{
	"id": "d2a4b1ba-86d8-4a62-962d-22d6b6d0a8f5",
	"created_at": "2026-04-06T00:21:41.200727Z",
	"updated_at": "2026-04-10T03:32:24.784426Z",
	"deleted_at": null,
	"sha1_hash": "6d31d31da7f9f705ca27b104dad14fa98098bd91",
	"title": "FBI: BlackByte ransomware breached US critical infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1205689,
	"plain_text": "FBI: BlackByte ransomware breached US critical infrastructure\r\nBy Sergiu Gatlan\r\nPublished: 2022-02-14 · Archived: 2026-04-05 19:23:44 UTC\r\nThe US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months.\r\nThis was disclosed in a TLP:WHITE joint cybersecurity advisory released Friday in coordination with the US Secret Service.\r\n\"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food \u0026 agriculture),\" the federal law enforcement agency said [PDF].\r\nhttps://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/\r\nPage 1 of 4\n\n\"BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.\"\r\nThe advisory focuses on providing indicators of compromise (IOCs) that organizations can use to detect and defend against BlackByte's attacks.\r\nThe IOCs associated with BlackByte activity shared in the advisory include MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands the ransomware operators used during attacks.\r\nThe 49ers ransomware attack\r\nIn related news, NFL's San Francisco 49ers team revealed over the weekend that it's recovering from a BlackByte ransomware attack.\r\nThe threat actors claimed the attack, saying that they also stole data from the football org's servers during the incident and leaked almost 300MB worth of files on their data leak blog.\r\nThe 49ers confirmed the ransomware attack in a statement to BleepingComputer and said it only caused a temporary disruption to portions of its IT network.\r\nThe BlackByte ransomware operation has been active since at least July 2021, when it started targeting corporate victims worldwide.\r\nThis gang is known for exploiting software vulnerabilities (including Microsoft Exchange Server) to gain initial access to their enterprise targets' networks, illustrating that keeping your servers updated will most likely block their attacks.\r\nIn October, cybersecurity firm Trustwave created and released a free BlackByte decryptor, enabling some victims to restore their files for free after the ransomware gang used the same decryption/encryption key in multiple attacks.\r\nThe two agencies also shared a list of measures that can help admins mitigate BlackByte attacks:\r\nImplement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.\r\nImplement network segmentation, such that all machines on your network are not accessible from every other machine.\r\nInstall and regularly update antivirus software on all hosts, and enable real time detection.\r\nInstall updates/patch operating systems, software, and firmware as soon as updates/patches are released.\r\nReview domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\r\nAudit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.\r\nDisable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nUse double authentication when logging into accounts or services.\r\nEnsure routine auditing is conducted for all accounts.\r\nEnsure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/"
	],
	"report_names": [
		"fbi-blackbyte-ransomware-breached-us-critical-infrastructure"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d31d31da7f9f705ca27b104dad14fa98098bd91.pdf",
		"text": "https://archive.orkl.eu/6d31d31da7f9f705ca27b104dad14fa98098bd91.txt",
		"img": "https://archive.orkl.eu/6d31d31da7f9f705ca27b104dad14fa98098bd91.jpg"
	}
}