or resizing of Shadow Copies using vssadmin, wmic, diskshadow, wbadmin or bcdedit. BlackNevas removes restore points before encryption to prevent recovery without paying.

S1QL v2
event.type = "Process Creation"
AND (
  (tgt.process.name in ("powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "diskshadow.exe")
    AND tgt.process.cmdline contains:anycase "shadow"
    AND tgt.process.cmdline contains:anycase "delete")
  OR (tgt.process.name = "wbadmin.exe"
    AND tgt.process.cmdline contains:anycase "delete catalog")
  OR (tgt.process.name = "bcdedit.exe"
    AND tgt.process.cmdline contains:anycase "recoveryenabled no")
  OR (tgt.process.name = "bcdedit.exe"
    AND tgt.process.cmdline contains:anycase "bootstatuspolicy ignoreallfailures")
)

Detects writes to Run/RunOnce keys pointing to suspicious paths (AppData, Temp, Downloads). BlackNevas persists via Run Keys with binaries in non-standard locations.

S1QL v2
event.type in ("Registry Value Create", "Registry Value Modified")
AND (
  registry.keyPath contains '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
  OR registry.keyPath contains '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'
  OR registry.keyPath contains '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'
)
AND (
  registry.value contains '\\AppData\\'
  OR registry.value contains '\\Temp\\'
  OR registry.value contains '\\Downloads\\'
  OR registry.value contains '\\Users\\Public\\'
  OR registry.value contains '\\ProgramData\\'
)

Detects processes that write Run/RunOnce keys whose executable was launched from download or temporary folders. Indicator of post-phishing persistence installation.

S1QL v2
event.type in ("Registry Value Create", "Registry Value Modified")
AND (
  registry.keyPath contains '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
  OR registry.keyPath contains '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'
)
AND (
  src.process.image.path contains '\\Downloads\\'
  OR src.process.image.path contains '\\Temporary Internet Files\\'
  OR src.process.image.path contains '\\AppData\\Local\\Microsoft\\Olk\\Attachments\\'
)

Detects failed login attempts on SQL Server (EventID 18456). BlackNevas brute-forces exposed MSSQL as an initial access vector. Low individual severity; high severity at volume (>10 in 5 min).

S1QL v2
# NOTE: SentinelOne S1QL does not index Windows Application Log events (MSSQL EventID 18456)
# Implement in SIEM with Windows Event Forwarding integration
# Alternative S1QL — detect sqlservr.exe network connections. The query alone matches every
# connection; apply the >10-in-5-minutes volume threshold in the rule's aggregation settings.
event.type = "IP Connect"
AND tgt.process.name = "sqlservr.exe"

Detects failed MSSQL login attempts from external (non-RFC1918) IPs. High fidelity — failed MSSQL login from the internet is a solid indicator of active reconnaissance or brute force.

S1QL v2
# NOTE: SentinelOne S1QL does not index Windows Application Log events (MSSQL EventID 18456)
# Implement in SIEM with Windows Event Forwarding integration
# Alternative S1QL — detect sqlservr.exe with connections from external IPs.
# For an inbound connection the remote peer is src.ip.address; dst.ip.address is the SQL host itself.
event.type = "IP Connect"
AND tgt.process.name = "sqlservr.exe"
AND NOT src.ip.address matches "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)"
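The two MSSQL rules above defer the volume threshold (>10 failures in 5 minutes) and the RFC1918 exclusion to the SIEM. As an added example that is not from the page or any vendor, here is that logic in Python over constructed EventID 18456 records; the record layout (timestamp, event_id, login, client_ip) and the severity labels are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # page: high severity at >10 failures ...
WINDOW = timedelta(minutes=5)  # ... within 5 minutes

# Same ranges as the regex in the S1QL rule above (RFC1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    """True when the client address is outside the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_mssql_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of MSSQL EventID 18456 failures per client IP.
    Emits one (client_ip, severity, failures_in_window) alert per source the first
    time it exceeds `threshold` within `window`. Events must be chronological."""
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    alerts, alerted = [], set()
    for ts, event_id, _login, ip in events:
        if event_id != 18456:     # only "Login failed" events count
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerted:
            alerted.add(ip)       # external sources are the high-fidelity case
            alerts.append((ip, "high" if is_external(ip) else "medium", len(q)))
    return alerts

def _failures(ip, start, count, step_s):
    """Build `count` constructed 18456 records from `ip`, `step_s` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), 18456, "sa", ip)
            for i in range(count)]

# Constructed sample: an external source hammering 'sa', an internal host retrying
# slowly enough never to exceed the threshold, and a low-volume external source.
SAMPLE_EVENTS = sorted(
    _failures("203.0.113.7", "2025-01-10T09:00:00", 12, 10)
    + _failures("10.0.0.5", "2025-01-10T09:00:05", 12, 120)
    + _failures("198.51.100.9", "2025-01-10T09:01:00", 3, 30)
)

if __name__ == "__main__":
    print(detect_mssql_bruteforce(SAMPLE_EVENTS))  # [('203.0.113.7', 'high', 11)]
```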

Detects execution of NetScan (SoftPerfect) and Nmap. BlackNevas uses these scanners to map the internal network and locate SMB shares, RDP hosts and ESXi before moving laterally.

S1QL v2
event.type = "Process Creation"
AND (
  tgt.process.name in ("netscan.exe", "nmap.exe")
  OR tgt.process.publisher contains:anycase "SoftPerfect Pty. Ltd."
  OR tgt.process.publisher contains:anycase "Nmap Software LLC"
)

Detects the creation on disk of a file containing 'netscan' in its path. Attackers typically download NetScan to temporary or user directories before executing it.

S1QL v2
event.type = "File Creation"
AND tgt.file.path contains:anycase "netscan"

Detects MeshAgent (wvspbind.exe in BlackNevas) launching cmd.exe or PowerShell. Indicates use of the MeshCentral/MeshAgent channel for remote command execution during an active intrusion.

S1QL v2
event.type = "Process Creation"
AND (src.process.image.path endswith 'meshagent.exe'
  OR src.process.image.path endswith 'wvspbind.exe')
AND (tgt.process.image.path endswith 'cmd.exe'
  OR tgt.process.image.path endswith 'powershell.exe'
  OR tgt.process.image.path endswith 'pwsh.exe')

Detects execution of renamed MeshAgent (BlackNevas deploys it as wvspbind.exe, hidden from Control Panel). The --meshServiceName parameter reveals the binary regardless of the executable name.

S1QL v2
event.type = "Process Creation"
AND tgt.process.cmdline contains '--meshServiceName'
AND NOT tgt.process.image.path endswith 'meshagent.exe'
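The 'ESX Admins' group-creation rule, the Shadow Copy rule and the renamed-MeshAgent rule above share one shape: a process name plus command-line keywords. As an added example that is not from the page or any vendor, here they are re-expressed as Python predicates and run over constructed process-creation events, so the match logic can be unit-tested before the S1QL is deployed; the event field names ("image", "cmdline") and the rule names are assumptions.

```python
import ntpath

RULES = {}

def rule(name):
    """Register a predicate under a rule name so evaluate() can run them all."""
    def register(fn):
        RULES[name] = fn
        return fn
    return register

def _parts(ev):
    """Lower-cased executable name and command line (mirrors contains:anycase)."""
    return ntpath.basename(ev["image"]).lower(), ev["cmdline"].lower()

@rule("esx_admins_group_creation")   # CVE-2024-37085: 'ESX Admins' via net.exe or PowerShell
def esx_admins(ev):
    name, cmd = _parts(ev)
    if name in ("net.exe", "net1.exe"):
        return all(k in cmd for k in ("group", "esx admins", "/add", "/domain"))
    return name in ("powershell.exe", "pwsh.exe") and "esx admins" in cmd

@rule("shadow_copy_tampering")       # restore-point removal before encryption
def shadow_copy(ev):
    name, cmd = _parts(ev)
    if name in ("powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "diskshadow.exe"):
        return "shadow" in cmd and "delete" in cmd
    if name == "wbadmin.exe":
        return "delete catalog" in cmd
    return name == "bcdedit.exe" and (
        "recoveryenabled no" in cmd or "bootstatuspolicy ignoreallfailures" in cmd)

@rule("renamed_meshagent")           # --meshServiceName from a binary not named meshagent.exe
def renamed_meshagent(ev):
    name, cmd = _parts(ev)
    return "--meshservicename" in cmd and name != "meshagent.exe"

def evaluate(events):
    """Return (rule_name, image_path) for every rule each event triggers."""
    return [(n, ev["image"]) for ev in events for n, fn in RULES.items() if fn(ev)]

# Constructed events: four that should fire, two benign look-alikes that should not.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "ESX Admins" /add /domain'},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"image": r"C:\ProgramData\wvspbind\wvspbind.exe", "cmdline": "wvspbind.exe --meshServiceName=wvspbind"},
    {"image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "cmdline": "MeshAgent.exe --meshServiceName=Mesh Agent"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```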

Detects installation of MeshAgent as a Windows service (SCM EventID 7045). BlackNevas installs MeshAgent as an auto-start service for persistence.

S1QL v2
# NOTE: SentinelOne S1QL does not index Windows System Log (SCM EventID 7045)
# Implement in SIEM with Provider=Service Control Manager + EventID 7045
# Alternative S1QL — detect service installation by process:
event.type = "Process Creation"
AND tgt.process.cmdline contains:anycase "--meshServiceName"

Detects execution of AnyDesk. Used by BlackNevas as an alternative C2 channel during active intrusion alongside MeshAgent. Low individual fidelity — contextualise with other alerts.

S1QL v2
event.type = "Process Creation"
AND (tgt.process.name in ("AnyDesk.exe", "AnyDeskMSI.exe")
  OR tgt.process.displayName contains:anycase "AnyDesk"
  OR tgt.process.publisher contains:anycase "AnyDesk Software GmbH"
  OR src.process.publisher contains:anycase "AnyDesk Software GmbH")

Detects AteraAgent installation via MSI (EventID 1033). BlackNevas installs AteraAgent as an alternative RMM to maintain persistent remote access.

S1QL v2
# NOTE: SentinelOne S1QL does not index Windows Application Log (MSI EventID 1033)
# Implement in SIEM with Provider=MsiInstaller + EventID 1033 + Message contains AteraAgent
# Alternative S1QL — detect agent installation or execution process:
event.type = "Process Creation"
AND (tgt.process.publisher contains:anycase "Atera Networks Ltd"
  OR src.process.publisher contains:anycase "Atera Networks Ltd"
  OR (tgt.process.name = "msiexec.exe"
    AND tgt.process.cmdline contains:anycase "AteraAgent")
  OR tgt.process.name = "AteraAgent.exe")

Detects execution of ScreenConnect/ConnectWise with access session parameters (e=Access&, y=Guest&). BlackNevas uses ScreenConnect as an additional remote access tool.

S1QL v2
event.type = "Process Creation"
AND tgt.process.cmdline contains 'e=Access&'
AND tgt.process.cmdline contains 'y=Guest&'
AND tgt.process.cmdline contains '&p='
AND tgt.process.cmdline contains '&c='
AND tgt.process.cmdline contains '&k='

Detects execution of TeamViewer. BlackNevas uses TeamViewer as an alternative remote access channel during active intrusion. Low individual fidelity — contextualise with other alerts.

S1QL v2
event.type = "Process Creation"
AND (tgt.process.name in ("TeamViewer.exe", "TeamViewer_Desktop.exe", "TeamViewer_Service.exe")
  OR tgt.process.publisher contains:anycase "TeamViewer Germany GmbH"
  OR src.process.publisher contains:anycase "TeamViewer Germany GmbH")

Detects execution of LMIGuardianSvc service (LogMeIn). BlackNevas uses LogMeIn as an additional remote access tool to maintain persistent C2.

S1QL v2
event.type = "Process Creation"
AND (tgt.process.displayName contains:anycase "LMIGuardianSvc"
  OR tgt.process.publisher contains:anycase "LogMeIn, Inc.")