ActiveTLP:AMBERConfidence: High

Operation BlackHarvest

First seen January 15, 2026 · Last seen May 20, 2026

Public preview

Summary and targeting visible. Pro adds TTP and actor context, Pro+ adds IOC exports and enrichment.

Summary

Double-extortion ransomware campaign targeting healthcare and manufacturing organizations through initial access broker partnerships. Uses phishing and VPN credential abuse for entry.

Target Sectors

HealthcareManufacturing

Target Regions

North America

Safety Note

Fictional campaign. No real victim identifiers, ransom amounts or leak site data included.

Actions

View pricing →

Related CVEs

CVE-2026-20881

Threat Actors

VoidLock Collective

ransomware · Eastern Europe (assessed)

SilkGate Broker

cybercrime · CIS region (assessed)

Malware Used

VoidCrypt

ransomware

SilkDrop

loader

MITRE ATT&CK Techniques

T1566.001 — Spearphishing Attachment

Initial Access

Train users to identify phishing. Deploy email gateway filtering. Enable attachment sandboxing. Block macro execution by default.

T1486 — Data Encrypted for Impact

Impact

Maintain offline backups. Monitor for mass file modification events. Restrict execution of unknown binaries. Implement endpoint detection for encryption behavior.

T1078 — Valid Accounts

Persistence

Enforce MFA on all accounts. Monitor for impossible travel and unusual login patterns. Implement privileged access management. Review service account usage.

T1133 — External Remote Services

Initial Access

Enforce MFA on all remote access. Restrict VPN/RDP to allowlisted networks where possible. Monitor remote access logs for anomalies. Patch remote access infrastructure promptly.

Related Ransomware Groups

VoidLock

Active · Healthcare, Manufacturing, Education

Related IOCs

192.0.2.41

IP Address · Active

c2-voidlock.example.net

Domain · Active

a1b2c3d4e5f6[REDACTED]

Hash · Active

https://c2-voidlock.example.net/api/[REDACTED]

URL · Active

voidcrypt_payload.exe

File Name · Active

f0e1d2c3b4a5[REDACTED]

Hash · Active

silkdr[REDACTED]

File Name · Active

Recent Feed Items

VoidLock Collective claims new healthcare victims

ransomware activity · critical

SilkGate Broker advertising VPN access to healthcare networks

dark web signal · critical

CVE-2026-21954 exploitation observed in ransomware chain

vulnerability exploitation · critical

Related Intelligence

CVEs

CVEsExploitsHigh

CVE-2026-20881: Fortinet SSL VPN Session Validation Bypass

A session validation weakness in a mock Fortinet SSL VPN gateway can permit unauthorized access to management-adjacent functions when a device is exposed directly to the internet.

critical · Fortinet

IOCs

IOCsObserved InHigh

192.0.2.41

Mock C2 callback IP observed in VoidCrypt ransomware deployment chains. RFC 5737 documentation address.

Threat Actors

Threat ActorsAttributedHigh

VoidLock Collective

VoidLock Collective is a mock ransomware operation that targets mid-size organizations with double-extortion tactics. The group uses affiliate models and publishes redacted victim claims on a mock leak site. All details are fictional and defensive.

ransomware · Eastern Europe (assessed)

Malware

MalwareUsesHigh

VoidCrypt

VoidCrypt is the ransomware payload associated with the VoidLock Collective. It uses AES-256 encryption with RSA key wrapping and drops ransom notes in multiple formats. Defensive analysis only.

ransomware

MITRE ATT&CK

MITRE ATT&CKUsesHigh

T1190: Exploit Public-Facing Application

Adversaries exploit vulnerabilities in internet-facing applications to gain initial access.

Initial Access

MITRE ATT&CKUsesHigh

T1486: Data Encrypted for Impact

Adversaries encrypt data on target systems to interrupt availability and extort payment.

Impact

Static mock relationships for demonstration. Not AI-generated or externally enriched.