The following interview, which we publish in full, was conducted in December 2025 by Erez, a member of the deepdarkCTI community.
The Benzona ransomware gang is a cybercriminal entity employing a double-extortion model, which involves both encrypting victims’ files and exfiltrating sensitive data with threats of public release should the ransom not be paid. Upon successful compromise, the Benzona ransomware encrypts files, appending a “.benzona” extension to affected data. It subsequently leaves a ransom note, typically named “RECOVERY_INFO.txt”. This note provides instructions for victims to contact the attackers via a TOR-based chat portal, imposing a strict 72-hour deadline. Victims are warned against attempting self-decryption or involving law enforcement agencies. The gang also maintains an extortion site to publicize stolen data and victim information, increasing pressure during negotiations.
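For responders who want to check a file share for the two artefacts named above (the “.benzona” extension and the “RECOVERY_INFO.txt” note), here is an added triage script; it is not from the original write-up, and the sample directory it builds is constructed for a dry run, not a real infection.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the write-up above.
ENCRYPTED_EXT = ".benzona"
NOTE_NAME = "RECOVERY_INFO.txt"


def triage_tree(root):
    """Walk `root` and collect Benzona-style artefacts.

    Returns the files carrying the ransomware extension, the directories
    holding a ransom note, and a coarse verdict: 'strong' when both
    artefacts are present, 'weak' when only one is, 'none' otherwise.
    """
    root = Path(root)
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            if name == NOTE_NAME:
                note_dirs.append(rel_dir.as_posix())
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append((rel_dir / name).as_posix())
    if encrypted and note_dirs:
        verdict = "strong"
    elif encrypted or note_dirs:
        verdict = "weak"
    else:
        verdict = "none"
    return {"encrypted_files": sorted(encrypted),
            "note_dirs": sorted(note_dirs),
            "verdict": verdict}


def build_sample_tree():
    """Create a constructed sample tree (placeholder content, not real data)."""
    base = Path(tempfile.mkdtemp(prefix="benzona_triage_"))
    (base / "finance").mkdir()
    (base / "finance" / "q3.xlsx.benzona").write_bytes(b"\x00" * 16)
    (base / "finance" / NOTE_NAME).write_text("constructed placeholder note\n")
    (base / "hr").mkdir()
    (base / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    return base


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

A note without encrypted files (or the reverse) is only a weak signal, since either artefact can be planted or left behind by a partial run; treat a 'strong' hit as the trigger for isolating the host and preserving the share for forensics.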

The gang provides details regarding its Tox and Twitter (X) accounts on its data leak site. The first victim declared on the data leak site dates back to November 26th. In total, 8 victims have been declared, with a territorial preference for Romania (4 declared victims).
Q (Erez): Your group’s name, “Benzona”, is a Hebrew profanity. What inspired this choice, and do you have any connection to Israel or the Hebrew-speaking world?
A (Benzona): It was a very anticipated question ☺. When we were thinking about what to name our group, we opened the lists on ransomware.live to see how our colleagues name and position themselves, and we saw this contrived seriousness that has nothing to do with what they actually do. All the boards looked the same, almost 90% were just copying LockBit, both in the names and in the logos. So we came up with the idea to choose a name that 100% of Hebrew-speaking people know, and nobody else does. This is purely a utilitarian choice and doesn’t have any offensive philosophy behind it. It’s simply much easier to tell “our people” from outsiders, and with your own people it’s always easier to reach an agreement, and it’s also easier for us to make concessions.
Q (Erez): You claim to be “penetration testers” or “security researchers”. But you are encrypting data and threatening to leak it unless victims pay. Why use this cover story when everyone understands what you are doing? Is this meant to avoid law enforcement, create psychological pressure, or something else?
A (Benzona): This question is also quite expected, and it seems you don’t really understand how the industry itself works. If you step a bit further back from the standard “attacker–victim” framing, you can see that the cybersecurity field literally came alive and became extremely profitable largely thanks to ransomware groups.
Think back to the early 2010s. Think back to the 2000s. Back then, the maximum harm you could usually suffer was some scam “extortion” program on your computer that you yourself ran on your PC. There was essentially no real threat, and there was no real industry. From the third quarter of the 2010s, the situation changed.
You can say “ransomware as the engine of cybersecurity is cynical”, but that’s how it is. If you look at the figures for how much ransomware actors are estimated by specialists to have earned in 2024–2025, and compare that to companies operating in the legal sector, you get a contrast like $813,000,000 versus $213,000,000,000 in the legal industry, alongside some crazy expert estimates like an average payment of $1.13 million.
The difference in how little extortionists make is 261 times, and that number grows every year. That only shows that, as funny as it may sound, a huge number of people who are paid salaries and work legally are, in practice, being “fed” thanks to the work of a small number of people.
And because of that, ransomware operators and cybersecurity professionals can rightfully be called colleagues working on the same thing, which does not contradict the fact that we are indeed highly qualified penetration testers and nothing else. This isn’t some attempt at a moral justification or self-soothing, it’s literally how it is, and everyone involved, regardless of which side they’re on, is a member of an industry whose development depends on everyone.
As for data leaks, there are two types of groups: “terrorist groups”, those who demand a million in ransom from a seamstress with $20k in turnover, and non-terrorists, those who look at annual revenue and, for example, set 1%. We belong to the second category. The amount we ask for is money the company is definitely able to pay, and in some cases we also make concessions.
A data leak is the company’s priority. We don’t demand the impossible, it’s literally their choice whether internal documents get published. If they don’t want that, the data isn’t published. And the company isn’t posted on the board. We also provide assistance and advise the company on how to close all vulnerabilities and properly configure the infrastructure. This is, in principle, standard practice for many reasonable groups, and we stand by it.
A company can spend the same money while still losing data and exposing corporate information, by hiring new “security guys,” but as our experience shows, that doesn’t always lead to a result.
Q (Erez): Most ransomware groups are Russian-speaking or based in Eastern Europe. Given your Hebrew name, your targeting patterns, and your recent emergence, can you clarify your team’s nationality or general geolocation?
A (Benzona): I think it wouldn’t be appropriate to answer this question, given security considerations.
Q (Erez): You emerged in late 2025. What prompted the creation of Benzona at that time? Was this a completely new operation, or does Benzona represent a continuation or rebranding of a previous group or project?
A (Benzona): Everything begins and ends at some point. Our team has been thinking about launching this project for a long time, but as you can imagine, before creating it you have to resolve a whole cluster of organizational issues, things like infrastructure, access, the locker, staffing, positioning, and so on. All of that takes time.
To make it clear, I can confidently say that the members of our team have extensive experience working in RaaS partnerships, so this isn’t being done by amateurs.
It’s the end of the year right now, everyone is taking a break: companies, cybersecurity people, and ransomware crews alike. The main flow of work will definitely pick up after the New Year. For now, things are being wrapped up slowly and open cases are being closed out.
Q (Erez): You have targeted very different sectors across multiple countries. Do you have a specific target profile, or are you purely opportunistic? Are there any sectors or countries you deliberately avoid?
A (Benzona): We don’t operate in Israel, the CIS countries, or in certain countries in Europe and Asia. We don’t have a goal of targeting any specific sector; the only exception is healthcare: we do not touch any companies connected to children, or companies on which people’s lives depend.
As for the only company shown on our board, we did not publish the data for certain reasons, but we can say with confidence that the company’s main purpose is to cash out funds from an American foundation. We do not support that kind of corruption.
Q (Erez): How do you typically gain initial access to victim networks? Do you rely on phishing, exploiting unpatched vulnerabilities, compromised credentials, or other methods?
A (Benzona): Here I can say that we have never paid for access in the usual sense of buying it from brokers. I can’t describe the exact methods, but I can say that we definitely do everything listed above that relates to the technical side of working a target, and even a bit more.
Q (Erez): You operate a strict double-extortion model. What types of data do you prioritize exfiltrating, and what is the typical size of stolen datasets?
A (Benzona): First and foremost, it’s used not so much as leverage, but as real confirmation that a breach happened. You can run an experiment: make an encryptor, put links to your board in it, upload it to VirusTotal, and after some time you’ll start getting indexed on boards. Once indexing starts, trackers like ransomware.live set up a crawler bot that pulls in all new posts from there.
The thing is, you can write whatever you want there, even that you “hacked the Pentagon” or Microsoft. There’s no validation of the information beyond providing proof.
As for the content of the data, it’s usually documents without junk, we sort them. We try to pull around 1 TB of information, sometimes less, sometimes more.
Q (Erez): Your ransom notes impose a 72-hour deadline. Does this short window significantly increase payment rates?
A (Benzona): This timeframe can be extended if needed, and it’s required to give the company’s managers time to get in touch before the initial publication on the board. The methodology really stands out for its effectiveness.
Q (Erez): Do you have any ethical boundaries, or is every organization considered a valid target?
A (Benzona): I’ve already answered this question earlier. In general, there are no restrictions, but we will never encrypt life-support systems or pose a direct threat to people’s lives.
Q (Erez): You have announced plans to launch a Ransomware-as-a-Service affiliate program. What will that look like?
A (Benzona): At the moment, this is in the plans. It will require serious organizational preparation, and we definitely won’t be recruiting random people off the street. Most likely, for those who really want to join, there will be very serious financial requirements as a way to validate their intentions.
Q (Erez): Is there anything that shaped your mindset or influenced how Benzona operates?
A (Benzona): The claim that “every person is influenced by something” is strictly incorrect and not really applicable to the field of cyber extortion. This isn’t traditional crime where you’re hiding in the night from police sirens. Here you live your normal life and you don’t particularly hide by only going online through Tor at 5 a.m. in some empty lot.
I’d say that most of the people I’ve seen are driven purely by personal motives and not by any external factors. This point does not apply to politically motivated groups.
Q (Erez): How do you see AI changing ransomware operations?
A (Benzona): It’s a relevant question, and we think about it often. In principle, EDR solutions already use similar systems, and many advanced firewalls use similar mechanisms too. But broadly speaking, they won’t change much in a major way for quite a long time, except that you can ask ChatGPT to adapt a command to a specific case.
And again, thanks to ChatGPT, the barrier to entry in the industry has noticeably dropped. If before you had to dig through the internet to figure out how to build a command, what to use, and what was causing an error, now it can be solved almost immediately. Anyone with internet access can, from zero, use neural networks to try to test its security, even despite censorship and safety blocks.
Q (Erez): Do you have any final message you would like to share with my audience?
A (Benzona): I’d like to say that overall everything is fine, and I’m confident that from here on things will only get better for everyone. But for that, of course, everyone will have to work pretty hard.