{
	"id": "b6575cd5-99ef-457f-a984-4788d1fc6d74",
	"created_at": "2026-04-06T01:31:02.050779Z",
	"updated_at": "2026-04-10T13:11:30.98601Z",
	"deleted_at": null,
	"sha1_hash": "c51d9b203f6fbb7afee56853b956dd6ce1817a94",
	"title": "Ransomware Spotlight: BlackByte | Trend Micro (GB)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 850867,
	"plain_text": "Ransomware Spotlight: BlackByte | Trend Micro (GB)\r\nArchived: 2026-04-06 01:04:34 UTC\r\nTop affected industries and countries\r\nThe data used in this section represent the count of unique machines where BlackByte-related activity had been detected.\r\nBased on our telemetry data, BlackByte showed a fairly consistent level of activity from October 2021 to March 2022.\r\nHowever, May 2022 detections showed a drastic uptick in number.\r\nFigure 1. BlackByte monthly unique detections (October 1, 2021 to May 31, 2022)\r\nSource: Trend Micro™ Smart Protection Network™\r\nBased on our telemetry data from April 30, 2021 to May 31, 2022, we detected BlackByte activity all over the globe.\r\nHowever, after the spike in activity in May, Peru outstripped other countries in detections. This is consistent with the reported escalation of ransomware attacks in Latin America, where BlackByte was also reportedly among the groups that targeted the region.\r\nFigure 2. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nUp to the end of April 2022, the technology sector saw the most BlackByte detections; however, in May, detections in the government sector also shot up.\r\nhttps://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte\r\nPage 1 of 9\n\nFigure 3. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nOne way to interpret these observations is that the drastic increase stemmed from a single attack that affected several machines. 
Aside from the reports on ransomware groups targeting Latin America, this explanation is also based on the report that, by their own claim, BlackByte operators had compromised a Peruvian government entity around the time of the increased activity.\r\nTargeted regions and sectors according to BlackByte leak site\r\nIn addition to these detections, we delved into BlackByte’s leak site to see the number of attacks recorded there. We looked at data from August 1, 2021 to May 31, 2022. Based on what we found on the site, BlackByte’s victims were composed mostly of small-sized businesses. The activity peaked in November 2021.\r\nOverall, the leak site has yet to reflect the focused attack on Latin American governments. The distribution of their attacks per region showed, instead, a proclivity for targeting entities based in North America and Europe.\r\nFigure 4. Regional distribution of BlackByte victims according to the group’s leak site (August 1, 2021 to May 31, 2022)\r\nBased on the leak site data alone, BlackByte operators and their affiliates have yet to show a marked interest in any one sector. We found a relatively even distribution of attacks across industries, which included the following:\r\nConstruction\r\nMaterials\r\nHealthcare\r\nRetail\r\nTransportation\r\nEnergy \u0026 Utilities\r\nManufacturing\r\nProfessional services\r\nAutomobile\r\nCommunity\r\nFoods \u0026 Staples\r\nReal Estate\r\nGovernment\r\nIT\r\nLegal services\r\nMedia and entertainment\r\nComparing the leak site data of BlackByte to other ransomware families shows that from January 1, 2022 to May 31, 2022, BlackByte was among the 10 ransomware groups with the greatest number of self-reported victims.\r\nFigure 5. 
Top ransomware groups with the greatest number of listed victims in their respective leak sites (January 1, 2022 to May 31, 2022)\r\nThe data seems to show that BlackByte's operation is beginning to build a name for itself in the threat landscape while still building momentum. The following section shows how it works and how it conducts its attacks.\r\nInfection chain and techniques\r\nGiven that BlackByte operates on the RaaS model, its infection chain can vary depending on the target.\r\nFigure 6. BlackByte infection chain\r\nInitial Access\r\nBlackByte can arrive in a system by exploiting the ProxyShell vulnerabilities. Exploiting the vulnerable server allows the attacker to create a web shell on the system, which is then used to download and drop Cobeacon using Certutil.\r\nAfter the initial access into the system, the attackers use Certutil to download and execute the components they need to propagate in the network.\r\nAfter the deployment of Cobeacon, it is then used to execute the BlackByte ransomware.\r\nDiscovery and Lateral Movement\r\nBased on our data, the actors used NetScan as a network discovery tool, which allows the attackers to get a good view of the victim’s network environment.\r\nAfter network reconnaissance, the attackers deploy AnyDesk on the system for an additional level of control over the system. 
