Defense Evasion
- Dell Client driver (BYOVD)
- GIGABYTE Motherboard driver (BYOVD)
- MSI Afterburner driver (BYOVD)
- Zemana Anti-Rootkit driver
BlackByte is a Windows ransomware family and ransomware-as-a-service operation first publicly identified in 2021.
Profile source: Mallory opens in a new tabBlackByte
BlackByte is a Windows ransomware family and ransomware-as-a-service operation first publicly identified in 2021. It has been associated with enterprise-focused intrusions that combine data theft and file encryption, and multiple variants have been observed over time. BlackByte operators and affiliates have used double-extortion tactics, including exfiltrating victim data prior to encryption and threatening publication on leak infrastructure. More mature activity linked to the ecosystem has also included use of a custom exfiltration utility known as Exbyte.
Observed BlackByte intrusions show hands-on-keyboard tradecraft after initial compromise. In documented cases, operators gained access by exploiting Microsoft Exchange ProxyShell vulnerabilities, deployed web shells, used Cobalt Strike for command and control, dumped credentials, installed remote access software, and moved laterally over SMB and administrative shares before launching the ransomware. BlackByte has also been linked to campaigns using valid accounts and remote access pathways such as RDP in broader ransomware activity.
The malware and its operators have demonstrated extensive post-compromise behavior intended to maximize impact and hinder recovery. Reported actions include process injection, privilege-enabling system changes, Active Directory and network reconnaissance, enabling file-sharing-related firewall rules, deleting shadow copies, disabling or tampering with security tools, and modifying Windows Registry settings associated with lateral movement and execution. BlackByte has been observed injecting Cobalt Strike into legitimate Windows processes during intrusions and injecting the ransomware into another legitimate process prior to encryption. Some reporting also links BlackByte activity to bring-your-own-vulnerable-driver tradecraft through abuse of a vulnerable graphics-related driver to impair defenses.
BlackByte primarily targets Windows enterprise environments. Victimology in available reporting is consistent with opportunistic financially motivated ransomware operations affecting organizations rather than consumers, including mid-market and larger enterprises. The operation is notable for combining conventional ransomware deployment with defense evasion, credential abuse, lateral movement, and exfiltration, making it representative of modern multi-stage ransomware intrusions.
Ransomware.live
Reported operators
BlackByte queried registry values to determine system language settings.
Exploited software
MITRE ATT&CK
Reporting
Правило proc_creation_win_malware_blackbyte_ransomware.yml привязано к T1498 - BlackByte ransomware известен использованием DDoS как элемента многовекторной атаки.
Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group Gamaredon Group Kimsuky PLATINUM Sandworm Team Silence TA2541 Turla UNC3886 Velvet Ant Wizard Spider
Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group ...
Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group...
Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group Gamaredon Group Kimsuky PLATINUM Sandworm Team Silence TA2541 Turla UNC3886 Velvet Ant Wizard Spider
Ransom:Win64/BlackByte.SZ!MTB Defender detection of win.exe
Resources https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
Microsoft Defender for Antivirus – Ransom:Win64/Rhysida – Ransom:Win64/Inc – Ransom:Win32/Qilin – Ransom:Win32/BlackByte
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.