Ransomware Group: BLACKSHRANTAC

VICTIM NAME: Ak** Me***

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the BLACKSHRANTAC Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On September 26, 2025, at 09:38:18.131210, the leak page tied to the Blackshrantac group lists Ak** Me*** as a victim. The post provides no disclosed industry or country. It frames the incident as a data leak rather than a conventional encryption event and claims the attackers exfiltrated about 1 terabyte of data from the victim’s network. The data purportedly spans finance-related materials (production costs, invoices, statements, payrolls), HR information (employee records and related identifiers), and a comprehensive package of product development procedures and research and development results. The post states the stolen data will be published publicly and notes that data deletion could be purchased, with an invitation for third parties to negotiate for data purchase. A claim URL is referenced on the page, and the attackers supply a contact alias “Tox” along with a token. A Turkish-host domain is mentioned in the text (defanged for safety as hxxp://me***ak**me***[.]com[.]tr). There are no screenshots or downloadable files shown on the page.

The page text appears to include a simulated file-view interface, with a root breadcrumb bearing the masked victim name Ak** Me*** and a file-tree structure described in the excerpt. The material explicitly notes a data size of 1 TB and enumerates data categories—finance records (costs, invoices, payroll), HR data (employee information with sensitive identifiers), and product development procedures plus R&D results. This aligns with a data‑leak extortion pattern: the attackers threaten to publish the data unless demands are met and indicate a paid option to delete the data. No ransom amount is disclosed in the available material. The post also indicates that company data will be published soon and that non-company individuals may contact the attackers to negotiate for data purchase. The metadata shows there are zero images and zero downloads on the page. The post date functions as the leak’s release date, with no separate compromise date provided. All PII within the excerpt is masked, and only the victim name Ak** Me*** is retained. The Turkish host reference and the inclusion of a contact token further illustrate the operator’s operational posture.