{
	"id": "154bb318-6cf3-4306-bc1e-29409abdc051",
	"created_at": "2026-04-06T01:31:58.550401Z",
	"updated_at": "2026-04-10T03:32:24.834295Z",
	"deleted_at": null,
	"sha1_hash": "b99703c5f0ed833ee38dc6f67ff64bcc40921275",
	"title": "The BlackByte ransomware group is striking users all over the globe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1209948,
	"plain_text": "The BlackByte ransomware group is striking users all over the\r\nglobe\r\nBy Holger Unterbrink\r\nPublished: 2022-05-18 · Archived: 2026-04-06 00:14:44 UTC\r\nWednesday, May 18, 2022 02:00\r\nNews summary\r\nCisco Talos has been monitoring the BlackByte Ransomware Group for several months; the group has infected\r\nvictims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam.\r\nThe FBI released a joint cybersecurity advisory in February 2022 warning about this group, stating that the\r\ngroup has targeted at least three critical infrastructure sectors in the U.S.\r\nTalos has monitored ongoing BlackByte attacks dating back to March.\r\nBlackByte updated its leak site with a new design and new victims and is still actively exploiting victims\r\nworldwide.\r\nExecutive overview\r\nThe BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to\r\nother criminals. The ransomware group and its affiliates have infected victims all over the world, from North\r\nAmerica to Colombia, the Netherlands, China, Mexico and Vietnam. Talos has been monitoring BlackByte for\r\nseveral months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in\r\nFebruary 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are\r\ntargeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like\r\nsimilar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently\r\nmoved. Below, you can see a screenshot of the site. 
We have anonymized the screenshot to protect victims'\r\nprivacy.\r\nhttps://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html\r\nPage 1 of 6\n\nThe attack usually starts with a network entry point, either a previously compromised host or a software\r\nvulnerability which is exploitable from the network. From the compromised host, the attackers elevate local and domain\r\naccount privileges and move laterally using standard penetration testing tools and legitimate administrator tools\r\n(LoLBins). In most incidents, they like to use the AnyDesk remote management software to control victim\r\nmachines.\r\nTechnical details\r\nThe BlackByte gang often uses phishing and/or vulnerable unpatched applications or services like vulnerable\r\nversions of SonicWall VPN or the ProxyShell vulnerability in Microsoft Exchange servers to gain access to the\r\nvictim's network. These are usually known public vulnerabilities that the targets haven't patched in a timely\r\nmanner. Due to a lack of logs, we could not confirm the initial infection vector in the case below, but we have\r\nindicators that a vulnerable Microsoft Exchange Server was compromised, which matches the previously\r\ndescribed behavior of the BlackByte actor.\r\nA typical timeline of infection looks similar to the anonymized log below, which we saw in our telemetry in\r\nMarch.\r\nThe logs above show the adversaries are installing the AnyDesk remote management software, as we've seen in\r\nCisco Talos Incident Response engagements. BlackByte seems to have a preference for this tool and often uses\r\ntypical living-off-the-land binaries (LoLBins), besides other publicly available commercial and non-commercial\r\nsoftware like 'netscanold' or 'psexec'. These tools are also often used by administrators for legitimate tasks, so it\r\ncan be difficult to detect them as a malicious threat. 
Executing the actual ransomware appears to be the last\r\nstep, once they are done with lateral movement and have made themselves persistent in the network by adding\r\nadditional admin accounts.\r\nUnfortunately, we could not obtain the RANDOMNAME_n.EXE files, which are likely stages of the ransomware\r\ninfection. We also tried to get them via the telemetry of our partners, but the hash was unknown to them, too. This\r\nmatches the broader trend of many big game ransomware groups moving to the tactic of using unique obfuscated\r\nfiles for every victim. The chat with a criminal from the ransomware group Hive we've transcribed below provides\r\nan idea of how these conversations go. We are releasing more details about conversations with ransomware actors\r\nin a future post.\r\nVictim: \"How many files are stolen? and can you share some file names?\"\r\nHive: \"Hello\"\r\nVictim: \"maybe no one's here\"\r\nHive: \"To decrypt your files you have to pay $20,000,000 in Bitcoin.\"\r\nVictim: \"that's way too much, can you please discount and please share the hash of the ransomware file\r\nso we can at least blacklist it. You have already stolen everything anyway\"\r\nHive: \"We don't provide any hashes. Every time the software is unique. There is no need of hashes\r\nhere. It will not help anyway.\"\r\nHive: \"If you want a discount I would like to see for how much\"\r\nAssuming that RANDOMNAME.EXE -a \u003cSUSPICIOUS NUMBER\u003e is the start of the ransomware infection\r\nprocess, they have slightly changed their behavior or are just using a different packer. The FBI document states\r\n\"complex.exe -single \u003cSHA256\u003e\" launches the infection process. 
In our case, the parameters are different — the\r\nfirst one is a '-a' and the following is not a SHA256 hash, it is an eight-digit number, like '42269874' (not the real\r\nnumber, which we have changed to protect the privacy of the victim). This seems to be a victim ID or an offset for the\r\nunpacking process. The actual behavior of RANDOMNAME.EXE seems to be very similar to the complex.exe\r\nbehavior described in the FBI report. It also disables Windows Defender. The base64-obfuscated string\r\n'VwBpAG4ARABlAGYAZQBuAGQA' decodes to 'WinDefend', which is the Windows Defender service. It then\r\ntries to disable Florian Roth's Raccine ransomware protection tool and runs a few other commands mentioned in the\r\nFBI document.\r\nFinally, approximately 17 hours after the ransomware infection process started, the machine reboots and the\r\nransomware note \"BlackByteRestore.txt\" is shown to the user via Notepad.\r\nConclusion\r\nTalos research and other public reports about BlackByte are mainly pointing to vulnerable, outdated systems as\r\nthe initial infection vector. This threat shows how important it is to have a proper update strategy in place. If your\r\norganization is running a Microsoft Exchange Server or any other internet-facing system, make sure it always has\r\nthe latest patch in place. The time window between the announcement of a new security vulnerability and its\r\nweaponization and use by criminals is getting smaller every year.\r\nIt's more important now than ever to have a multi-layered security architecture to detect these types of attacks. The\r\nadversary may manage to bypass one or another of these cybersecurity measures, but it is much harder for them to\r\nbypass all of them. 
These campaigns and the refinement of the TTPs used will likely continue for the foreseeable\r\nfuture.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here.\r\nIOCs\r\nTo protect the privacy of the victim we can only release the anonymized logs above, but we hope this helps SOC\r\nand security staff to build their own custom rules to protect their assets.\r\nTypical log data in text format.\r\nSource: https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html"
	],
	"report_names": [
		"the-blackbyte-ransomware-group-is.html"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439118,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b99703c5f0ed833ee38dc6f67ff64bcc40921275.pdf",
		"text": "https://archive.orkl.eu/b99703c5f0ed833ee38dc6f67ff64bcc40921275.txt",
		"img": "https://archive.orkl.eu/b99703c5f0ed833ee38dc6f67ff64bcc40921275.jpg"
	}
}