Skip to content
Ransomware group Windows

BlackByte

BlackByte is a Windows ransomware family and ransomware-as-a-service operation first publicly identified in 2021.

Profile source: Mallory opens in a new tab

BlackByte

Family profile

BlackByte is a Windows ransomware family and ransomware-as-a-service operation first publicly identified in 2021. It has been associated with enterprise-focused intrusions that combine data theft and file encryption, and multiple variants have been observed over time. BlackByte operators and affiliates have used double-extortion tactics, including exfiltrating victim data prior to encryption and threatening publication on leak infrastructure. More mature activity linked to the ecosystem has also included use of a custom exfiltration utility known as Exbyte.

Observed BlackByte intrusions show hands-on-keyboard tradecraft after initial compromise. In documented cases, operators gained access by exploiting Microsoft Exchange ProxyShell vulnerabilities, deployed web shells, used Cobalt Strike for command and control, dumped credentials, installed remote access software, and moved laterally over SMB and administrative shares before launching the ransomware. BlackByte has also been linked to campaigns using valid accounts and remote access pathways such as RDP in broader ransomware activity.

The malware and its operators have demonstrated extensive post-compromise behavior intended to maximize impact and hinder recovery. Reported actions include process injection, privilege-enabling system changes, Active Directory and network reconnaissance, enabling file-sharing-related firewall rules, deleting shadow copies, disabling or tampering with security tools, and modifying Windows Registry settings associated with lateral movement and execution. BlackByte has been observed injecting Cobalt Strike into legitimate Windows processes during intrusions and injecting the ransomware into another legitimate process prior to encryption. Some reporting also links BlackByte activity to bring-your-own-vulnerable-driver tradecraft through abuse of a vulnerable graphics-related driver to impair defenses.

BlackByte primarily targets Windows enterprise environments. Victimology in available reporting is consistent with opportunistic financially motivated ransomware operations affecting organizations rather than consumers, including mid-market and larger enterprises. The operation is notable for combining conventional ransomware deployment with defense evasion, credential abuse, lateral movement, and exfiltration, making it representative of modern multi-stage ransomware intrusions.

Capabilities

  • Byovd
  • Credential Theft
  • Ddos
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Post Exploitation
  • Privilege Escalation
  • Process Injection
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Defense Evasion

  • Dell Client driver (BYOVD)
  • GIGABYTE Motherboard driver (BYOVD)
  • MSI Afterburner driver (BYOVD)
  • Zemana Anti-Rootkit driver

Discovery Enum

  • PowerView
  • SoftPerfect NetScan

Offsec

  • Cobalt Strike
  • PowerShell Empire

RMM Tools

  • AnyDesk

Reported operators

Threat actors

1 named in public reporting
BlackByte

BlackByte queried registry values to determine system language settings.

Exploited software

Vulnerabilities linked to BlackByte

11 CVEs

MITRE ATT&CK

BlackByte in ATT&CK

27 distinct techniques

Reporting

Research mentioning BlackByte

Jul 13
Codeby

DDoS smokescreen атака: как SOC детектит скрытый взлом

Правило proc_creation_win_malware_blackbyte_ransomware.yml привязано к T1498 - BlackByte ransomware известен использованием DDoS как элемента многовекторной атаки.

Jul 6
Splunk Research

Detection: AWS Bedrock Claude Sensitive Data in Prompts | Splunk Security Content

Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group Gamaredon Group Kimsuky PLATINUM Sandworm Team Silence TA2541 Turla UNC3886 Velvet Ant Wizard Spider

Jul 6
Splunk Research

Detection: AWS Bedrock Claude Hostile Prompt Sentiment | Splunk Security Content

Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group ...

Jul 6
Splunk Research

Detection: AWS Bedrock Claude Possible Prompt Injection | Splunk Security Content

Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group...

Jul 6
Splunk Research

Detection: AWS Bedrock Claude excessive use of tokens | Splunk Security Content

Annotations ID Technique Tactic T1055 Process Injection Privilege Escalation APT37 APT38 APT41 APT5 AppleJeus BlackByte Cobalt Group Gamaredon Group Kimsuky PLATINUM Sandworm Team Silence TA2541 Turla UNC3886 Velvet Ant Wizard Spider

May 21
Huntress

The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress

Ransom:Win64/BlackByte.SZ!MTB Defender detection of win.exe

May 20
Loldrivers

e32bc3da-4db1-4858-a62c-6fbe4db6afbd | LOLDrivers

Resources https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/

May 19
Microsoft Security

Exposing Fox Tempest: A malware-signing service operation | Microsoft Security Blog

Microsoft Defender for Antivirus – Ransom:Win64/Rhysida – Ransom:Win64/Inc – Ransom:Win32/Qilin – Ransom:Win32/BlackByte

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.