Secure AF - A Cybersecurity Podcast

Black Shrantac Ransomware – LOTL Tactics and Double Extortion on the Rise

Alias Cybersecurity


A new ransomware group is blending in with legitimate tools. This #SOCBrief breaks down Black Shrantac and how to detect it early.


Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_00

Good morning, good afternoon, or good evening, wherever you may be. And welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host Andrew, and today we're going to discuss a newly observed ransomware group that's gaining some traction, named Black Shrantac. So this group emerged in September of 2025, and it's continuing to make their mark with living off the land techniques and classic double extortion tactics. We'll discuss who they are, how they operate, who they're targeting, and the practical steps your SOC can take to spot them and stop them before your organization becomes the next headline.

So Black Shrantac is a relatively new ransomware group. They follow the pretty much now standard double extortion model, which means they're first exfiltrating sensitive data, then they're deploying ransomware to encrypt systems and threaten to leak the stolen information if the ransom isn't paid. The information we have on them now indicates that they have a heavy reliance on living off the land techniques, which means they're using legitimate administrative tools already present on the networks rather than bringing in custom malware. This makes their attacks quieter and harder for traditional EDR solutions to flag.

So why is this group worth watching? Mainly, they're opportunistic and aggressive. They don't stick to one sector or region. They're hitting wherever the conditions are right. Their reported victims currently include organizations in manufacturing, financial services, technology, hospitality, public sector, and business services across multiple geographies. Their attacks tend to be fast and focused on causing maximum operational disruption. By living off the land, Black Shrantac avoids dropping obvious malware that EDR tools are tuned to catch. They use built-in Windows tools for reconnaissance, lateral movement, and persistence. From there, they'll deploy their encryptor only at the end. This keeps dwell times low and detection difficult for a lot of SOCs, because it means trying to discern normal admin activity being blended in with malicious behavior. It makes it easy to miss the real threat until the encryption starts.

For SOCs, getting in front of this for any kind of detection, you want to be on the lookout for anomalous use of legitimate tools, watching for things like unusual PowerShell, WMI, or scheduled task activity, especially if it's coming from unexpected accounts or at odd hours. Look for signs of data exfiltration on your firewalls or SIEM logs. Some of the best defenses against these attacks would be restricting unnecessary admin tool usage, enforcing application allow listing, and monitoring for living off the land binaries. Make sure you're using network segmentation so you're limiting lateral movement if an initial foothold is gained. For proactive threat hunting, SOCs need to search their logs for recent anomalous admin activity, unusual protocol traffic, or rapid file encryption patterns. You can always integrate threat intelligence feeds for Black Shrantac IOCs. There are vendors like WatchGuard that have already published details on their TTPs and their extortion sites. Make sure you're sharing this information internally. Brief your team and leadership. Make sure that they're aware and they know what living off the land techniques are and what needs to be done to counteract them. You can always also run a tabletop sim with a living off the land ransomware scenario. This will help your team and organization identify any gaps in security or processes. And the bottom line here is that Black Shrantac shows that attackers can be really good at blending in. SOCs that are aware of and prepared for living off the land attacks can stop these attacks before they become a problem.

Here's a closing thought and a call to action. This group's rise is a reminder that ransomware groups in general will continue to evolve and adjust to today's defenses. SOCs that have their tools tuned for the unusual, are quick to block risky behaviors, and keep communication flowing can help turn potential disasters into contained incidents. This week, run one quick hunt for anomalous admin tool usage in your environment and review your network for any high-value assets with critical vulnerabilities. And that's a wrap for this episode of the SOC Brief. Have questions or have your own living off the land attack stories and want to share? Hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. As always, stay secure out there. Bye.
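The quick hunt the episode asks for, as an added example that is not part of the show or of any vendor's detection content: it runs the three checks the host describes (built-in admin tools run by unexpected accounts, at odd hours, and in a rapid burst) over constructed process-creation records. The tool list, the admin account name, the business-hours window and the burst threshold are all assumed placeholders to be tuned to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools the episode calls out (assumed starter list; extend per environment)
LOLBINS = {"powershell.exe", "wmic.exe", "schtasks.exe"}
# Accounts expected to run admin tooling (assumed placeholder name)
ADMIN_ACCOUNTS = {"CORP\\it-admin"}
WORK_HOURS = range(7, 19)           # 07:00-18:59 local, assumed business window
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                     # distinct LOLBINs by one account inside the window

def parse(line):
    # Record layout (constructed): timestamp,user,host,process
    ts, user, host, proc = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "proc": proc}

def flag_event(ev):
    # Reasons a single record is anomalous; an empty list means it looks like normal admin work
    reasons = []
    if ev["proc"].lower() in LOLBINS:
        if ev["user"] not in ADMIN_ACCOUNTS:
            reasons.append("lolbin by non-admin account")
        if ev["ts"].hour not in WORK_HOURS:
            reasons.append("lolbin outside business hours")
    return reasons

def hunt(events):
    # Single-record checks plus a per-account burst check over a sliding time window
    findings, per_user = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = flag_event(ev)
        if ev["proc"].lower() in LOLBINS:
            per_user[ev["user"]].append(ev)
            recent = [h for h in per_user[ev["user"]] if ev["ts"] - h["ts"] <= BURST_WINDOW]
            if len({h["proc"].lower() for h in recent}) >= BURST_COUNT:
                reasons.append("burst of distinct lolbins within 10 min")
        if reasons:
            findings.append((ev["host"], ev["user"], ev["proc"], reasons))
    return findings

# Constructed sample records, not real telemetry
SAMPLE = """2025-10-02T10:05:00,CORP\\it-admin,WS01,powershell.exe
2025-10-02T10:07:00,CORP\\it-admin,WS01,notepad.exe
2025-10-03T02:11:00,CORP\\jdoe,FS01,powershell.exe
2025-10-03T02:13:00,CORP\\jdoe,FS01,wmic.exe
2025-10-03T02:15:00,CORP\\jdoe,FS01,schtasks.exe
2025-10-03T14:30:00,CORP\\jdoe,WS02,wmic.exe"""

if __name__ == "__main__":
    for host, user, proc, why in hunt([parse(l) for l in SAMPLE.splitlines()]):
        print(host, user, proc, "; ".join(why))
```

Only the non-admin account's activity is reported; the same tools run by the admin account during the day produce no finding, which is the point of scoring context rather than the binary alone.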
