[BLACKNEVAS] – Ransomware Victim: T[.] Choithram And Sons, LLC


Ransomware Group: BLACKNEVAS

VICTIM NAME: T[.] Choithram And Sons, LLC

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the BLACKNEVAS Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The leak post is attributed to the group blacknevas and targets T. Choithram And Sons, LLC, a US-based company described in the page’s text as a large grocery retailer and distributor with extensive IT operations. The post frames the intrusion as a data-leak event rather than a straightforward encryption incident. It claims that a substantial volume of SQL and SAP data has been exfiltrated and that scanned documents from the company’s IT department exist, including records the attackers describe as passports for nearly all employees. The message also asserts the attackers can grant access to the corporate network to a coerced IT staff member due to highly compromising information, and it provides a contact channel for information requests (redacted here to protect personal data).

The page includes three visual previews (images) that appear to be internal documents or slide-like materials, shown only in general terms here. The visuals are hosted via links that are defanged in this summary, and the page notes a claim URL as part of the leak posture. In addition, the attackers reference a file-sharing link to additional materials, described as a repository of scanned documents and other data. A defanged example of such a link would be hxxp://gofile[.]io/d/QwY56BA. The presence of these images and external materials aligns with a data-leak/double-extortion narrative rather than a simple encryption event, and no explicit ransom amount is published on the page.

Key aspects of the post include the assertion that the attackers possess a large dataset (including SQL and SAP data) and internal IT documents, with claims of access to employee passport information. The page does not disclose a specific ransom figure or a clear encryption notice, and the leak is dated 2025-09-29 16:57:17, which is presented here as the post date since no separate compromise date is provided. The content emphasizes potential threats to confidentiality and operational risk, illustrating the risk profile faced by large, IT-driven retail and distribution organizations within the consumer services sector. A contact address for information is included but redacted in this summary.

