{
	"id": "3155e332-3867-45fe-a954-8414b4102c12",
	"created_at": "2026-04-06T00:18:49.29332Z",
	"updated_at": "2026-04-10T13:11:57.916299Z",
	"deleted_at": null,
	"sha1_hash": "dbd8a7a5927c235587bb794caa3b8804183c6685",
	"title": "BlackSnake Ransomware: Rising from Chaos' Shadow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1054640,
	"plain_text": "BlackSnake Ransomware: Rising from Chaos' Shadow\r\nBy cybleinc\r\nPublished: 2023-03-09 · Archived: 2026-04-05 22:21:22 UTC\r\nCyble analyzes a new malware strain, BlackSnake Ransomware, that is capable of performing clipper operations aimed at cryptocurrency users.\r\nNew Ransomware Goes Beyond Traditional Tactics with Clipper Integration\r\nRansomware is a significant threat that encrypts its victims’ files and demands a ransom. Additionally, the Threat Actors (TAs) responsible for these attacks often use a double extortion technique, where they exfiltrate sensitive data from the victim’s device before encrypting the files. These TAs then leverage this stolen data to extort their victims further by threatening to release it on a leak site unless their demands are met.\r\nThe TAs are constantly devising new methods to extort money from their victims. In the previous year, Cyble Research and Intelligence Labs (CRIL) discovered a ransomware variant that not only encrypts victims’ files but also steals their Discord tokens.\r\nRecently, CRIL spotted a new strain of malware known as the “BlackSnake” ransomware that is capable of performing clipper operations aimed at cryptocurrency users. This variant was initially identified by the researcher @siri_urz. It was detected on a cybercrime forum in 2022, where the TAs behind it were actively seeking affiliates.\r\nIn addition, the TAs claimed they would take a 15% share of the profits generated through the affiliation process, as shown in the figure below.\r\nhttps://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/\r\nPage 1 of 11\n\nFigure 1 – TA's Advertisement in a Cybercrime Forum\r\nOur analysis has uncovered evidence suggesting that BlackSnake Ransomware has been created based on the source code of Chaos ransomware. 
In this blog, we delve into the technical aspects of BlackSnake Ransomware, including its clipper operations.\r\nTechnical Analysis\r\nStatic analysis of the sample with hash e4c2e0af462ebf12b716b52c681648d465f6245ec0ac12d92d909ca59662477b shows that the malicious file is a 32-bit PE binary compiled using .NET, as demonstrated in the following figure:\r\nFigure 2 – File Information\r\nUpon execution, the BlackSnake Ransomware performs an initial check to verify whether the current input language of the system matches the language codes “az-Latn-AZ” or “tr-TR”.\r\nIf a match is found, the ransomware immediately terminates itself, indicating that the TAs of BlackSnake ransomware intend to exclude systems located in Azerbaijan or Turkey from being infected, as shown below.\r\nFigure 3 – Locale Check\r\nAfter confirming the user’s location, the BlackSnake Ransomware creates a registry entry, as shown below.\r\nHKEY_CURRENT_USER\\SOFTWARE\\oAnWieozQPsRK7Bj83r4\r\nThe BlackSnake ransomware has a method of detecting whether it has already infected a system. It does this by comparing the location of the executing assembly with the path “C:\\Users\\[user-name]\\AppData\\Roaming\\svchost.exe”. If this path matches, the ransomware continues to search for the file named “UNLOCK_MY_FILES.txt” in the %appdata% directory. Once the file is found, the ransomware terminates itself. This behavior suggests that the ransomware is designed to avoid infecting a system more than once, and it may be an attempt to limit the impact of the ransomware.\r\nThe below figure shows the code snippet used by the malware for validation. 
