Menu
Browse

Cyber Threat Actor: Black Atlas

Actor Type Location Known Incidents
 Icon
Crime Syndicate
0 incidents
Profile

Black Atlas operates as a financially motivated cybercriminal entity, primarily leveraging ransomware and data theft operations against diverse sectors. Public reporting associates this actor with high-impact breaches targeting healthcare providers, critical infrastructure, transportation networks, and commercial enterprises. The group demonstrates consistent focus on extortion through data encryption and exfiltration, frequently threatening public leaks to pressure victims into paying ransoms.

Notable technical patterns include the deployment of NetWalker and Nefilim ransomware variants, with initial access frequently achieved through exploitation of unsecured databases, SQL injection vulnerabilities, and compromised remote desktop services. Articles document instances where Black Atlas exploited weak Elasticsearch credentials (Mangatoon breach), Citrix CVE-2019-19781 vulnerabilities (Luxottica attack), and inadequately protected AWS storage buckets. The group systematically exfiltrates sensitive data prior to encryption, as evidenced in attacks against Lorien Health Services and Whirlpool, where patient records and corporate documents were stolen. Operational security lapses among victims—such as outdated patches, default passwords, and exposed management interfaces—recur as enabling factors across documented incidents.

Significant campaigns include the 2022 breach of ShitExpress, where an SQL injection vulnerability allowed theft of customer messages and personal data subsequently leaked on hacking forums. In healthcare, Black Atlas compromised Atlanta Allergy & Asthma and Crozer-Keystone Health System, exfiltrating insurance documents and patient treatment records later auctioned on dark web platforms. High-profile infrastructure attacks disrupted Argentina’s immigration services and Pakistan’s K-Electric utility, causing border processing halts and billing system outages. The actor’s collaboration with ransomware-as-a-service affiliates is implied through consistent use of NetWalker and Nefilim payloads, though no explicit criminal consortium ties are confirmed in available sources. Law enforcement attention has targeted associated infrastructure, including the seizure of RaidForums, though Black Atlas’s operational continuity persists through successor platforms like Breached.co.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
52 sources