Blackfield (BlackFL) Ransomware Demands $2 Million from Nidec Chaun-Choung Technology Corporation (Nidec Corporation Subsidiary) — Threadlinqs Intelligence
Threat ID: TL-2026-1196 · Severity: HIGH · Status: ACTIVE · Category: RANSOMWARE
Attribution: Blackfield · FINANCIAL
The Blackfield ransomware group (aka BlackFL) claims to have breached Nidec Chaun-Choung Technology Corporation (CCIC), a Taiwan-based subsidiary of Japanese electronics giant Nidec Corporation, and
Blackfield (also tracked as BlackFL/BlackField) is a financially motivated ransomware operation first observed in the wild on July 1, 2025 via samples submitted to VirusTotal. The group runs a double-extortion model: data is exfiltrated prior to file encryption, victims are given a tiered graduated-payment ransom structure, and proof-of-concept data samples are leaked on the group's Tor-hosted leak site(s) to pressure payment. Encrypted files are appended with the '.BlackFL' extension (a February 2026 variant additionally renames files to random strings and alters the desktop wallpaper/pre-login screen), and a ransom note ('BlackField_ReadMe.txt' / 'BlackField-ReadMe.txt') is dropped instructing victims to contact the actors via onionmail/tutamail/mail2tor/mailum email addresses, a Telegram handle (@gotchadec), or Tox identifiers. The note claims financial-situation-based ransom calibration, threatens backup destruction ('all your backups - virtual, physical - everything that we managed to reach - are completely removed'), promises ~24-hour decryption turnaround post-payment, and threatens a multi-stage escalation (public leak-site publication, continued network attacks, credential resale, customer notification, social-media amplification) if the victim does not negotiate.
On June 22, 2026, Blackfield struck Nidec Chaun-Choung Technology Corporation (CCIC), a Taiwan-based manufacturing subsidiary of Nidec Corporation (Japan; ~$17.2B annual revenue, 100,000+ employees, operations in 40+ countries). Nidec confirmed damage to affected servers and implemented an emergency shutdown of impacted servers/networks, disclosing the incident publicly on June 30, 2026. Blackfield publicly claimed the attack on its leak site around June 29, 2026, demanding $2,000,000 to delete the stolen data, offering a $400,000 immediate-download option, and applying a $5,000/day extension fee if the victim requested more time. As of the disclosure, no confirmed leak of personal or confidential data had been verified and the incident was not expected to spread to other Nidec entities. This is not Nidec's first ransomware incident: in October 2024, Nidec's Vietnam-based Precision division was compromised separately by both the 8Base and Everest ransomware gangs, exposing 50,000+ sensitive files. Blackfield's only other confirmed victim to date is Redeplast, a Brazilian footwear manufacturer, claimed on July 3, 2026 with a lower $100,000 demand — indicating the group calibrates ransom amounts to perceived victim resources and targets the manufacturing sector across geographies (Taiwan, Brazil). No CVE, initial access vector, or malware sample has been publicly attributed specifically to the Nidec CCIC intrusion; known BlackFL propagation vectors from broader malware-analysis reporting include phishing emails with malicious attachments, pirated/cracked software, tech-support scams, infected USB media, malvertising, exploited software vulnerabilities, and P2P/untrustworthy download sites.
Target sectors: manufacturing, electronics, technology, automotive-components
Target regions: taiwan, japan, brazil, vietnam
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 18 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
RANSOMWARE, HIGH, threat intelligence, cybersecurity, T1566, T1566, T1133, T1091, T1189, T1195, T1204, T1059, T1036, T1027