Black Shrantac: inside the ransomware group weaponising legitimate tools against global organisations

A deep-dive into a ransomware operator that emerged in September 2025 and is rapidly expanding and consolidating its operations

Since its first confirmed appearance in September 2025, Black Shrantac has established itself as a credible and persistent ransomware threat targeting organisations across multiple industries and geographies. Unlike some ransomware groups that focus on a specific sector or region, Black Shrantac operates opportunistically - hitting wherever the conditions are right - and has claimed victims in manufacturing, financial services, technology, hospitality, the public sector and business services across different geographies.

What makes this group particularly noteworthy is not the novelty of its malware, but the discipline and operational sophistication of its intrusion playbook. Black Shrantac combines well-established attack techniques with a deliberate preference for legitimate commercial tools, making detection harder and attribution more complex. This post breaks down how the group operates, what defenders should watch for, and what organisations can do to reduce their exposure.

The double extortion model

Black Shrantac's core business model is double extortion. The attack unfolds in two stages: first, the group exfiltrates large volumes of sensitive data from the victim's environment; then it deploys ransomware to encrypt files and disrupt operations. The victim is subsequently presented with two simultaneous threats - pay to recover access to encrypted systems, and pay to prevent the stolen data from being published publicly.

To maximise pressure, the group operates a dedicated leak site on the Tor network where it publishes victim names, breach dates and sample data as proof of compromise. Partial data releases are used as a coercion mechanism against organisations that are slow to respond, a tactic that has become standard across the more professional ransomware operators.

Critically, paying the ransom does not guarantee that stolen data will not be leaked. Organisations that pay may recover their systems but still face the reputational and regulatory consequences of a public data exposure. This reality underscores why prevention and early detection are far more valuable than any post-compromise negotiation.

Communication with victims is conducted exclusively via Tox, a peer-to-peer encrypted messaging protocol that avoids more traceable channels and complicates law enforcement efforts to monitor or disrupt negotiations.

Initial access: exploiting the perimeter

Black Shrantac's intrusions begin at the network perimeter. The group has been observed exploiting CVE-2024-3400, a critical command injection vulnerability affecting Palo Alto Networks PAN-OS devices running the GlobalProtect gateway or portal. This vulnerability carries a CVSS score of 10.0 - the maximum - and allows an unauthenticated attacker to execute arbitrary operating system commands with root-level privileges. Affected devices were running PAN-OS 11.0.0, a version that reached end-of-life in November 2024 and for which no patches had been applied.

Once the perimeter device is compromised, the group employs a particularly clever supply-chain-style technique: it injects a trojanised GlobalProtect MSI installer into the firewall's own update portal. Administrators who subsequently download what they believe to be a legitimate software update are in fact executing a malicious package that installs the attacker's remote access tooling. This step is notable because it exploits trust - the victim's own infrastructure becomes the delivery mechanism.
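One defensive counterpart to this technique is a known-good manifest check on whatever the portal serves. The following is an added example in Python (not Marlink's, Palo Alto Networks' or any vendor's tooling): it records SHA-256 digests of the installer files at a trusted point in time, then flags any file that later appears, changes or disappears. The directory layout, file names such as `GlobalProtect64.msi`, and the file contents are constructed for the demonstration; a real manifest should be captured from a trusted source, stored off the device, and compared against vendor-published hashes where those exist.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_portal(root, known_good):
    """Compare the current portal contents against a trusted manifest.

    Returns sorted (kind, relative_path) findings: 'unexpected_file' for packages
    absent from the manifest, 'modified' for digest mismatches, 'missing' for
    files the manifest lists but the portal no longer serves.
    """
    current = build_manifest(root)
    findings = [("unexpected_file", name) for name in current if name not in known_good]
    findings += [("modified", name) for name, digest in current.items()
                 if name in known_good and known_good[name] != digest]
    findings += [("missing", name) for name in known_good if name not in current]
    return sorted(findings)


def demo():
    """Self-contained walkthrough on constructed files; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        portal = Path(tmp) / "portal"
        portal.mkdir()
        # Constructed placeholder installers standing in for the portal's real packages.
        (portal / "GlobalProtect64.msi").write_bytes(b"constructed known-good 64-bit installer")
        (portal / "GlobalProtect.msi").write_bytes(b"constructed known-good 32-bit installer")
        known_good = build_manifest(portal)  # captured at a trusted point in time
        # Simulated tampering: one package replaced in place, one new package dropped.
        (portal / "GlobalProtect64.msi").write_bytes(b"constructed replaced installer")
        (portal / "GlobalProtectUpdate.msi").write_bytes(b"constructed unexpected package")
        return verify_portal(portal, known_good)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:16s} {name}")
```

Build the manifest once from a trusted copy, keep it off the device, and rerun the comparison on a schedule and before administrators pull any installer; a `modified` or `unexpected_file` finding on an internet-facing portal is an incident to investigate, not configuration drift.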

Establishing a foothold: persistence and credential access

Following initial access, Black Shrantac moves quickly to establish multiple, redundant persistence mechanisms. The group deploys SimpleHelp - a legitimate commercial remote access tool - as a persistent Windows service, providing a reliable command-and-control channel that blends with normal administrative traffic. On some hosts, Net Monitor for Employees Agent, a commercial endpoint monitoring product, is additionally deployed and repurposed to maintain covert communication with attacker-controlled infrastructure.

The group also creates new domain accounts within the victim's Active Directory environment. The intention is to establish persistent credential footholds that allow the attacker to re-enter the environment even if other persistence mechanisms are discovered and removed. The flip side for defenders is that this is easy to alert on: the creation of an unexpected domain account is a straightforward, high-value detection.

On the credential access side, the group uses klist.exe - a native Windows utility - to enumerate active Kerberos sessions on compromised hosts, harvesting tickets for use in pass-the-ticket attacks. This living-off-the-land approach avoids deploying third-party credential dumping tools that would be more likely to trigger endpoint detection controls.

Moving through the network

Once inside, Black Shrantac conducts systematic internal reconnaissance using SoftPerfect Network Scanner, a portable commercial utility that requires no installation and leaves a minimal artefact footprint. Executed under legitimately credentialed domain accounts, this tool allows the group to map live hosts, open services and network topology before moving laterally.

Lateral movement relies on a combination of techniques. RDP is the primary vector, with connections established between domain controllers, servers and workstations under both actor-created and compromised accounts. PSExec is used for remote command execution over SMB. MightyViewer, a VNC-based remote control utility, provides interactive GUI access to compromised hosts. And SSHFS-Win combined with WinFsp allows the attacker to mount remote directories as local drives over SSH, enabling quiet file access without generating the traffic patterns typically associated with file transfer tools.

The consistent use of legitimate, commercially available tools across every phase of the attack is a deliberate evasion strategy. Each of these products has a plausible legitimate use case in an enterprise environment, which makes it harder to distinguish attacker activity from normal administrative operations.

Defence evasion: clearing the way

Before deploying ransomware, Black Shrantac systematically dismantles the victim's defences. Microsoft Defender real-time protection is disabled via PowerShell. Where third-party endpoint security products are present, the group executes vendor-supplied uninstallation utilities to fully remove them from compromised hosts - notably doing so under the previously created domain account, demonstrating the direct operational link between account creation and defence evasion.

Windows event logs are manipulated to limit forensic visibility, and encryptor binaries are renamed with generic filenames to evade signature-based detection controls that rely on static filename or hash matching.

Ransomware deployment

The final stage of the attack is the deployment of the ransomware payload itself. Black Shrantac uses multiple encryptor binaries executed simultaneously via both manual launch and scheduled tasks, a redundancy measure designed to maximise encryption coverage if any single execution pathway is blocked. The primary encryptor binary follows a naming convention suggesting it is engineered to execute without requiring administrative privileges, widening the range of hosts it can affect.

The encryptor uses a combination of asymmetric and symmetric encryption for file content: it ships with an embedded RSA public key, and the symmetric part is performed with AES-256. Encrypted files are renamed with randomised names and given either a .shrt or .shrtt extension. A ransom note named shrt.readme.html is dropped in affected directories. The desktop wallpaper is replaced with a black screen bearing the message "ALL YOUR DATA ENCRYPTED". Persistence for the encryptor is achieved via a scheduled task masquerading as a OneDrive update job running under the SYSTEM account.

The ransom note itself is framed in quasi-commercial language, presenting the intrusion as a business transaction and offering proof-of-decryption for a small number of non-critical files as a confidence-building measure - a pattern consistent with established ransomware playbooks.

Legitimate tools

The following legitimate tools were used by the threat actor:

| Tool | Type | How the threat actor used it |
|---|---|---|
| SimpleHelp | Commercial RMM / remote-access tool | Deployed via malicious MSI, runs as SimpleService.exe, provides persistent C2 channel and file-system tunneling. |
| Net Monitor for Employees Agent | Commercial endpoint-monitoring agent | Installed on server and workstations to maintain covert communication and exfiltrate telemetry. |
| MightyViewer (v1.4.14) | Commercial VNC-based remote-control client | Executed on server to obtain interactive GUI sessions on compromised hosts. |
| WinFsp / SSHFS-Win (open-source) | Filesystem-in-userspace / SSHFS client | Used to mount remote shares (sshfs) from attacker-controlled hosts, facilitating data staging and lateral movement. |
| PsExec64 (Sysinternals) | Native Windows remote-execution utility | Leveraged to run commands on workstation. |
| Kerberos Ticket Viewer (klist.exe) | Native Windows utility | Executed to enumerate Kerberos sessions (klist sessions) |

IoCs

The following Indicators of Compromise (IoCs) have been observed in association with this threat actor:

Malware indicators

| Type | Value | Source |
|---|---|---|
| Ransom note file | shrt.readme.html | static analysis |
| Ransom note title | Black Shrantac | extracted HTML |
| Onion URL | http://shrantacpxim7z6m6pnszi52bb2tp23sntby3hklt36rezdja7bdjsyd.onion/login | extracted HTML |
| Email | BlackShrantacSupport@onionmail.org | extracted HTML |
| Tox ID | EFE1A6E5C8AF91FB1EA3A170823F5E69A85F866CF33A4370EC467474916941042E29C2EA4930 | extracted HTML |
| Scheduled task | OneDrive Standalone Update Task-S-1-5-21-2044669157-2651620623-1195537775-1001 | static analysis |
| Persistence command fragment | schtasks /Create /F /RU SYSTEM /SC HOURLY /TN " | static analysis |
| File extension | .shrt | static analysis |
| File extension | .shrtt | static analysis |
| Banner string | ALL YOUR DATA ENCRYPTED | decoded static blob |

File indicators

| Type | Indicator | Context |
|---|---|---|
| SHA-1 | f150e096d46d76e42bcbcc2faf472a1eb827db75 | GPAgent.exe - GlobalProtect agent component |
| SHA-1 | 11de2c3a18a494d7558bb67ab4162198086b0d0f | vhost.exe - SimpleHelp installer agent |
| MD5 | c8797cbe3c553daa613bdcd24efafe9d | GPAgent.exe |

Host-based indicators

| Type | Indicator | Context |
|---|---|---|
| Windows Service | SimpleService.exe (auto-start) | Persistence service installed on domain controllers |
| Scheduled Task | OneDrive Standalone Update Task-S-1-5-21-2044669157-2651620623-1195537775-1001 | Masqueraded scheduled task; executes 2.exe |

Network indicators

| Type | Indicator | Context |
|---|---|---|
| IP Address | 192.144.34.16 | Actor-controlled C2 infrastructure; payload delivery host |
| IP Address | 192.144.34.42 | Actor-controlled C2 infrastructure |
| IP Address | 104.145.210.13 | Actor-controlled C2 infrastructure |
| IP Address | 104.243.245.6 | Actor-controlled C2 infrastructure |
| Domain | dronemaker.org | C2 DNS resolution |
| URL | http://192.144.34.16/access/Remote%20Access-windows64-offline.exe | SimpleHelp installer agent (vhost.exe) delivery |
| URL | https://github.com/winfsp/sshfs-win | SSHFS-Win tool download |
| URL | https://github.com/winfsp/winfsp | WinFsp tool download |

What defenders should watch for

Across every phase of the attack, there are observable behavioural signals that security teams can monitor. At the perimeter, unexplained MSI files appearing on the GlobalProtect portal or administrators executing installers from desktop paths outside of change management windows should trigger immediate investigation.

Inside the network, PowerShell invoking Invoke-WebRequest from servers to external IP addresses, the appearance of SimpleHelp, Net Monitor or MightyViewer on hosts where these tools have no approved use, and new domain accounts being granted elevated privileges shortly after creation are all high-fidelity indicators of compromise. Scheduled task creation by non-SYSTEM accounts referencing executables in user-writable directories, and Active Directory password resets performed without a corresponding service desk record, are equally significant.

For detection teams, aggressive monitoring of schtasks.exe activity is specifically recommended, as scheduled tasks are central to both persistence and ransomware payload distribution in this group's playbook. Kerberos ticket request anomalies (Event ID 4769) and interactive logon events (Event ID 4624, Logon Type 10) under generic or service-named accounts across multiple hosts in short time windows should also be prioritised.
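To make those signals concrete, the following added example in Python (not code from Marlink or from any of the sources this post draws on) runs four detection rules over a handful of constructed Windows Security event records: a new account granted group membership shortly after creation (Event ID 4720 followed by 4728 or 4732), scheduled-task creation (Event ID 4698) by a non-SYSTEM account pointing at a user-writable path, Logon Type 10 by one account across several hosts within minutes (Event ID 4624), and process creation (Event ID 4688) of an RMM binary that is not on the approved list. The event records, hostnames, account names and paths are constructed; the RMM watchlist holds only the SimpleHelp service name reported above and is meant to be extended with your own list.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (not from a real incident). Fields mirror the
# Windows Security log: 4720 account created, 4728/4732 member added to a
# group, 4698 scheduled task created, 4624 logon, 4688 process created.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T02:01:00", "id": 4720, "host": "DC01", "target_user": "svc_backup2"},
    {"ts": "2025-09-10T02:03:30", "id": 4728, "host": "DC01", "target_user": "svc_backup2",
     "group": "Domain Admins"},
    {"ts": "2025-09-10T02:10:00", "id": 4698, "host": "SRV-FILE01", "subject_user": "svc_backup2",
     "task_name": "OneDrive Standalone Update Task", "command": r"C:\Users\Public\2.exe"},
    {"ts": "2025-09-10T02:11:00", "id": 4698, "host": "SRV-FILE01", "subject_user": "SYSTEM",
     "task_name": "MicrosoftEdgeUpdateTaskMachineCore",
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"ts": "2025-09-10T02:12:00", "id": 4624, "host": "SRV-FILE01", "target_user": "svc_backup2",
     "logon_type": 10},
    {"ts": "2025-09-10T02:13:00", "id": 4624, "host": "WS-0042", "target_user": "svc_backup2",
     "logon_type": 10},
    {"ts": "2025-09-10T02:14:00", "id": 4624, "host": "DC01", "target_user": "svc_backup2",
     "logon_type": 10},
    {"ts": "2025-09-10T09:00:00", "id": 4624, "host": "WS-0007", "target_user": "alice",
     "logon_type": 10},
    {"ts": "2025-09-10T02:20:00", "id": 4688, "host": "SRV-FILE01", "subject_user": "svc_backup2",
     "process": r"C:\ProgramData\Remote Access\SimpleService.exe"},
]

# Directories an unprivileged user can normally write to (extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Watchlist of RMM / remote-control binaries: only the SimpleHelp service name from the
# report is listed here; APPROVED_RMM is the organisation's allowlist (empty in this sample).
RMM_BINARIES = {"simpleservice.exe"}
APPROVED_RMM = set()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def fast_privilege_grants(events, window=timedelta(hours=1)):
    """4720 followed by 4728/4732 for the same account inside the window."""
    created = {e["target_user"]: _ts(e) for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        if e["id"] in (4728, 4732) and e["target_user"] in created:
            delta = _ts(e) - created[e["target_user"]]
            if timedelta(0) <= delta <= window:
                alerts.append(("fast_privilege_grant", e["target_user"], e["group"]))
    return alerts


def suspicious_task_creations(events):
    """4698 by a non-SYSTEM account whose action lives in a user-writable directory."""
    alerts = []
    for e in events:
        if e["id"] != 4698 or e["subject_user"].upper() == "SYSTEM":
            continue
        if e["command"].lower().startswith(USER_WRITABLE_PREFIXES):
            alerts.append(("task_from_user_writable_path", e["host"],
                           e["task_name"], e["subject_user"]))
    return alerts


def rdp_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """One account with Logon Type 10 on at least min_hosts distinct hosts inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_user[e["target_user"]].append((_ts(e), e["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("rdp_fanout", user, tuple(sorted(hosts))))
                break  # one alert per account is enough
    return alerts


def unapproved_rmm(events):
    """4688 for a watchlisted RMM binary that is not on the approved list."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        name = PureWindowsPath(e["process"]).name.lower()
        if name in RMM_BINARIES and name not in APPROVED_RMM:
            alerts.append(("unapproved_rmm", e["host"], name, e["subject_user"]))
    return alerts


def run_rules(events):
    """Apply every rule and return the combined alert list."""
    return (fast_privilege_grants(events) + suspicious_task_creations(events)
            + rdp_fanout(events) + unapproved_rmm(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow so it can be tuned independently: the privilege-grant and fan-out windows, the writable-path prefixes and the RMM allowlist are the knobs an operations team would adjust to its own estate, and the same shape translates directly into a SIEM correlation rule once the event fields are mapped.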

How to reduce exposure

Defending against Black Shrantac requires systematic security controls. The group's intrusion chain relies almost entirely on known techniques against common misconfigurations. The following measures address the most significant gaps:

  • Patch internet-facing devices without exception. CVE-2024-3400 has a patch available. Even where a device is already patched, assess its current state and the integrity of the GlobalProtect client packages it serves, in case attackers exploited it during the unpatched window. Patch management is an important security control to have in place.
  • Enforce multi-factor authentication on all remote access. Phishing-resistant MFA - ideally FIDO2 - should be mandatory for VPN, RDP and all administrative console access. MFA enforcement at the identity provider level, not just the application layer, closes the gaps that attackers routinely exploit.
  • Implement tamper protection on endpoint security. If an attacker can disable your antivirus with a single PowerShell command or a vendor uninstallation utility, it provides little real protection. Tamper protection, enforced via Group Policy or a mobile device management platform, prevents this.
  • Audit and govern RMM tools. Maintain a whitelist of approved remote access and monitoring tools. Alert on the execution or installation of any RMM software not on the approved list. Restrict outbound connections from approved RMM agents to known server IP ranges only.
  • Isolate and protect backup infrastructure. Backup servers should not be accessible using standard domain credentials. Immutable, air-gapped or offsite backup copies that cannot be modified or deleted by domain administrator accounts are the most effective insurance against ransomware encryption. Recovery procedures should be tested regularly - not just assumed to work.
  • Segment your network. Domain controllers, servers and backup infrastructure should reside in dedicated network segments with strict firewall rules preventing unrestricted lateral movement. Workstations should not be able to reach servers directly unless operationally required.
  • Invest in logging and visibility. Short log retention - or absence of logging - materially limits the ability to detect, investigate and contain an intrusion. At a minimum, process creation, logon events, scheduled task creation, service installation, Kerberos ticket requests, PowerShell script block logs and Active Directory account changes should be forwarded to a centralised SIEM and retained for at least twelve months.


Conclusion

Black Shrantac demonstrates that a disciplined, well-organised group armed with commodity tooling and a methodical playbook can cause severe operational and reputational damage to organisations that have left basic security hygiene gaps unaddressed.

The group's deliberate preference for legitimate tools, its redundant persistence mechanisms and its systematic approach to disabling defences before deploying ransomware reflect a level of operational maturity that demands an equally mature defensive posture. Organisations that invest in the fundamentals - patching, identity hygiene, endpoint protection, network segmentation and backup integrity - will be significantly better positioned to detect, contain or prevent an intrusion of this type.

