New Threat Actor: Benzona

Benzona is a newly identified ransomware strain and threat actor group that surfaced in late November 2025. Functioning as a Ransomware-as-a-Service (RaaS) operation, the group employs a “double-extortion” model. This means they not only encrypt a victim’s critical files to halt operations but also exfiltrate sensitive data prior to encryption, using the threat of public release to pressure organizations into paying a ransom. The group operates a dedicated leak site and negotiation portal on the TOR network, signaling a structured and mature operational capability typical of organized cybercrime syndicates.

Recent Victims and Targeting

On November 26, 2025, Benzona simultaneously listed at least five victims on its dark web leak site. This coordinated disclosure suggests the group may have compromised these entities through a shared entry vector or a third-party supplier.

The initial wave of victims spans multiple continents and industries:

  • Europe (Romania): Multiple automotive dealerships located in Ploiești, specifically those associated with major brands like Suzuki, Mazda, and Dacia.
  • West Africa (Côte d’Ivoire): A healthcare nonprofit organization.
  • Asia (Taiwan): Organizations within the digital and community service sectors.

The targeted data includes internal documents, financial records, emails, and client databases, which the group threatens to publish if their demands are not met.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

Benzona likely gains entry to victim networks through several common vectors:

  • Spear-Phishing: Delivery of the initial payload via malicious email attachments or links (T1566.001).
  • Exploitation of Public-Facing Applications: The simultaneous listing of related victims suggests the exploitation of vulnerabilities in shared services or third-party platforms (T1190).
  • Valid Accounts: The use of compromised or stolen credentials, particularly for RDP (Remote Desktop Protocol) or VPN access, to infiltrate the network (T1078.002).

Execution and Persistence

Once inside the network, the group deploys a Windows-based ransomware payload, typically an executable file named benzona_rans.exe (approximately 9–10 MB in size). The malware runs on the host system and may establish persistence through registry modifications or scheduled tasks to ensure it remains active across reboots.

Defense Evasion

To ensure the encryption process completes without interruption and to prevent data recovery, Benzona employs aggressive defense evasion techniques:

  • Deleting Shadow Copies: The ransomware executes commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to wipe Windows Volume Shadow Copies.
  • Disabling Recovery: It removes system restore points and disables Windows recovery mechanisms.
  • Process Termination: The malware attempts to kill processes related to security software, virtualization tools, and system backups to evade detection by EDR/AV solutions.

Encryption and Extortion

Benzona uses strong cryptographic methods to lock files.

  • File Extension: All affected files are appended with the .benzona extension (e.g., financial_report.pdf becomes financial_report.pdf.benzona).
  • Ransom Note: A text file named RECOVERY_INFO.txt is dropped into every directory containing encrypted files.
  • Deadline: The note imposes a strict 72-hour deadline for the victim to contact the attackers via their TOR portal.
  • Threats: The note explicitly warns that “irreversible data loss” will occur if manual recovery is attempted and threatens the sale or leak of exfiltrated data if the ransom is not paid.

Indicators of Compromise (IOCs)

File Artifacts

  • Ransomware Payload: benzona_rans.exe
  • Ransom Note: RECOVERY_INFO.txt
  • Encrypted File Extension: .benzona
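Added example (not from the report or the group it describes): a small Python triage routine that turns the shadow-copy deletion commands listed under Defense Evasion and the file artifacts listed above into detections over constructed, Sysmon-style process-creation (ID 1) and file-create (ID 11) events. The key=value layout, field names and every sample line are simplified assumptions, not real telemetry.

```python
import re

# Constructed sample events in a simplified Sysmon-like key=value form (assumption, not real logs).
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /all /quiet"',
    'EventID=1 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="wmic shadowcopy delete /nointeractive"',
    'EventID=1 Image="C:\\Users\\Public\\benzona_rans.exe" CommandLine="benzona_rans.exe"',
    'EventID=11 Image="C:\\Users\\Public\\benzona_rans.exe" TargetFilename="D:\\Finance\\financial_report.pdf.benzona"',
    'EventID=11 Image="C:\\Users\\Public\\benzona_rans.exe" TargetFilename="D:\\Finance\\RECOVERY_INFO.txt"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe List Shadows"',
    'EventID=11 Image="C:\\Windows\\explorer.exe" TargetFilename="D:\\Finance\\budget.xlsx"',
]

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two shadow-copy deletion command lines named in the report (case-insensitive).
SHADOW_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b', re.I)


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event):
    """Return the IOC/TTP tags a single parsed event matches (empty list if benign)."""
    tags = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    basename = event.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
    if image == "benzona_rans.exe":                       # payload file name from the IOC list
        tags.append("payload_name")
    if event.get("EventID") == "1" and SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        tags.append("shadow_copy_deletion")               # vssadmin / wmic shadow copy wipe
    if event.get("EventID") == "11":
        if basename.endswith(".benzona"):                 # encrypted-file extension
            tags.append("encrypted_extension")
        if basename == "recovery_info.txt":               # ransom note dropped per directory
            tags.append("ransom_note")
    return tags


def triage(lines):
    """Count how many events in a batch matched each tag."""
    counts = {}
    for line in lines:
        for tag in classify(parse_event(line)):
            counts[tag] = counts.get(tag, 0) + 1
    return counts
```

Note that a plain "vssadmin List Shadows" is deliberately not flagged, so the rule keys on the destructive verb rather than on vssadmin.exe alone.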

Communication Channels

  • Negotiation Method: The ransom note provides a specific URL for a TOR-based chat portal where victims must enter a unique ID.
  • Alternative Contact (Tox): 7308E8CFE8AA18D718B5EF44C34A2E5E2C90B7FDB150FA2EC31E995F5F4B23044A98802A4DF0
  • Verification: A PGP public key (RSA 2048-bit) is published on the leak site for authenticating communications.

Network Indicators

  • Traffic: Large outbound data transfers (exfiltration) followed by connections to TOR (Onion) addresses.