{
	"id": "4803f711-f619-444b-b0c4-ead888a640c0",
	"created_at": "2026-04-06T00:21:57.685653Z",
	"updated_at": "2026-04-10T03:31:48.780599Z",
	"deleted_at": null,
	"sha1_hash": "6656aaf905e375ab304fd89e17e58642a15518f3",
	"title": "Cyble - A Closer Look At BlackMagic Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1703731,
	"plain_text": "Cyble - A Closer Look At BlackMagic Ransomware\r\nPublished: 2022-12-07 · Archived: 2026-04-05 17:09:28 UTC\r\nCyble Analyzes BlackMagic, a ransomware strain disrupting Israel's Transportation and Logistics industries.\r\nNew Ransomware disrupting Transportation and Logistics Industry in Israel\r\nDuring a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named “BlackMagic”. This group uses a double extortion technique against its victims: it first exfiltrates the victim’s data and then encrypts it. The group has disclosed details of over ten victims to date, all of them from Israel, which suggests that it is conducting targeted attacks. The group is suspected to have originated in Iran.\r\nDuring our analysis, we found that the ransom note used by this gang does not contain any crypto address or contact details for ransom payments. Instead, it contains links to the social media channels used to advertise the victim’s data, as shown in Figure 1. This indicates that the ransomware group is interested in selling the exfiltrated data rather than demanding money from its victims.\r\nhttps://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/\r\nPage 1 of 10\r\nFigure 1 – BlackMagic Ransom Note\r\nThe Threat Actors (TAs) behind this group use multiple cybercrime forums to sell the data obtained from these attacks. The TA claims to have 50GB of data from Israeli transportation companies and also claims that these attacks include sensitive data of over 65% of Israeli citizens. The figure below shows the post made by the TA on a cybercrime forum.\r\nFigure 2 – BlackMagic’s TA Selling Data\r\nBlackMagic ransomware has targeted many companies from Israel’s Transportation and Logistics industry. The group claims to have hampered logistics operations by destroying companies’ databases and altering bills of lading. The figure below shows the claims made by the ransomware group.\r\nFigure 3 – Targeting Transportation and Logistics Industry\r\nWe have also observed a few instances where this group defaced the victim’s website. The figure below shows the web defacement done by the BlackMagic group.\r\nFigure 4 – Website Defacement\r\nThe ransomware payload comes from hxxp[:]//5.230.70[.]49/dll/microsoftupdatedefender[.]rar; the microsoftupdatedefender[.]rar archive contains two files named “MicrosoftUpdate.dll” and “back.bmp”. The ransomware DLL is then dropped in the location C:\\Users\\Public\\Documents\\” and executed using rundll32.exe. We suspect this ransomware DLL could have been dropped and executed either manually or by other malware.\r\nTechnical Analysis\r\nThis ransomware group uses a 64-bit DLL file as its payload (SHA256: 8f855ed4c2f17487bac5d5079437acd728ccd68d93b49ab2f5b6d6d2430da133).\r\nThe DLL has only one exported function, called Black, which is responsible for executing the main functionality of BlackMagic ransomware.\r\nFigure 5 – DLL Export\r\nUpon execution, the ransomware calls the Sleep() function several times to evade sandbox detection. To ensure encryption proceeds without interference on the victim’s system, the ransomware kills specific processes using the command “taskkill /f /im \u003cprocess name\u003e*”. The ransomware has the following hardcoded process names in its binary for termination:\r\nteamview, anydesk, tnslsnr, vmware, nginx, httpd, docker, bak, site, db, postfix, imap, pop, clamav, qemu, cpanel, note, powerpnt, winword, excel, exchange, sql, tomcat, apache, java, python, vee, post, mys, vmwp, virtualbox, vbox, sqlserver, mysqld, omtstreco, oracle, mongodb, invoice, inetpub\r\nThe figure below shows the part of the code responsible for killing processes.\r\nFigure 6 – Killing Processes\r\nAfter this, the ransomware executes the reg add command to disable the Task Manager by adding the key “hkcu\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\policies\\\\system /v disabletaskmgr /t reg_dword /d 1 /f”. The figure below shows the registry key added by the ransomware to disable the Task Manager.\r\nFigure 7 – Disabling Task Manager\r\nNext, the ransomware fetches the victim’s local IP address using the ipconfig command, forms the URL “hxxp[:]//5.230.70[.]49/api/public/api/test?ip=\u003cVictim’s local IP\u003e\u0026status=0\u0026cnt=100\u0026type=server\u0026num=11111170”, and sends a GET request to its remote server. The image below shows the code snippet used by the ransomware to form the URL for the GET request.