\r\nFigure 4 – File Path Validation\r\nTo prevent multiple instances of the malware from running concurrently, the malware enumerates the names of all currently running processes, retrieves the filename of the currently executing assembly, and compares it with the filenames of the running processes. If there is a match, the malware then compares the Process ID of the current process with that of the matching process. If the IDs differ, the malware identifies itself as a duplicate instance and terminates itself to avoid running multiple copies at the same time.\r\nThe below figure shows the code snippet used by the ransomware to check for an existing malware instance.\r\nFigure 5 – Check for Duplicate Instances of Malware\r\nAfter confirming that there is no existing infection of itself, the ransomware creates a copy of itself in the %appdata% directory with the file name “svchost.exe” and executes the newly created process, as shown below.\r\nFigure 6 – Creates New Process and Executes\r\nThe ransomware now creates a new thread for executing the clipper module, which includes functions such as GetText(), PatternMatch(), and SetText(). These functions allow the clipper module to perform its intended task of intercepting and modifying clipboard data as needed.\r\nThe below figure shows the clipper module.\r\nFigure 7 – Clipper Module\r\nBy constantly monitoring the user’s clipboard activity, the BlackSnake malware can check whether any cryptocurrency addresses are present by utilizing a hardcoded regular expression pattern for validation, as shown below. 
\r\nFigure 8 – Regex Pattern Match\r\nThe BlackSnake clipper module appears to specifically target Bitcoin wallet addresses, as indicated by the pattern used for identification.\r\nWhen a matching wallet address is found in the clipboard data, the malware utilizes the SetText() method to replace it with a hardcoded Bitcoin wallet address belonging to the attacker, as shown in the figure below.\r\nFigure 9 – Replacing Clipboard Value with TA’s Wallet Address\r\nOnce the clipper module has been started, the BlackSnake ransomware moves on to its encryption module. The malware creates the registry entry below, which launches it automatically whenever the system starts, to ensure it remains active and persistent on the infected system.\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n“C:\\Users\\[user-name]\\AppData\\Roaming\\svchost.exe”\r\nBefore encrypting files, the ransomware identifies the list of directories to be enumerated and excludes a few folders from its encryption process. The below figure shows the folders excluded by the ransomware.\r\nFigure 10 – Folders Excluded by BlackSnake Ransomware\r\nOnce the relevant directories are identified, the malware enumerates all the files. During this stage, the ransomware checks each file path against a pre-defined list of strings, as shown in Figure 11. Any file path that matches one of these strings is excluded from the encryption process.\r\nFigure 11 – Exclusion List\r\nThe ransomware specifically focuses on encrypting files that have the below file extensions. 
\r\n.txt  .jar  .dat  .contact  .settings  .doc  .docx  .xls\r\n.xlsx  .ppt  .pptx  .odt  .jpg  .mka  .mhtml  .oqy\r\n.png  .csv  .sql  .mdb  .php  .asp  .aspx  .html\r\n.htm  .xml  .psd  .pdf  .xla  .cub  .dae  .indd\r\n.mp3  .mp4  .dwg  .zip  .rar  .mov  .rtf  .bmp\r\n.mkv  .avi  .apk  .lnk  .dib  .dic  .dif  .divx\r\n.iso  .7zip  .ace  .arj  .bz2  .cab  .gzip  .lzh\r\n.tar  .jpeg  .mpeg  .torrent  .mpg  .core  .pdb  .ico\r\n.pas  .wmv  .swf  .cer  .bak  .backup  .accdb  .bay\r\n.p7c  .exif  .vss  .raw  .m4a  .wma  .flv  .sie\r\n.sum  .ibank  .wallet  .css  .crt  .xlsm  .xlsb  .cpp\r\n.java  .jpe  .ini  .blob  .wps  .docm  .wav  .3gp\r\n.webm  .m4v  .amv  .m4p  .svg  .ods  .vdi  .vmdk\r\n.onepkg  .accde  .jsp  .json  .gif  .log  .config  .m1v\r\n.sln  .pst  .obj  .xlam  .djvu  .inc  .cvs  .dbf\r\n.tbi  .wpd  .dot  .dotx  .xltx  .pptm  .potx  .potm\r\n.pot  .xlw  .xps  .xsd  .xsf  .xsl  .kmz  .accdr\r\n.stm  .accdt  .ppam  .pps  .ppsm  .1cd  .3ds  .3fr\r\n.3g2  .accda  .accdc  .accdw  .adp  .ai3  .ai4  .ai5\r\n.ai6  .ai7  .ai8  .arw  .ascx  .asm  .asmx  .avs\r\n.bin  .cfm  .dbx  .dcm  .dcr  .pict  .rgbe  .dwt\r\n.f4v  .exr  .kwm  .max  .mda  .mde  .mdf  .mdw\r\n.mht  .mpv  .msg  .myi  .nef  .odc  .geo  .swift\r\n.odm  .odp  .oft  .orf  .pfx  .p12  .pls  .safe\r\n.tab  .vbs  .xlk  .xlm  .xlt  .xltm  .svgz  .slk\r\n.tar.gz  .dmg  .psb  .tif  .rss  .key  .vob  .epsp\r\n.dc3  .iff  .onepkg  .onetoc2  .opt  .p7b  .pam  .r3d\r\n.pse  .webp\r\nThe BlackSnake ransomware encryption process consists of several stages. In the first step, the malware employs a string_Builder() function to generate a 40-byte random string. Next, it retrieves a pre-defined RSA public key that is hard-coded within the malware file. This key encrypts the previously generated random string, producing a key suitable for AES encryption. 