The attackers repeat this process of discovery and deployment of Cobeacon and AnyDesk until they achieve their goals.\r\nDuring the execution of BlackByte, it terminates certain processes and services related to security applications to evade detection.\r\nExfiltration\r\nOnce the attackers have sufficiently infiltrated the victim’s network and identified valuable files, they exfiltrate them using WinRAR to archive the files and upload them to file sharing sites such as anonymfiles[.]com and file[.]io.\r\nImpact\r\nOnce the ransomware is executed, it terminates certain services and processes related to security applications to evade detection. It also connects to its C\u0026C server, where it looks for a certain PNG file that contains information critical to encryption and is used to derive the AES-128 key. This key is then protected using an embedded RSA key, so it cannot be decrypted without the corresponding private key. The ransomware then deletes shadow copies in the system using vssadmin.\r\nFigure 7. 
Sample ransom note\r\nOther technical details\r\nIt avoids encrypting files whose names contain the following strings:\r\nobamka.js\r\nthumbs.db\r\nntdetect.com\r\nntuser.dat.log\r\nbootnxt\r\nbootsect.bak\r\nntldr\r\nautoexec.bat\r\nRecycle.Bin\r\niconcache.db\r\nbootmgr\r\nbootfont.bin\r\nIt avoids encrypting files with the following extensions:\r\nmsilog\r\nlog\r\nldf\r\nlock\r\ntheme\r\nmsi\r\nsys\r\nwpx\r\ncpl\r\nadv\r\nmsc\r\nscr\r\nkey\r\nico\r\ndll\r\nhta\r\ndeskthemepack\r\nnomedia\r\nmsu\r\nrtp\r\nmsp\r\nidx\r\nani\r\n386\r\ndiagcfg\r\nbin\r\nmod\r\nics\r\ncom\r\nhlp\r\nspl\r\nnls\r\ncab\r\nexe\r\ndiagpkg\r\nicl\r\nocx\r\nrom\r\nprf\r\nthemepack\r\nmsstyles\r\nicns\r\nmpa\r\ndrv\r\ncur\r\ndiagcab\r\ncmd\r\nshs\r\nIt terminates the following services:\r\nSQLTELEMETRY\r\nSQLTELEMETRY$ECWDB2\r\nSQLWriter\r\nSstpSvc\r\nMBAMService\r\nwuauserv\r\nIt terminates the following processes if found in the affected system’s memory:\r\nagntsvc\r\nCNTAoSMgr\r\ndbeng50\r\ndbsnmp\r\nencsvc\r\nexcel\r\nfirefox\r\nfirefoxconfig\r\ninfopath\r\nisqlplussvc\r\nmbamtray\r\nmsaccess\r\nmsftesql\r\nmspub\r\nmydesktopqos\r\nmydesktopservice\r\nmysqld\r\nmysqld-nt\r\nmysqld-opt\r\nNtrtscan\r\nocautoupds\r\nocomm\r\nocssd\r\nonenote\r\noracle\r\noutlook\r\nPccNTMon\r\npowerpnt\r\nsqbcoreservice\r\nsql\r\nsqlagent\r\nsqlbrowser\r\nsqlservr\r\nsqlwriter\r\nsteam\r\nsynctime\r\ntbirdconfig\r\nthebat\r\nthebat64\r\nthunderbird\r\ntmlisten\r\nvisio\r\nwinword\r\nwordpad\r\nxfssvccon\r\nzoolz\r\nanydesk\r\nchrome\r\nopera\r\nmsedge\r\nfirefox\r\niexplore\r\nexplorer\r\nwinlogon\r\nSearchIndexer\r\nwininit\r\nSearchApp\r\nSearchUI\r\nPowershel\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1190 - Exploit Public-Facing Application: It has been observed to be using the ProxyShell exploit to deliver the China Chopper web shell as its initial arrival.\r\nPersistence\r\nT1053.005 - Scheduled Task/Job: Scheduled Task: It creates a scheduled task to execute its JavaScript file to proceed with its routine on bootup.\r\nTask Name: Joke\r\nTrigger: Once, at 00:00\r\nAction: wscript.exe\r\nPrivilege Escalation\r\nT1134 - Access Token Manipulation: This ransomware modifies the registry to elevate local privilege and enable linked connections.\r\nDefense Evasion\r\nT1140 - Deobfuscate/Decode Files or Information: It initially arrives as an obfuscated JavaScript file, which is decoded upon execution.\r\nT1222 - File and Directory Permissions Modification: It uses mountvol.exe to mount volume names and icacls.exe to modify the access on the volume to \"Everyone\":\r\n\"C:\\Windows\\System32\\icacls.exe\" \"C:*\" /grant Everyone:F /T /C /Q\r\nIt also disables controlled folder access using PowerShell:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Set-MpPreference -EnableControlledFolderAccess Disabled\r\nIt also modifies firewall settings to enable linked connections:\r\n\"C:\\Windows\\System32\\netsh.exe\" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes\r\n\"C:\\Windows\\System32\\netsh.exe\" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes\r\nT1562.001 - Impair Defenses: Disable or Modify Tools: