SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackbyte (Back to overview)

BlackByte

Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.

References
2023-07-06MicrosoftMicrosoft Incident Response
@online{response:20230706:fiveday:629ca44, author = {Microsoft Incident Response}, title = {{The five-day job: A BlackByte ransomware intrusion case study}}, date = {2023-07-06}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/}, language = {English}, urldate = {2023-08-25} } The five-day job: A BlackByte ransomware intrusion case study
BlackByte ExByte
2023-05-22Cluster25Cluster25 Threat Intel Team
@online{team:20230522:back:fdaaa98, author = {Cluster25 Threat Intel Team}, title = {{Back in Black: BlackByte Ransomware returns with its New Technology (NT) version}}, date = {2023-05-22}, organization = {Cluster25}, url = {https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt}, language = {English}, urldate = {2023-05-23} } Back in Black: BlackByte Ransomware returns with its New Technology (NT) version
BlackByte
2023-03-21Twitter (@splinter_code)Antonio Cocomazzi
@online{cocomazzi:20230321:blackbyte:f11b8c4, author = {Antonio Cocomazzi}, title = {{Tweet on BlackByte ransomware rewrite in C++}}, date = {2023-03-21}, organization = {Twitter (@splinter_code)}, url = {https://twitter.com/splinter_code/status/1628057204954652674}, language = {English}, urldate = {2023-03-24} } Tweet on BlackByte ransomware rewrite in C++
BlackByte
2022-10-04SophosAndreas Klopsch
@online{klopsch:20221004:remove:a8a9121, author = {Andreas Klopsch}, title = {{Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse}}, date = {2022-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/}, language = {English}, urldate = {2022-10-24} } Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
BlackByte
2022-08-25DarktraceEmma Foulger, Max Heinemeyer
@online{foulger:20220825:detecting:95564b0, author = {Emma Foulger and Max Heinemeyer}, title = {{Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace}}, date = {2022-08-25}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace}, language = {English}, urldate = {2022-08-30} } Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace
BlackByte
2022-07-13NCC GroupRIFT: Research and Intelligence Fusion Team
@online{team:20220713:climbing:eea784b, author = {RIFT: Research and Intelligence Fusion Team}, title = {{Climbing Mount Everest: Black-Byte Bytes Back?}}, date = {2022-07-13}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/}, language = {English}, urldate = {2022-07-15} } Climbing Mount Everest: Black-Byte Bytes Back?
BlackByte
2022-07-05Trend MicroTrend Micro Research
@online{research:20220705:ransomware:01bdccf, author = {Trend Micro Research}, title = {{Ransomware Spotlight: BlackByte}}, date = {2022-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte}, language = {English}, urldate = {2022-07-12} } Ransomware Spotlight: BlackByte
BlackByte
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18Cisco TalosHolger Unterbrink
@online{unterbrink:20220518:blackbyte:00c8696, author = {Holger Unterbrink}, title = {{The BlackByte ransomware group is striking users all over the globe}}, date = {2022-05-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html}, language = {English}, urldate = {2022-05-25} } The BlackByte ransomware group is striking users all over the globe
BlackByte
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-03ZscalerJavier Vicente, Brett Stone-Gross
@online{vicente:20220503:analysis:ae8a3cc, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of BlackByte Ransomware's Go-Based Variants}}, date = {2022-05-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants}, language = {English}, urldate = {2022-05-04} } Analysis of BlackByte Ransomware's Go-Based Variants
BlackByte
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:6ab8bac, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html}, language = {English}, urldate = {2022-03-07} } Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
BlackByte
2022-02-21PICUS SecurityHüseyin Can YÜCEEL
@online{yceel:20220221:ttps:93e181d, author = {Hüseyin Can YÜCEEL}, title = {{TTPs used by BlackByte Ransomware Targeting Critical Infrastructure}}, date = {2022-02-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure}, language = {English}, urldate = {2022-02-26} } TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
BlackByte
2022-02-14BleepingComputerSergiu Gatlan
@online{gatlan:20220214:fbi:faaad75, author = {Sergiu Gatlan}, title = {{FBI: BlackByte ransomware breached US critical infrastructure}}, date = {2022-02-14}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/}, language = {English}, urldate = {2022-02-16} } FBI: BlackByte ransomware breached US critical infrastructure
BlackByte
2022-02-13The RecordCatalin Cimpanu
@online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } San Francisco 49ers confirm ransomware attack
BlackByte
2022-02-11Federal Bureau of Investigation, U.S. Secret Service (USSS)
@techreport{investigation:20220211:joint:3c91f4c, author = {Federal Bureau of Investigation and U.S. Secret Service (USSS)}, title = {{JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware}}, date = {2022-02-11}, institution = {}, url = {https://www.ic3.gov/Media/News/2022/220211.pdf}, language = {English}, urldate = {2022-02-14} } JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
BlackByte
2021-11-30Red CanaryHarrison van Riper
@online{riper:20211130:proxyshell:060517d, author = {Harrison van Riper}, title = {{ProxyShell exploitation leads to BlackByte ransomware}}, date = {2021-11-30}, organization = {Red Canary}, url = {https://redcanary.com/blog/blackbyte-ransomware/}, language = {English}, urldate = {2021-12-06} } ProxyShell exploitation leads to BlackByte ransomware
BlackByte
2021-11-04Deep instinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20211104:understanding:c22abf4, author = {Shaul Vilkomir-Preisman}, title = {{Understanding the Windows JavaScript Threat Landscape}}, date = {2021-11-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape}, language = {English}, urldate = {2021-11-19} } Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm FIN7
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20230715 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d4101 0f1f8000000000 4883f85b 0f8dc0000000 }
            // n = 4, score = 200
            //   488d4101             | or                  ebx, ecx
            //   0f1f8000000000       | movups              xmmword ptr [esp + 0x20], xmm0
            //   4883f85b             | movsd               qword ptr [esp + 0x40], xmm0
            //   0f8dc0000000         | movups              xmmword ptr [esp + 0x30], xmm1