\r\nFigure 12 – Parameters Passed to the Encryption Function\r\nOnce the malware has the key, it encrypts all the identified files in the directory using the AES algorithm and appends the generated key (base64 encoded) to the end of each encrypted file.\r\nThe below figure shows the key appended to the encrypted file.\r\nFigure 13 – RSA Encrypted Key\r\nOn successful encryption, it appends the “pay2unlock” extension to the encrypted files and drops a ransom note in that folder.\r\nFigure 14 – Encrypted Files\r\nFinally, the victims are presented with a ransom note, “UNLOCK_MYFiles.txt”, that directs them to contact the attackers via their TOX_ID if they wish to recover their encrypted files, as shown below.\r\nFigure 15 – Ransom Note\r\nConclusion\r\nIt is convenient and straightforward for TAs to use pre-existing ransomware code as a basis for developing new ransomware families. The Onyx and Yashma ransomware families were already linked to the Chaos ransomware family, and BlackSnake is another family now associated with Chaos ransomware. The Threat Actor has tweaked the Chaos ransomware source code and added a clipper module directly into the file, which differs from the usual approach of having a separate file for the clipper.\r\nCyble Research \u0026 Intelligence Labs continuously monitors all ransomware campaigns and will keep updating our readers with the latest information as and when we find it.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nBack up data in different locations and implement Business Continuity Planning (BCP). Keep the backup servers isolated from the infrastructure, which helps fast data recovery.\r\nConduct frequent audits, vulnerability assessments, and penetration testing of organizational assets, including network and software.\r\nEnforce the use of a VPN to safeguard endpoints.\r\nConduct frequent security awareness training for the company’s employees to inform them about emerging threats.\r\nImplement technology to understand the behavior of ransomware and malware families and variants in order to block malicious payloads and counter potential attacks.\r\nUsers should carefully check their wallet addresses before making any cryptocurrency transaction to ensure the address has not been altered when copying and pasting.\r\nWallet seeds should be stored safely and encrypted on any device. 
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic   Technique ID   Technique Name\r\nExecution   T1204   User Execution\r\nImpact   T1486   Data Encrypted for Impact\r\nImpact   T1490   Inhibit System Recovery\r\nDiscovery   T1082   System Information Discovery\r\nDiscovery   T1083   File and Directory Discovery\r\nDiscovery   T1057   Process Discovery\r\nDefense Evasion   T1140   Deobfuscate/Decode Files or Information\r\nPersistence   T1547   Registry Run Keys / Startup Folder\r\nIndicators of Compromise (IOCs)\r\nIndicator   Type   Description\r\ne4c2e0af462ebf12b716b52c681648d465f6245ec0ac12d92d909ca59662477b   SHA256   BlackSnake Ransomware\r\nafa9d7c88c28e9b8cca140413cfb32e4   MD5   BlackSnake Ransomware\r\n6936af81c974d6c9e2e6eaedd4026a37135369bc   SHA-1   BlackSnake Ransomware\r\nSource: https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/"
	],
	"report_names": [
		"blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow"
	],
	"threat_actors": [],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbd8a7a5927c235587bb794caa3b8804183c6685.pdf",
		"text": "https://archive.orkl.eu/dbd8a7a5927c235587bb794caa3b8804183c6685.txt",
		"img": "https://archive.orkl.eu/dbd8a7a5927c235587bb794caa3b8804183c6685.jpg"
	}
}