{
	"id": "d75f4dd6-d67b-4458-a945-ff014408d574",
	"created_at": "2026-04-06T00:08:26.274055Z",
	"updated_at": "2026-04-10T13:12:09.345327Z",
	"deleted_at": null,
	"sha1_hash": "97b9b73bcd13d967adfe3815b9e57b90d31aa5ec",
	"title": "The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 557183,
	"plain_text": "The five-day job: A BlackByte ransomware intrusion case study |\r\nMicrosoft Security Blog\r\nBy Microsoft Incident Response\r\nPublished: 2023-07-06 · Archived: 2026-04-02 12:15:50 UTC\r\nAs ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations\r\nif organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as\r\nMicrosoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full\r\nattack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim\r\norganization.\r\nOur investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating\r\nin the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:\r\nExploitation of unpatched internet-exposed Microsoft Exchange Servers\r\nWeb shell deployment facilitating remote access\r\nUse of living-off-the-land tools for persistence and reconnaissance\r\nDeployment of Cobalt Strike beacons for command and control (C2)\r\nProcess hollowing and the use of vulnerable drivers for defense evasion\r\nDeployment of custom-developed backdoors to facilitate persistence\r\nDeployment of a custom-developed data collection and exfiltration tool\r\nFigure 1. BlackByte 2.0 ransomware attack chain\r\nIn this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the\r\nthreat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the\r\ncybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that\r\nprecede ransomware deployment. 
This case highlights that common security hygiene practices go a long way in preventing,\r\nidentifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We\r\nencourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date\r\nand configured securely. We also share indicators of compromise, detection details, and hunting guidance to help\r\norganizations identify and respond to these attacks in their environments.\r\nForensic analysis\r\nInitial access and privilege escalation\r\nTo obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities\r\nCVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of\r\nthese vulnerabilities allowed the threat actor to:\r\nAttain system-level privileges on the compromised Exchange host\r\nEnumerate the LegacyDN of users by sending Autodiscover requests, and from it obtain the users’ SIDs\r\nConstruct a valid authentication token and use it against the Exchange PowerShell backend\r\nImpersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet\r\nCreate web shells to obtain remote control on affected servers\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\r\nPage 1 of 15\n\nThe threat actor was observed operating from the following IP address to exploit ProxyShell and access the web shell:\r\n185.225.73[.]244\r\nPersistence\r\nBackdoor\r\nAfter gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user\r\nsigns in:\r\nRegistry key | Value name | Value data\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE | rundll32 C:\\Users\\user\\Downloads\\api-msvc.dll,Default\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE | rundll32 C:\\temp\\api-msvc.dll,Default\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | MsEdgeMsE | rundll32 C:\\systemtest\\api-system.png,Default\r\n
The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was\r\ndetermined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name,\r\nand IP address. This information is then sent via HTTP POST request to the following C2 channel:\r\nhxxps://myvisit[.]alteksecurity[.]org/t\r\nThe organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as\r\nthe primary antivirus solution, and the backdoor was allowed to run.\r\nAn additional file, api-system.png, was identified to have similarities to api-msvc.dll. Despite its extension, this file behaved like a DLL, had the\r\nsame default export function, and also leveraged run keys for persistence.\r\nCobalt Strike Beacon\r\nThe threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256:\r\n5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as\r\nTrojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file\r\nsharing service temp[.]sh:\r\nhxxps://temp[.]sh/szAyn/sys.exe\r\nThis beacon was configured to communicate with the following C2 channel:\r\n109.206.243[.]59:443\r\nAnyDesk\r\nThreat actors leverage legitimate remote access tools during intrusions to blend into a victim network. 
In this case, the threat\r\nactor utilized the remote administration tool AnyDesk to maintain persistence and move laterally within the network.\r\nAnyDesk was installed as a service and was run from the following paths:\r\nC:\\systemtest\\anydesk\\AnyDesk.exe\r\nC:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\r\nC:\\Scripts\\AnyDesk.exe\r\nSuccessful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses\r\nlinked to Tor and Mullvad VPN, a common technique that threat actors employ to obscure their source IP ranges.\r\nReconnaissance\r\nWe found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform\r\nnetwork enumeration; the same binary was present under the following two file names:\r\nnetscan.exe (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)\r\nnetapp.exe (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)\r\nAdditionally, execution of AdFind (SHA-256:\r\nf157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was\r\nobserved in the environment.\r\nCredential access\r\nEvidence of likely usage of the credential theft tool Mimikatz was also uncovered through the presence of a related log file,\r\nmimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.\r\nLateral movement\r\nUsing compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell\r\nremoting to obtain access to other servers in the environment, including domain controllers.\r\nData staging and exfiltration\r\nOn one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified,\r\ndetected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. 
However, because tamper protection wasn’t enabled on\r\nthis server, the threat actor was able to disable the Microsoft Defender Antivirus service and then run the\r\nfile using the following command (the argument is the key that ExByte later uses to decrypt its credential file, as described below):\r\nexplorer.exe P@$$w0rd\r\nAfter reverse engineering explorer.exe, we determined it to be ExByte, a Go-based tool developed and commonly used\r\nin BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of\r\nenumerating files of interest across the network and, upon execution, creates a log file containing a list of files and\r\nassociated metadata. Multiple log files were uncovered during the investigation in the path:\r\nC:\\Exchange\\MSExchLog.log\r\nAnalysis of the binary revealed a list of file extensions that are targeted for enumeration.\r\nFigure 2. Binary analysis showing file extensions enumerated by explorer.exe\r\nForensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file\r\ncontained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform MEGA NZ using\r\nthe platform’s API at:\r\nhxxps://g.api.mega.co[.]nz\r\nFigure 3. 
Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ\r\nWe also determined that this version of ExByte was crafted specifically for the victim, as it contained a hardcoded device\r\nname belonging to the victim and an internal IP address.\r\nExByte execution flow\r\nUpon execution, ExByte decodes several strings and checks whether the process is running with privileged access by reading from the raw disk device\r\n\\\\.\\PHYSICALDRIVE0, which only an administrator can open:\r\nIf this check fails, ShellExecuteW is invoked with the lpOperation parameter set to \"runas\", which relaunches explorer.exe with\r\nelevated privileges.\r\nAfter this access check, explorer.exe attempts to read the data.txt file in the current location:\r\nIf the text file doesn’t exist, it invokes a command for self-deletion (ping is used as a ten-second delay so the process has exited before the file is removed) and exits:\r\nC:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 10 \u003e nul \u0026 Del \u003cpath\u003e\\explorer.exe /F /Q\r\nIf data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function, and then decrypts the data\r\nusing the key provided on the command line. The decrypted data is then parsed as the JSON below and fed to the login\r\nfunction:\r\n{\r\n\"a\":\"us0\",\r\n\"user\":\"\u003ccontent from data.txt\u003e\"\r\n}\r\nFinally, it forms a URL for sign-in to the API of the service MEGA NZ:\r\nhxxps://g.api.mega.co[.]nz/cs?id=1674017543\r\nData encryption and destruction\r\nOn devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender\r\nAntivirus as Trojan:Win64/BlackByte!MSR, with the following names:\r\nwEFT.exe\r\nschillerized.exe\r\nThe files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. 
The\r\nbinaries require an 8-digit key number to encrypt files.\r\nTwo modes of execution were identified:\r\nWhen the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.\r\nWhen the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer for eXecutables\r\n(UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in\r\nthe binary, facilitating the deployment of the binary across the network.\r\nDepending on the switch (-s or -a), execution may create the following files:\r\nC:\\SystemData\\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256:\r\nba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)\r\nC:\\SystemData\\wEFT.exe (Additional BlackByte binary)\r\nC:\\SystemData\\MsExchangeLog1.log (Log file)\r\nC:\\SystemData\\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver, RTCore64.sys, used to evade detection by\r\ninstalled antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)\r\nC:\\SystemData\\iHu6c4.ico (Random name; BlackByte’s icon)\r\nC:\\SystemData\\BB_Readme_file.txt (BlackByte ReadMe file)\r\nC:\\SystemData\\skip_bypass.txt (Unknown)\r\nBlackByte 2.0 ransomware capabilities\r\nSome capabilities identified for the BlackByte 2.0 ransomware were:\r\nAntivirus bypass\r\nThe file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows\r\nany authenticated user to read or write to arbitrary kernel memory\r\nThe BlackByte binary then creates and starts a service named RABAsSaa that loads rENEgOtiAtES, and exploits\r\nthis driver to evade detection by installed antivirus software\r\nProcess hollowing\r\nInvokes svchost.exe, injects into it to complete device encryption, and self-deletes by executing the following\r\ncommand:\r\ncmd.exe /c ping 1.1.1.1 -n 10 \u003e Nul \u0026 Del \"PATH_TO_BLACKBYTE\" /F /Q\r\nModification / disabling of Windows 
Firewall\r\nThe following commands are executed to either modify existing Windows Firewall rules or to disable\r\nWindows Firewall entirely:\r\ncmd /c netsh advfirewall set allprofiles state off\r\ncmd /c netsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes\r\ncmd /c netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes\r\nModification of volume shadow copies\r\nThe following commands are executed to destroy volume shadow copies on the machine. Shrinking the shadow storage below the space already in use forces Windows to delete the existing shadow copies; the second command then lifts the limit again so nothing looks amiss:\r\ncmd /c vssadmin Resize ShadowStorage /For=B: /On=B: /MaxSize=401MB\r\ncmd /c vssadmin Resize ShadowStorage /For=B: /On=B: /MaxSize=UNBOUNDED\r\nModification of registry keys/values\r\nThe following commands are executed to modify the registry, facilitating elevated execution on the device. LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions so local administrator accounts receive a full token over the network (which PsExec-style deployment relies on), EnableLinkedConnections=1 makes mapped network drives visible to elevated processes, and LongPathsEnabled=1 lets the binary reach paths longer than MAX_PATH:\r\ncmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v\r\nLocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\ncmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v\r\nEnableLinkedConnections /t REG_DWORD /d 1 /f\r\ncmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t\r\nREG_DWORD /d 1 /f\r\nAdditional functionality\r\nAbility to terminate running services and processes\r\nAbility to enumerate and mount volumes and network shares for encryption\r\nPerform the anti-forensics technique timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01\r\n00:00:00)\r\nAbility to perform anti-debugging techniques\r\nRecommendations\r\nTo guard against BlackByte ransomware attacks, Microsoft recommends the following:\r\nEnsure that you have a patch management process in place and that patching for internet-exposed devices is\r\nprioritized; understand and assess your cyber exposure with advanced vulnerability and configuration assessment\r\ntools like Microsoft 
Defender Vulnerability Management\r\nImplement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility\r\ninto malicious activity in real time across your network\r\nEnsure antivirus protections are updated regularly by turning on cloud-based protection, and that your antivirus\r\nsolution is configured to block threats\r\nEnable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled\r\nBlock inbound traffic from IPs specified in the indicators of compromise section of this report\r\nBlock inbound traffic from Tor exit nodes\r\nBlock inbound access from unauthorized public VPN services\r\nRestrict administrative privileges to prevent unauthorized system changes\r\nConclusion\r\nBlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in\r\nthe Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could\r\nprotect against 98% of attacks.\r\nAs new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is\r\nnecessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to\r\nevade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to\r\ndetect potential attacks that could evade detections, as a complementary activity to continuous monitoring of security\r\ntool alerts and incidents.\r\nTo understand how Microsoft can help you secure your network and respond to network compromise, visit\r\nhttps://aka.ms/MicrosoftIR.\r\nMicrosoft 365 Defender detections\r\nMicrosoft 365 Defender is becoming Microsoft Defender XDR. 
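The following is an added hunting example written for this page; it is not code from the Microsoft write-up. It translates the BlackByte 2.0 behaviours quoted above (the rundll32 run-key persistence, the vssadmin shadow-storage resize, the netsh firewall disable, the LocalAccountTokenFilterPolicy registry change and the ping-then-Del self-deletion) and the indicators from the IOC table later in this post into Python rules, then runs them over a constructed sample of telemetry. The field names imitate Defender for Endpoint advanced-hunting columns (DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents), but every event, host name and the rule names are made up for the example. One deliberate difference from the page's own Run-key query: that query ends with ".dll,Default", while one of the observed run keys loaded api-system.png, so the rule here matches any ",Default" export regardless of file extension.

```python
"""Hunt for BlackByte 2.0 tradecraft over constructed endpoint telemetry.

Added example, not code from the Microsoft case study. The rules are
translations of the commands and hunting queries quoted in the write-up;
field names imitate Defender for Endpoint advanced-hunting columns, and
every event in SAMPLE_EVENTS is made up for this example.
"""
import re

# (rule name, event field to inspect, pattern). Case-insensitive because
# cmd.exe, reg.exe, netsh and vssadmin all accept any casing.
RULES = [
    # Run-key persistence: rundll32 loading a payload through its "Default" export.
    # The third observed key pointed at api-system.png, so no .dll suffix is required.
    ("runkey_rundll32_default", "RegistryValueData",
     re.compile(r"^rundll32(\.exe)?\s+.+,Default\b", re.I)),
    # Shadow storage shrunk to 401MB (discards shadow copies) and then set UNBOUNDED.
    ("vssadmin_resize_shadowstorage", "ProcessCommandLine",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*maxsize=(401MB|UNBOUNDED)", re.I)),
    # Windows Firewall switched off for every profile.
    ("netsh_firewall_off", "ProcessCommandLine",
     re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
    # Remote UAC restrictions disabled: local admins get a full token over the network.
    ("reg_localaccounttokenfilterpolicy", "ProcessCommandLine",
     re.compile(r"reg(\.exe)?\s+add\s+.*Policies\\System.*LocalAccountTokenFilterPolicy.*/d\s+1\b", re.I)),
    # ping-as-sleep followed by Del: the self-removal used by both ExByte and BlackByte.
    ("ping_delay_self_delete", "ProcessCommandLine",
     re.compile(r"ping\s+1\.1\.1\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b.*/F\s+/Q", re.I)),
]

# Indicators copied from the IOC table, kept defanged as published.
DEFANGED_IOCS = {
    "hxxps://myvisit[.]alteksecurity[.]org/t": "C2 for backdoor api-msvc.dll",
    "hxxps://temp[.]sh/szAyn/sys.exe": "download URL for sys.exe",
    "109.206.243[.]59": "C2 for Cobalt Strike Beacon sys.exe",
    "185.225.73[.]244": "ProxyShell exploitation / web shell source",
    "4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e": "api-msvc.dll backdoor",
    "5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103": "sys.exe Cobalt Strike Beacon",
    "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd": "rENEgOtiAtES (RTCore64.sys)",
    "ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f": "UPX-packed PsExec dropped by BlackByte",
    "1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e": "netscan.exe / netapp.exe",
    "f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e": "AdFind.exe",
}


def refang(indicator):
    """Undo the [.] and hxxp defanging so an indicator can be compared with telemetry."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .lower())


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


def match_iocs(event):
    """Exact, case-folded comparison of the event's IP, URL and hash fields against IOCS."""
    hits = []
    for field in ("RemoteIP", "RemoteUrl", "SHA256"):
        value = str(event.get(field, "")).strip().lower()
        if value and value in IOCS:
            hits.append(IOCS[value])
    return hits


def hunt(events):
    """Return (device, finding) tuples for every rule or IOC hit across the events."""
    findings = []
    for ev in events:
        for name, field, pattern in RULES:
            if pattern.search(str(ev.get(field, ""))):
                findings.append((ev["DeviceName"], name))
        for description in match_iocs(ev):
            findings.append((ev["DeviceName"], "ioc:" + description))
    return findings


# Constructed sample telemetry (fictional hosts); the command lines are the ones quoted in the case study.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RegistryKey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "MsEdgeMsE", "RegistryValueData": r"rundll32 C:\systemtest\api-system.png,Default"},
    {"DeviceName": "fs02", "ProcessCommandLine": "cmd /c vssadmin Resize ShadowStorage /For=B: /On=B: /MaxSize=401MB"},
    {"DeviceName": "fs02", "ProcessCommandLine": "cmd /c netsh advfirewall set allprofiles state off"},
    {"DeviceName": "dc01", "ProcessCommandLine": r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"},
    {"DeviceName": "fs02", "ProcessCommandLine": r'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "C:\SystemData\wEFT.exe" /F /Q'},
    {"DeviceName": "ws01", "RemoteIP": "109.206.243.59", "RemotePort": 443},
    {"DeviceName": "ws01", "SHA256": "5F37B85687780C089607670040DBB3DA2749B91B8ADC0AA411FD6280B5FA7103"},
    # Benign activity that must stay silent: a read-only vssadmin query and an ordinary Run key.
    {"DeviceName": "ws03", "ProcessCommandLine": "vssadmin list shadowstorage"},
    {"DeviceName": "ws03", "RegistryValueData": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for device, finding in hunt(SAMPLE_EVENTS):
        print(f"{device}: {finding}")
```

Exact matching is used for the IOCs because hashes and IPs are unambiguous; substring matching on IPs would also fire on longer addresses that merely contain them. The regex rules deliberately key on the attacker's exact tooling (the 401MB/UNBOUNDED pair, ping 1.1.1.1 as a sleep) rather than on vssadmin or ping alone, which keeps the read-only vssadmin query in the sample silent.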
Microsoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nTrojan:Win32/Kovter!MSR\r\nTrojan:Win64/WinGoObfusc.LK!MT\r\nTrojan:Win64/BlackByte!MSR\r\nHackTool:Win32/AdFind!MSR\r\nTrojan:Win64/CobaltStrike!MSR\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered\r\nby unrelated threat activity.\r\n‘CVE-2021-31207’ exploit malware was detected\r\nAn active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.\r\nSuspicious registry modification.\r\n‘Rtcore64’ hacktool was detected\r\nPossible ongoing hands-on-keyboard activity (Cobalt Strike)\r\nA file or network connection related to a ransomware-linked emerging threat activity group detected\r\nSuspicious sequence of exploration activities\r\nA process was injected with potentially malicious code\r\nSuspicious behavior by cmd.exe was observed\r\n‘Blackbyte’ ransomware was detected\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in\r\nthis threat:\r\nCVE-2021-34473\r\nCVE-2021-34523\r\nCVE-2021-31207\r\nCVE-2019-16098\r\nHunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\r\nProxyShell web shell creation events\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_any (\"ExcludeDumpster\",\"New-ExchangeCertificate\") and ProcessCommandLine\r\nhas_any (\"-RequestFile\",\"-FilePath\")\r\nSuspicious vssadmin events\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_any (\"vssadmin\",\"vssadmin.exe\") and ProcessCommandLine has \"Resize ShadowStorage\" 
and ProcessCommandLine has_any (\"MaxSize=401MB\",\"MaxSize=UNBOUNDED\")\r\nDetection for persistence creation using Registry Run keys\r\nDeviceRegistryEvents\r\n| where ActionType == \"RegistryValueSet\"\r\n| where (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\RunOnce\" and RegistryValueName == \"MsEdgeMsE\")\r\nor (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\RunOnceEx\" and RegistryValueName == \"MsEdgeMsE\")\r\nor (RegistryKey has @\"Microsoft\\Windows\\CurrentVersion\\Run\" and RegistryValueName == \"MsEdgeMsE\")\r\n| where RegistryValueData startswith @\"rundll32\"\r\n| where RegistryValueData endswith @\".dll,Default\"\r\n| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found\r\nhere: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above:\r\nProxyShell\r\nWeb shell activity\r\nSuspicious file downloads on Exchange Servers\r\nFirewall rule changes\r\nShadow copy deletion\r\nAnomalous RDP activity\r\nIndicators of compromise\r\nThe table below shows IOCs observed during our investigation. 
We encourage our customers to investigate these indicators\r\nin their environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nIndicator | Type | Description\r\n4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e | SHA-256 | api-msvc.dll (backdoor installed through Run keys)\r\n5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 | SHA-256 | sys.exe (Cobalt Strike Beacon)\r\n01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd | SHA-256 | rENEgOtiAtES (vulnerable driver RTCore64.sys created by BlackByte binary)\r\nba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f | SHA-256 | [RANDOM_NAME].exe (UPX-packed PsExec created by BlackByte binary)\r\n1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e | SHA-256 | netscan.exe, netapp.exe (NetScan network discovery tool)\r\nf157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e | SHA-256 | AdFind.exe (Active Directory information gathering tool)\r\nhxxps://myvisit[.]alteksecurity[.]org/t | URL | C2 for backdoor api-msvc.dll\r\nhxxps://temp[.]sh/szAyn/sys.exe | URL | Download URL for sys.exe\r\n109.206.243[.]59 | IP address | C2 for Cobalt Strike Beacon sys.exe\r\n185.225.73[.]244 | IP address | Originating IP address for ProxyShell exploitation and web shell interaction\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nAppendix\r\nFile extensions targeted by BlackByte binary for encryption:\r\n.4dd .4dl .accdb .accdc .accde .accdr .accdt .accft\r\n.adb .ade .adf .adp .arc .ora .alf .ask\r\n.btr .bdf .cat .cdb .ckp .cma .cpd .dacpac\r\n.dad .dadiagrams .daschema .db .db-shm .db-wal .db3 .dbc\r\n.dbf .dbs .dbt .dbv .dbx .
dcb .dct .dcx\r\n.ddl .dlis .dp1 .dqy .dsk .dsn .dtsx .dxl\r\n.eco .ecx .edb .epim .exb .fcd .fdb .fic\r\n.fmp .fmp12 .fmpsl .fol .fp3 .fp4 .fp5 .fp7\r\n.fpt .frm .gdb .grdb .gwi .hdb .his .ib\r\n.idb .ihx .itdb .itw .jet .jtx .kdb .kexi\r\n.kexic .kexis .lgc .lwx .maf .maq .mar .masmav\r\n.mdb .mpd .mrg .mud .mwb .myd .ndf .nnt\r\n.nrmlib .ns2 .ns3 .ns4 .nsf .nv .nv2 .nwdb\r\n.nyf .odb .ogy .orx .owc .p96 .p97 .pan\r\n.pdb .pdm .pnz .qry .qvd .rbf .rctd .rod\r\n.rodx .rpd .rsd .sas7bdat .sbf .scx .sdb .sdc\r\n.sdf .sis .spg .sql .sqlite .sqlite3 .sqlitedb .te\r\n.temx .tmd .tps .trc .trm .udb .udl .usr\r\n.v12 .vis .vpd .vvv .wdb .wmdb .wrk .xdb\r\n.xld .xmlff .abcddb .abs .abx .accdw .and .db2\r\n.fm5 .hjt .icg .icr .kdb .lut .maw .mdn\r\n.mdt\r\nShared folders targeted for encryption (Example: \\\\[IP address]\\Downloads):\r\nUsers Backup Veeam homes home\r\nmedia common Storage Server Public Web\r\nImages Downloads BackupData ActiveBackupForBusiness Backups\r\nNAS-DC DCBACKUP DirectorFiles share\r\nFile extensions ignored:\r\n.ini .url .msilog .log .ldf .lock .theme .msi\r\n.sys .wpx .cpl .adv .msc .scr .key .ico\r\n.dll .hta .deskthemepack .nomedia .msu .rtp .msp .idx\r\n.ani .386 .diagcfg .bin .mod .ics .com .hlp\r\n.spl .nls .cab .exe .diagpkg .icl .ocx .rom\r\n.prf .thempack .msstyles .icns .mpa .drv .cur .diagcab\r\n.cmd .shs\r\nFolders ignored:\r\nwindows boot program files (x86) windows.old programdata\r\nintel bitdefender trend micro windowsapps appdata\r\napplication data system volume information perflogs msocache\r\nFiles ignored:\r\nbootnxt ntldr bootmgr thumbs.db\r\nntuser.dat bootsect.bak autoexec.bat iconcache.db\r\nbootfont.bin\r\nProcesses 
terminated:\r\nteracopy teamviewer nsservice nsctrl uranium\r\nprocesshacker procmon pestudio procmon64 x32dbg\r\nx64dbg cff explorer procexp pslist tcpview\r\ntcpvcon dbgview rammap rammap64 vmmap\r\nollydbg autoruns autorunssc filemon regmon\r\nidaq idaq64 immunitydebugger wireshark dumpcap\r\nhookexplorer importrec petools lordpe sysinspector\r\nproc_analyzer sysanalyzer sniff_hit windbg joeboxcontrol\r\njoeboxserver resourcehacker fiddler httpdebugger dumpit\r\nrammap rammap64 vmmap agntsvc cntaosmgr\r\ndbeng50 dbsnmp encsvc infopath isqlplussvc\r\nmbamtray msaccess msftesql mspub mydesktopqos\r\nmydesktopservice mysqld mysqld-nt mysqld-opt Ntrtscan\r\nocautoupds ocomm ocssd onenote oracle\r\noutlook PccNTMon powerpnt sqbcoreservice sql\r\nsqlagent sqlbrowser sqlservr sqlwriter steam\r\nsynctime tbirdconfig thebat thebat64 thunderbird\r\ntmlisten visio winword wordpad xfssvccon\r\nzoolz\r\nServices terminated:\r\nCybereasonRansomFree vnetd bpcd SamSs TeraCopyService\r\nmsftesql nsService klvssbridge64 vapiendpoint ShMonitor\r\nSmcinst SmcService SntpService svcGenericHost Swi_\r\nTmCCSF tmlisten TrueKey TrueKeyScheduler TrueKeyServiceHelper\r\nWRSVC McTaskManager OracleClientCache80 mfefire wbengine\r\nmfemms RESvc mfevtp sacsvr SAVAdminService\r\nSepMasterService PDVFSService ESHASRV SDRSVC FA_Scheduler\r\nKAVFS KAVFS_KAVFSGT kavfsslp klnagent macmnsvc\r\nmasvc MBAMService MBEndpointAgent McShield audioendpointbuilder\r\nAntivirus AVP DCAgent bedbg EhttpSrv\r\nMMS ekrn EPSecurityService EPUpdateService ntrtscan\r\nEsgShKernel msexchangeadtopology AcrSch2Svc MSOLAP$TPSAMA\r\nIntel(R) PROSet Monitoring\r\nmsexchangeimap4 ARSM unistoresvc_1af40a ReportServer$TPS MSOLAP$SYSTEM_BG\r\nW3Svc MSExchangeSRS ReportServer$TPSAMA Zoolz 2 Service MSOLAP$TPS\r\naphidmonitorservice SstpSvc MSExchangeMTA 
ReportServer$SYSTEM_BGC\r\nSymantec System\r\nRecovery\r\nUI0Detect MSExchangeSA MSExchangeIS ReportServer MsDtsServer110\r\nPOP3Svc MSExchangeMGMT SMTPSvc MsDtsServer IisAdmin\r\nMSExchangeES EraserSvc11710\r\nEnterprise Client\r\nService\r\nMsDtsServer100 NetMsmqActivator\r\nstc_raw_agent VSNAPVSS PDVFSService AcrSch2Svc Acronis\r\nCASAD2DWebSvc CAARCUpdateSvc McAfee avpsus DLPAgentService\r\nmfewc BMR Boot Service DefWatch ccEvtMgr ccSetMgr\r\nSavRoam RTVsc screenconnect ransom sqltelemetry msexch\r\nvnc teamviewer msolap veeam backup\r\nsql memtas vss sophos svc$\r\nmepocs wuauserv      \r\nDrivers that Blackbyte can bypass:\r\n360avflt.sys 360box.sys 360fsflt.sys 360qpesv.sys 5nine.cbt\r\na2acc.sys a2acc64.sys a2ertpx64.sys a2ertpx86.sys a2gffi64.\r\na2gffx64.sys a2gffx86.sys aaf.sys aalprotect.sys abrpmon\r\naccessvalidator.sys acdriver.sys acdrv.sys adaptivaclientcache32.sys adaptivac\r\nadcvcsnt.sys adspiderdoc.sys aefilter.sys agentrtm64.sys agfsmon\r\nagseclock.sys agsyslock.sys ahkamflt.sys ahksvpro.sys ahkusbfw\r\nahnrghlh.sys aictracedrv_am.sys airship-filter.sys ajfsprot.sys alcapture\r\nalfaff.sys altcbt.sys amfd.sys amfsm.sys amm646\r\namm8660.sys amsfilter.sys amznmon.sys antileakfilter.sys antispyfi\r\nanvfsm.sys apexsqlfilterdriver.sys appcheckd.sys appguard.sys appvmon\r\narfmonnt.sys arta.sys arwflt.sys asgard.sys ashavsca\r\nasiofms.sys aswfsblk.sys aswmonflt.sys aswsnx.sys aswsp.sy\r\naszfltnt.sys atamptnt.sys atc.sys atdragent.sys atdragent\r\naternityregistryhook.sys atflt.sys atrsdfw.sys auditflt.sys aupdrv.sy\r\navapsfd.sys avc3.sys avckf.sys avfsmn.sys avgmfi64\r\navgmfrs.sys avgmfx64.sys avgmfx86.sys avgntflt.sys avgtpx64\r\navgtpx86.sys avipbb.sys avkmgr.sys avmf.sys awarecor\r\naxfltdrv.sys axfsysmon.sys ayfilter.sys b9kernel.sys backupre\r\nbamfltr.sys bapfecpt.sys bbfilter.sys bd0003.sys bddevflt.\r\nbdfiledefend.sys bdfilespy.sys bdfm.sys bdfsfltr.sys bdprivmo\r\nbdrdfolder.sys bdsdkit.sys bdsfilter.sys bdsflt.sys 
bdsvm.sy\r\nbdsysmon.sys bedaisy.sys bemk.sys bfaccess.sys bfilter.sy\r\nbfmon.sys bhdrvx64.sys bhdrvx86.sys bhkavka.sys bhkavki.\r\nbkavautoflt.sys bkavsdflt.sys blackbirdfsa.sys blackcat.sys bmfsdrv.\r\nbmregdrv.sys boscmflt.sys bosfsfltr.sys bouncer.sys boxifier.s\r\nbrcow_x_x_x_x.sys brfilter.sys brnfilelock.sys brnseclock.sys browserm\r\nbsrfsflt.sys bssaudit.sys bsyaed.sys bsyar.sys bsydf.sys\r\nbsyirmf.sys bsyrtm.sys bsysp.sys bsywl.sys bwfsdrv.\r\nbzsenspdrv.sys bzsenth.sys bzsenyaradrv.sys caadflt.sys caavfltr.s\r\ncancelsafe.sys carbonblackk.sys catflt.sys catmf.sys cbelam.s\r\ncbfilter20.sys cbfltfs4.sys cbfsfilter2017.sys cbfsfilter2020.sys cbsample\r\ncdo.sys cdrrsflt.sys cdsgfsfilter.sys centrifyfsf.sys cfrmd.sy\r\ncfsfdrv cgwmf.sys change.sys changelog.sys chemome\r\nciscoampcefwdriver.sys ciscoampheurdriver.sys ciscosam.sys clumiochangeblockmf.sys cmdccav\r\ncmdcwagt.sys cmdguard.sys cmdmnefs.sys cmflt.sys code42fi\r\ncodex.sys conduantfsfltr.sys containermonitor.sys cpavfilter.sys cpavkern\r\ncpepmon.sys crexecprev.sys crncache32.sys crncache64.sys crnsysm.\r\ncruncopy.sys csaam.sys csaav.sys csacentr.sys csaenh.sy\r\ncsagent.sys csareg.sys csascr.sys csbfilter.sys csdevicec\r\ncsfirmwareanalysis.sys csflt.sys csmon.sys cssdlp.sys ctamflt.sy\r\nctifile.sys ctinet.sys ctrpamon.sys ctx.sys cvcbt.sys\r\ncvofflineflt32.sys cvofflineflt64.sys cvsflt.sys cwdriver.sys cwmem2\r\ncybkerneltracker.sys cylancedrv64.sys cyoptics.sys cyprotectdrv32.sys cyprotect\r\ncytmon.sys cyverak.sys cyvrfsfd.sys cyvrlpc.sys cyvrmtgn\r\ndatanow_driver.sys dattofsf.sys da_ctl.sys dcfafilter.sys dcfsgrd.s\r\ndcsnaprestore.sys deepinsfs.sys delete_flt.sys devmonminifilter.sys dfmfilter\r\ndgedriver.sys dgfilter.sys dgsafe.sys dhwatchdog.sys diflt.sys\r\ndiskactmon.sys dkdrv.sys dkrtwrt.sys dktlfsmf.sys dnafsmon\r\ndocvmonk.sys 
docvmonk64.sys dpmfilter.sys drbdlock.sys drivesent\r\ndrsfile.sys drvhookcsmf.sys drvhookcsmf_amd64.sys drwebfwflt.sys drwebfw\r\ndsark.sys dsdriver.sys dsfemon.sys dsflt.sys dsfltfs.sy\r\ndskmn.sys dtdsel.sys dtpl.sys dwprot.sys dwshield\r\ndwshield64.sys eamonm.sys easeflt.sys easyanticheat.sys eaw.sys\r\necatdriver.sys edevmon.sys ednemfsfilter.sys edrdrv.sys edrsenso\r\nedsigk.sys eectrl.sys eetd32.sys eetd64.sys eeyehv.sy\r\neeyehv64.sys egambit.sys egfilterk.sys egminflt.sys egnfsflt.s\r\nehdrv.sys elock2fsctldriver.sys emxdrv2.sys enigmafilemondriver.sys enmon.sy\r\nepdrv.sys epfw.sys epfwwfp.sys epicfilter.sys epklib.sy\r\nepp64.sys epregflt.sys eps.sys epsmn.sys equ8_hel\r\neraser.sys esensor.sys esprobe.sys estprmon.sys estprp.sy\r\nestregmon.sys estregp.sys estrkmon.sys estrkr.sys eventmon\r\nevmf.sys evscase.sys excfs.sys exprevdriver.sys failattach\r\nfailmount.sys fam.sys fangcloud_autolock_driver.sys fapmonitor.sys farflt.sys\r\nfarwflt.sys fasdriver fcnotify.sys fcontrol.sys fdrtrace.s\r\nfekern.sys fencry.sys ffcfilt.sys ffdriver.sys fildds.sys\r\nfilefilter.sys fileflt.sys fileguard.sys filehubagent.sys filemon.s\r\nfilemonitor.sys filenamevalidator.sys filescan.sys filesharemon.sys filesightm\r\nfilesystemcbt.sys filetrace.sys file_monitor.sys file_protector.sys file_track\r\nfilrdriver.sys fim.sys fiometer.sys fiopolicyfilter.sys fjgsdis2.s\r\nfjseparettifilterredirect.sys flashaccelfs.sys flightrecorder.sys fltrs329.sys flyfs.sys\r\nfmdrive.sys fmkkc.sys fmm.sys fortiaptfilter.sys fortimon\r\nfortirmon.sys fortishield.sys fpav_rtp.sys fpepflt.sys fsafilter.s\r\nfsatp.sys fsfilter.sys fsgk.sys fshs.sys fsmon.sy\r\nfsmonitor.sys fsnk.sys fsrfilter.sys fstrace.sys fsulgk.sy\r\nfsw31rj1.sys gagsecurity.sys gbpkm.sys gcffilter.sys gddcv.sy\r\ngefcmp.sys gemma.sys geprotection.sys ggc.sys gibepcor\r\ngkff.sys 
gkff64.sys gkpfcb.sys gkpfcb64.sys gofsmf.sy\r\ngpminifilter.sys groundling32.sys groundling64.sys gtkdrv.sys gumhfilte\r\ngzflt.sys hafsnk.sys hbflt.sys hbfsfltr.sys hcp_kern\r\nhdcorrelatefdrv.sys hdfilemon.sys hdransomoffdrv.sys hdrfs.sys heimdall\r\nhexisfsmonitor.sys hfileflt.sys hiofs.sys hmpalert.sys hookcent\r\nhooksys.sys hpreg.sys hsmltmon.sys hsmltwhl.sys hssfwhl.s\r\nhvlminifilter.sys ibr2fsk.sys iccfileioad.sys iccfilteraudit.sys iccfilters\r\nicfclientflt.sys icrlmonitor.sys iderafilterdriver.sys ielcp.sys ieslp.sys\r\nifs64.sys ignis.sys iguard.sys iiscache.sys ikfilesec.\r\nim.sys imffilter.sys imfilter.sys imgguard.sys immflex.\r\nimmunetprotect.sys immunetselfprotect.sys inisbdrv64.sys ino_fltr.sys intelcas.s\r\nintmfs.sys inuse.sys invprotectdrv.sys invprotectdrv64.sys ionmonw\r\niothorfs.sys ipcomfltr.sys ipfilter.sys iprotect.sys iridiumsw\r\nirongatefd.sys isafekrnl.sys isafekrnlmon.sys isafermon isecureflt\r\nisedrv.sys isfpdrv.sys isirmfmon.sys isregflt.sys isregflt64\r\nissfltr.sys issregistry.sys it2drv.sys it2reg.sys ivappmo\r\niwdmfs.sys iwhlp.sys iwhlp2.sys iwhlpxp.sys jdppsf.sy\r\njdppwf.sys jkppob.sys jkppok.sys jkpppf.sys jkppxk.sy\r\nk7sentry.sys kavnsi.sys kawachfsminifilter.sys kc3.sys kconv.sy\r\nkernelagent32.sys kewf.sys kfac.sys kfileflt.sys kisknl.sy\r\nklam.sys klbg.sys klboot.sys kldback.sys kldlinf.sy\r\nkldtool.sys klfdefsf.sys klflt.sys klgse.sys klhk.sys\r\nklif.sys klifaa.sys klifks.sys klifsm.sys klrsps.sy\r\nklsnsr.sys klupd_klif_arkmon.sys kmkuflt.sys kmnwch.sys kmxagen\r\nkmxfile.sys kmxsbx.sys ksfsflt.sys ktfsfilter.sys ktsyncfsf\r\nkubwksp.sys lafs.sys lbd.sys lbprotect.sys lcgadmon\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\r\nPage 12 of 15\n\nlcgfile.sys lcgfilemon.sys lcmadmon.sys lcmfile.sys lcmfilem\r\nlcmprintmon.sys ldsecdrv.sys libwamf.sys livedrivefilter.sys llfilter.sy\r\nlmdriver.sys lnvscenter.sys locksmith.sys 
lragentmf.sys lrtp.sys\r\nmagicbackupmonitor.sys magicprotect.sys majoradvapi.sys marspy.sys maxcryp\r\nmaxproc64.sys maxprotector.sys mbae64.sys mbam.sys mbamcha\r\nmbamshuriken.sys mbamswissarmy.sys mbamwatchdog.sys mblmon.sys mcfilemo\r\nmcfilemon64.sys mcstrg.sys mearwfltdriver.sys message.sys mfdriver\r\nmfeaack.sys mfeaskm.sys mfeavfk.sys mfeclnrk.sys mfeelam\r\nmfefirek.sys mfehidk.sys mfencbdc.sys mfencfilter.sys mfencoas\r\nmfencrk.sys mfeplk.sys mfewfpk.sys miniicpt.sys minispy.s\r\nminitrc.sys mlsaff.sys mmpsy32.sys mmpsy64.sys monsterk\r\nmozycorpfilter.sys mozyenterprisefilter.sys mozyentfilter.sys mozyhomefilter.sys mozynex\r\nmozyoemfilter.sys mozyprofilter.sys mpfilter.sys mpkernel.sys mpksldrv\r\nmpxmon.sys mracdrv.sys mrxgoogle.sys mscan-rt.sys msiodrv4\r\nmsixpackagingtoolmonitor.sys msnfsflt.sys mspy.sys mssecflt.sys mtsvcdf.\r\nmumdi.sys mwac.sys mwatcher.sys mwfsmfltr.sys mydlpmf\r\nnamechanger.sys nanoavmf.sys naswsp.sys ndgdmk.sys neokerby\r\nnetaccctrl.sys netaccctrl64.sys netguard.sys netpeeker.sys ngscan.sy\r\nnlcbhelpi64.sys nlcbhelpx64.sys nlcbhelpx86.sys nlxff.sys nmlhssrv\r\nnmpfilter.sys nntinfo.sys novashield.sys nowonmf.sys npetw.sy\r\nnprosec.sys npxgd.sys npxgd64.sys nravwka.sys nrcomgrd\r\nnrcomgrdki.sys nregsec.sys nrpmonka.sys nrpmonki.sys nsminflt.\r\nnsminflt64.sys ntest.sys ntfsf.sys ntguard.sys ntps_fa.s\r\nnullfilter.sys nvcmflt.sys nvmon.sys nwedriver.sys nxfsmon\r\nnxrmflt.sys oadevice.sys oavfm.sys oczminifilter.sys odfsfilter\r\nodfsfimfilter.sys odfstokenfilter.sys offsm.sys omfltlh.sys osiris.sys\r\nospfile_mini.sys ospmon.sys parity.sys passthrough.sys path8flt.s\r\npavdrv.sys pcpifd.sys pctcore.sys pctcore64.sys pdgenfam\r\npecfilter.sys perfectworldanticheatsys.sys pervac.sys pfkrnl.sys pfracdrv.\r\npgpfs.sys pgpwdefs.sys phantomd.sys phdcbtdrv.sys pkgfilter.\r\npkticpt.sys plgfltr.sys plpoffdrv.sys pointguardvista64f.sys pointgua\r\npointguardvistar32.sys pointguardvistar64.sys procmon11.sys proggerdriver.sys 
psacfilea\r\npscff.sys psgdflt.sys psgfoctrl.sys psinfile.sys psinproc\r\npsisolator.sys pwipf6.sys pwprotect.sys pzdrvxp.sys qdocume\r\nqfapflt.sys qfilter.sys qfimdvr.sys qfmon.sys qminspec\r\nqmon.sys qqprotect.sys qqprotectx64.sys qqsysmon.sys qqsysmo\r\nqutmdrv.sys ranpodfs.sys ransomdefensexxx.sys ransomdetect.sys reaqtor.sy\r\nredlight.sys regguard.sys reghook.sys regmonex.sys repdrv.sy\r\nrepmon.sys revefltmgr.sys reveprocprotection.sys revonetdriver.sys rflog.sys\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\r\nPage 13 of 15\n\nrgnt.sys rmdiskmon.sys rmphvmonitor.sys rpwatcher.sys rrmon32\r\nrrmon64.sys rsfdrv.sys rsflt.sys rspcrtw.sys rsrtw.sys\r\nrswctrl.sys rswmon.sys rtologon.sys rtw.sys ruaff.sys\r\nrubrikfileaudit.sys ruidiskfs.sys ruieye.sys ruifileaccess.sys ruimachi\r\nruiminispy.sys rvsavd.sys rvsmon.sys rw7fsflt.sys rwchange\r\nryfilter.sys ryguard.sys safe-agent.sys safsfilter.sys sagntflt.s\r\nsahara.sys sakfile.sys sakmfile.sys samflt.sys samsung\r\nsanddriver.sys santa.sys sascan.sys savant.sys savonacc\r\nscaegis.sys scauthfsflt.sys scauthiodrv.sys scensemon.sys scfltr.sys\r\nscifsflt.sys sciptflt.sys sconnect.sys scred.sys sdactmon\r\nsddrvldr.sys sdvfilter.sys se46filter.sys secdodriver.sys secone_f\r\nsecone_proc10.sys secone_reg10.sys secone_usb.sys secrmm.sys secufile.s\r\nsecure_os.sys secure_os_mf.sys securofsd_x64.sys sefo.sys segf.sys\r\nsegiraflt.sys segmd.sys segmp.sys sentinelmonitor.sys serdr.sys\r\nserfs.sys sfac.sys sfavflt.sys sfdfilter.sys sfpmonit\r\nsgresflt.sys shdlpmedia.sys shdlpsf.sys sheedantivirusfilterdriver.sys sheedself\r\nshldflt.sys si32_file.sys si64_file.sys sieflt.sys simrep.sy\r\nsisipsfilefilter sk.sys skyamdrv.sys skyrgdrv.sys skywpdrv\r\nslb_guard.sys sld.sys smbresilfilter.sys smdrvnt.sys sndacs.sy\r\nsnexequota.sys snilog.sys snimg.sys snscore.sys snsrflt.sy\r\nsodatpfl.sys softfilterxxx.sys soidriver.sys solitkm.sys 
sonar.sys\r\nsophosdt2.sys sophosed.sys sophosntplwf.sys sophossupport.sys spbbcdrv\r\nspellmon.sys spider3g.sys spiderg3.sys spiminifilter.sys spotlight\r\nsprtdrv.sys sqlsafefilterdriver.sys srminifilterdrv.sys srtsp.sys srtsp64.s\r\nsrtspit.sys ssfmonm.sys ssrfsf.sys ssvhook.sys stcvsm.sy\r\nstegoprotect.sys stest.sys stflt.sys stkrnl64.sys storagedr\r\nstrapvista.sys strapvista64.sys svcbt.sys swcommfltr.sys swfsfltr.s\r\nswfsfltrv2.sys swin.sys symafr.sys symefa.sys symefa64\r\nsymefasi.sys symevent.sys symevent64x86.sys symevnt.sys symevnt3\r\nsymhsm.sys symrg.sys sysdiag.sys sysmon.sys sysmond\r\nsysplant.sys szardrv.sys szdfmdrv.sys szdfmdrv_usb.sys szedrdrv.\r\nszpcmdrv.sys taniumrecorderdrv.sys taobserveflt.sys tbfsfilt.sys tbmninifi\r\ntbrdrv.sys tdevflt.sys tedrdrv.sys tenrsafe2.sys tesmon.s\r\ntesxnginx.sys tesxporter.sys tffregnt.sys tfsflt.sys tgfsmf.sy\r\nthetta.sys thfilter.sys threatstackfim.sys tkdac2k.sys tkdacxp.s\r\ntkdacxp64.sys tkfsavxp.sys tkfsavxp64.sys tkfsft.sys tkfsft64.s\r\ntkpcftcb.sys tkpcftcb64.sys tkpl2k.sys tkpl2k64.sys tksp2k.sy\r\ntkspxp.sys tkspxp64.sys tmactmon.sys tmcomm.sys tmesflt.sy\r\ntmevtmgr.sys tmeyes.sys tmfsdrv2.sys tmkmsnsr.sys tmnciesc\r\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\r\nPage 14 of 15\n\ntmpreflt.sys tmumh.sys tmums.sys tmusa.sys tmxpflt.s\r\ntopdogfsfilt.sys trace.sys trfsfilter.sys tritiumfltr.sys trpmnflt.\r\ntrufos.sys trustededgeffd.sys tsifilemon.sys tss.sys tstfilter.sy\r\ntstfsredir.sys tstregredir.sys tsyscare.sys tvdriver.sys tvfiltr.sys\r\ntvmfltr.sys tvptfile.sys tvspfltr.sys twbdcfilter.sys txfilefilte\r\ntxregmon.sys uamflt.sys ucafltdriver.sys ufdfilter.sys uncheate\r\nupguardrealtime.sys usbl_ifsfltr.sys usbpdh.sys usbtest.sys uvmcifsf\r\nuwfreg.sys uwfs.sys v3flt2k.sys v3flu2k.sys v3ift2k.s\r\nv3iftmnt.sys v3mifint.sys varpffmon.sys vast.sys vcdriv.sy\r\nvchle.sys vcmfilter.sys vcreg.sys veeamfct.sys 
\n.ddl .dlis .eco .ecx .dp1 .edb .dqy .dsk .dsn .epim .exb .fcd .dtsx .dxl .fdb .fic .fmp .fmp12 .fmpsl .fol .fp3 .fp4 .fp5 .fp7 .fpt .frm .gdb .grdb .gwi .hdb .his .ib .idb .ihx .itdb .itw .jet .jtx .kdb .kexi .kexic .kexis .lgc .lwx .maf .maq .mar .masmav .mdb .mpd .mrg .mud .mwb .myd .ndf .nnt .nrmlib .ns2 .ns3 .ns4 .nsf .nv .nv2 .nwdb .nyf .odb .ogy .orx .owc .p96 .p97 .pan .pdb .pdm .pnz .qry .qvd .rbf .rctd .rod .rodx .rpd .rsd .sas7bdat .sbf .scx .sdb .sdc .sdf .sis .spg .sql .sqlite .sqlite3 .sqlitedb .te .temx .tmd .tps .trc .trm .udb .udl .usr .v12 .vis .vpd .vvv .wdb .wmdb .wrk .xdb .xld .xmlff .abcddb .abs .abx .accdw .and .db2 .fm5 .hjt .icg .icr .kdb .lut .maw .mdn .mdt\nShared folders targeted for encryption (Example: \\[IP address]Downloads): Users, Backup, Veeam, homes, home, media, common, Storage, Server, Public, Web, Images, Downloads, BackupData, ActiveBackupForBusiness, Backups, NAS-DC, DCBACKUP, DirectorFiles, share\nFile extensions ignored: .ini .url .msilog .log .ldf .lock .theme .msi .sys .wpx .cpl .adv .msc .scr .key .ico .dll .hta .deskthemepack .nomedia .msu .rtp .msp .idx .ani .386 .diagcfg .bin .mod .ics .com .hlp .spl .nls .cab .exe .diagpkg .icl .ocx .rom .prf .thempack .msstyles .icns .mpa .drv .cur .diagcab .cmd .shs\nFolders ignored: windows, boot, program files (x86), windows.old, programdata, intel, bitdefender, trend micro, windowsapps, appdata, application data, system volume information, perflogs, msocache\nFurther reading\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.\nSource: https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"
	],
	"report_names": [
		"the-five-day-job-a-blackbyte-ransomware-intrusion-case-study"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434106,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97b9b73bcd13d967adfe3815b9e57b90d31aa5ec.pdf",
		"text": "https://archive.orkl.eu/97b9b73bcd13d967adfe3815b9e57b90d31aa5ec.txt",
		"img": "https://archive.orkl.eu/97b9b73bcd13d967adfe3815b9e57b90d31aa5ec.jpg"
	}
}