        $sequence_1 = { 0bd1 8b4c244c 4103cf 450fb67b17 33d1 }
            // n = 5, score = 200
            //   0bd1                 | or                  edx, ecx
            //   8b4c244c             | mov                 ecx, dword ptr [esp + 0x4c]
            //   4103cf               | inc                 ecx
            //   450fb67b17           | add                 ecx, edi
            //   33d1                 | inc                 ebp

        $sequence_2 = { 488d0db4030000 488908 833d????????00 7520 }
            // n = 4, score = 200
            //   488d0db4030000       | dec                 eax
            //   488908               | mov                 edi, dword ptr [esp + 0x48]
            //   833d????????00       |                     
            //   7520                 | dec                 eax

        $sequence_3 = { 39580c 7516 44387ddf 740b 488b45c7 83a0a8030000fd 448bcb }
            // n = 7, score = 200
            //   39580c               | dec                 eax
            //   7516                 | mov                 esi, dword ptr [esp + 0x2e0]
            //   44387ddf             | movaps              xmm7, xmmword ptr [esp + 0x290]
            //   740b                 | movaps              xmm6, xmmword ptr [esp + 0x2a0]
            //   488b45c7             | dec                 esp
            //   83a0a8030000fd       | mov                 esi, dword ptr [esp + 0x2b0]
            //   448bcb               | dec                 eax

        $sequence_4 = { 488d5301 488b5c2468 488b742440 488b7c2448 }
            // n = 4, score = 200
            //   488d5301             | add                 esp, 0x2b8
            //   488b5c2468           | or                  edx, ecx
            //   488b742440           | mov                 ecx, dword ptr [esp + 0x4c]
            //   488b7c2448           | inc                 ecx

        $sequence_5 = { 0bd9 410fb64b28 450fb65b2f 41c1e308 }
            // n = 4, score = 200
            //   0bd9                 | cmp                 dword ptr [ebp + 0x74], esi
            //   410fb64b28           | jne                 0xb6
            //   450fb65b2f           | mov                 eax, dword ptr [ebp + 0x70]
            //   41c1e308             | dec                 esp