\r\nFigure 8 – Using ipconfig\r\nThe ransomware then calls the GetLogicalDriveStringsA() API to find the drives attached to the victim’s system and enumerates the files on each identified drive for encryption. Before processing files for encryption, it drops a ransom note named “HackedByBlackMagic.txt” in every folder. BlackMagic ransomware uses the Rijndael algorithm for encryption. The figure below shows the implementation of the Rijndael encryption algorithm in the ransomware binary.\r\nFigure 9 – Using Rijndael Encryption Algorithm\r\nAfter encrypting the victim’s files, it renames them by appending “.BlackMagic” as an extension. This ransomware encrypts nearly all files, excluding only executable and DLL files in certain critical Windows folders. The figure below shows the encrypted files.\r\nFigure 10 – Appending “.BlackMagic” as an extension\r\nFinally, the ransomware creates a .bat file named “next.bat” in “C:\\Users\\Public\\Documents”, writes a sequence of commands to it, and then executes it. The ransomware creates and executes “next.bat” to delete its traces after encrypting the files on the victim’s machine and to change the desktop background. The following table shows the .bat file commands along with their descriptions.\r\nCommand | Description\r\nping -n 4 127.0.0.1 | Sends 4 echo requests to localhost\r\nreg add \\hkey_current_user\\\\control panel\\\\desktop\\ /v wallpaper /t reg_sz /d C:\\\\Users\\\\Public\\\\Documents\\\\back.bmp /f | Adds a registry key to change the desktop background\r\nping -n 3 127.0.0.1 | Sends 3 echo requests to localhost\r\ntaskkill /f /im rundll* | Kills all processes whose name begins with rundll\r\nping -n 5 127.0.0.1 | Sends 5 echo requests to localhost\r\ndel /F \\c:\\\\users\\\\public\\\\Documents\\\\MicrosoftUpdate.dll\\ | Deletes MicrosoftUpdate.dll\r\ndel /F \\c:\\\\users\\\\public\\\\Documents\\\\MicrosoftUpdate.dll.BlackMagic\\ | Deletes MicrosoftUpdate.dll.BlackMagic\r\ndel /F \\c:\\\\users\\\\public\\\\Documents\\\\back.bmp\\ | Deletes back.bmp\r\nshutdown /r | Restarts the system\r\ndel %0 | Deletes itself (the next.bat file)\r\nThe desktop wallpaper might not change for every victim, as the ransomware deletes the back.bmp file using the .bat commands. The figure below shows the final state of an infected system with a changed background.\r\nFigure 11 – Changing the victim’s wallpaper\r\nConclusion\r\nBased on the activities of the BlackMagic ransomware group, we suspect them to be politically motivated, but it is currently unclear how they will evolve in the future.\r\nIn 2021, the Moses Staff hacking team surfaced, targeting Israel-based organizations. They deployed ransomware but did not demand ransom payments, and leaked victims’ data. BlackMagic appears to use similar techniques, but they appear to be financially motivated, as we witnessed them selling victims’ data.\r\nWe have not encountered any ransom demands made by this group to date, and the ransomware payload was encrypting .exe and .dll files, which is atypical for ransomware, indicating that the TAs might be deploying ransomware to disrupt operations.\r\nOur Recommendations\r\nThe following essential cybersecurity best practices create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nMonitor incoming emails from suspicious and potentially malicious domains.\r\nBack up data in different locations and implement Business Continuity Planning (BCP). Keep backup servers isolated from the infrastructure, which helps fast data recovery.\r\nConduct frequent audits, vulnerability assessments, and penetration testing of organizational assets, including network and software.\r\nEnforce VPN use to safeguard endpoints.\r\nConduct frequent security awareness training for the company’s employees to inform them about emerging threats.\r\nImplement technology to understand the behavior of ransomware and malware families and variants in order to block malicious payloads and counter potential attacks.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nDefense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32\r\nDiscovery | T1016 | System Network Configuration Discovery\r\nCommand and Control | T1071 | Application Layer Protocol\r\nImpact | T1486 | Data Encrypted for Impact\r\nImpact | T1489 | Service Stop\r\nImpact | T1529 | System Shutdown/Reboot\r\nImpact | T1491 | Defacement\r\nIndicators of compromise\r\nSource: https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/"
	],
	"report_names": [
		"a-closer-look-at-blackmagic-ransomware"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax",
				"DEV-0500",
				"Marigold Sandstorm",
				"Moses Staff",
				"Vengeful Kitten"
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6656aaf905e375ab304fd89e17e58642a15518f3.pdf",
		"text": "https://archive.orkl.eu/6656aaf905e375ab304fd89e17e58642a15518f3.txt",
		"img": "https://archive.orkl.eu/6656aaf905e375ab304fd89e17e58642a15518f3.jpg"
	}
}