It disables Raccine, which is an anti-ransomware utility, using these commands:\r\ntaskill.exe /F /IM Raccine.exe\r\ntaskill.exe /F /IM RaccineSettings.exe\r\nschtasks.exe /DELETE /TN \\\"Raccine Rules Updater\\\" /F\r\nIt also deletes the Raccine autostart entries:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, Name = “Raccine Tray”\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine\r\nDiscovery\r\nT1083 - File and Directory Discovery: This ransomware discovers files and directories by first enumerating the logical drives. Once enumerated, it then changes the access control of files and directories so that it can have full access over them. It will then go through the directories and traverse them for target files to encrypt.\r\nT1069.002 - Permission Groups Discovery: Domain Groups: It uses the RootDSE entry from the Active Directory to get a listing of the hostnames under that domain in preparation for its propagation in the network. It enumerates 1000 hostnames in the domain.\r\nRemote System Discovery: After getting the hostnames of the remote systems, it attempts to ping the systems to see if they are alive and accessible. Then it proceeds with the transfer to the public share folder.\r\nLateral Movement (column truncated in the source)\r\nT1570\r\nTransfe\r\nIt check\r\npresent\r\nC:\\Use\r\n(infectio\r\nsystem)\r\nIt doesn\r\npropag\r\nIt check\r\nif either\r\nfolders\r\n\\C$\\Use\r\n\\Users\\\r\nIt then c\r\nmarker\r\nwhich a\r\n\\Users\\\r\n\\C$\\Use\r\nIt then c\r\nfile in t\r\nshare a\r\nthrough\r\nwhich w\r\nstart of\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch for the presence of the following malware, tools, and exploits that are typically used in BlackByte attacks:\r\nInitial Access: ProxyShell, China Chopper web shell\r\nExecution: Certutil, Cobeacon\r\nDiscovery: NetScan\r\nLateral Movement: AnyDesk, Cobeacon\r\nCollection: WinRAR\r\nExfiltration: Exfiltrates to the following C\u0026C: anonymfiles[.]com, file[.]io\r\nRecommendations\r\nOrganizations face both established ransomware families and newer variants that are just entering the fray. Like many newer ransomware families, BlackByte is readying itself to take the spot of any big-game ransomware operation in decline. However, underneath it all could be a more intricate scheme of threat groups dispersing under new monikers.\r\nKnowing BlackByte's notable tactics, while also staying aware of bigger trends, can help organizations create an effective strategy against ransomware attacks. 
In the case of BlackByte, prevention is key: keep employees wary of phishing tactics and keep up with security patches such as those for the ProxyShell vulnerabilities.\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing solid defenses against ransomware.\r\nHere are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nMake an audit of event and incident logs\r\nConfigure and monitor\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary to an employee’s role\r\nMonitor network ports, protocols, and services\r\nActivate security configurations on network infrastructure devices such as firewalls and routers\r\nEstablish a software allowlist that only executes legitimate applications\r\nPatch and update\r\nConduct regular vulnerability assessments\r\nPerform patching or virtual patching for operating systems and applications\r\nUpdate software and applications to their latest versions\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\nDetect early signs of an attack such as the presence of suspicious tools in the system\r\nUse advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\nRegularly train and assess employees' security skills\r\nConduct red-team exercises and penetration tests\r\nA multilayered approach can help 
organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte"
	],
	"report_names": [
		"ransomware-spotlight-blackbyte"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c51d9b203f6fbb7afee56853b956dd6ce1817a94.pdf",
		"text": "https://archive.orkl.eu/c51d9b203f6fbb7afee56853b956dd6ce1817a94.txt",
		"img": "https://archive.orkl.eu/c51d9b203f6fbb7afee56853b956dd6ce1817a94.jpg"
	}
}