        $sequence_6 = { 397574 0f85ad000000 8b4570 4c8d4d58 }
            // n = 4, score = 200
            //   397574               | dec                 eax
            //   0f85ad000000         | lea                 edx, [eax + ebp*8]
            //   8b4570               | cmp                 dword ptr [esp + 0x78], esi
            //   4c8d4d58             | je                  0xc6

        $sequence_7 = { 488d442448 488d5c2438 31c9 31ff be02000000 }
            // n = 5, score = 200
            //   488d442448           | mov                 eax, ebx
            //   488d5c2438           | movaps              xmm7, xmmword ptr [esp + 0x290]
            //   31c9                 | movaps              xmm6, xmmword ptr [esp + 0x2a0]
            //   31ff                 | dec                 esp
            //   be02000000           | mov                 esi, dword ptr [esp + 0x2b0]

        $sequence_8 = { 39742478 0f8496000000 4883cdff 4c8bf5 }
            // n = 4, score = 200
            //   39742478             | mov                 dword ptr [esp + 0x48], esi
            //   0f8496000000         | dec                 eax
            //   4883cdff             | mov                 dword ptr [esp + 0x50], edi
            //   4c8bf5               | nop                 word ptr [eax + eax]

        $sequence_9 = { 0f28bc2490020000 0f28b424a0020000 4c8bb424b0020000 488bb424e0020000 }
            // n = 4, score = 200
            //   0f28bc2490020000     | inc                 ebp
            //   0f28b424a0020000     | movzx               edi, byte ptr [ebx + 0x17]
            //   4c8bb424b0020000     | xor                 edx, ecx
            //   488bb424e0020000     | inc                 ecx

        $sequence_10 = { 488d4b07 4889c3 488d442460 e8???????? }
            // n = 4, score = 200
            //   488d4b07             | dec                 eax
            //   4889c3               | lea                 eax, [esp + 0x48]
            //   488d442460           | dec                 eax
            //   e8????????           |                     

        $sequence_11 = { 396b68 0f8639010000 4889742448 48897c2450 }
            // n = 4, score = 200
            //   396b68               | mov                 esi, dword ptr [esp + 0x2e0]
            //   0f8639010000         | dec                 eax
            //   4889742448           | mov                 ebp, dword ptr [esp + 0x2d8]
            //   48897c2450           | cmp                 dword ptr [eax + 0xc], ebx

        $sequence_12 = { 488d0de5000000 488908 833d????????00 751d }
            // n = 4, score = 200
            //   488d0de5000000       | nop                 dword ptr [eax]
            //   488908               | dec                 eax
            //   833d????????00       |                     
            //   751d                 | mov                 ebx, dword ptr [edi]

        $sequence_13 = { 488d5c241d b911000000 e8???????? 488b6c2440 4883c448 c3 89f0 }
            // n = 7, score = 200
            //   488d5c241d           | dec                 eax
            //   b911000000           | lea                 edx, [ebx + 1]
            //   e8????????           |                     
            //   488b6c2440           | dec                 eax
            //   4883c448             | mov                 ebx, dword ptr [esp + 0x68]
            //   c3                   | dec                 eax
            //   89f0                 | mov                 esi, dword ptr [esp + 0x40]

        $sequence_14 = { 488d1592020000 4889542458 48894c2460 488d4c2458 }
            // n = 4, score = 200
            //   488d1592020000       | or                  ebx, ecx
            //   4889542458           | or                  ebx, ecx
            //   48894c2460           | inc                 ecx
            //   488d4c2458           | movzx               ecx, byte ptr [ebx + 0x28]

        $sequence_15 = { 0bd9 410fb64b29 c1e308 0bd9 }
            // n = 4, score = 200
            //   0bd9                 | dec                 esp
            //   410fb64b29           | lea                 eax, [ebp + 0x3e8]
            //   c1e308               | movaps              xmm7, xmmword ptr [esp + 0x290]
            //   0bd9                 | movaps              xmm6, xmmword ptr [esp + 0x2a0]

    condition:
        7 of them and filesize < 9435136
}
Download all Yara Rules