BlackByte Ransomware - Wilder And Scarier Than Ever

Posted by Dennis, 27-04-2022

Researchers from Palo Alto Networks' Unit 42 have published an assessment report on BlackByte ransomware. The report includes details of newly discovered samples of the ransomware.

The report findings

Researchers have recently observed multiple variants of BlackByte ransomware in the wild. These variants are written in Go and .NET, and one variant was found written in a mix of Go and C.
  • The ransomware payloads are packed using UPX and possess worm capabilities.
  • The samples have icons attached to them displaying an image of the grim reaper. Some newer versions updated their .exe icons to show the grim reaper together with a BB (BlackByte) icon.
  • The ransomware actors were observed making changes to the registry in an attempt to escalate privileges.

Access and persistence tactics

  • For initial access, the attackers are exploiting known Microsoft Exchange Server vulnerabilities (the ProxyShell vulnerabilities: CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207).
  • For persistence, the attackers are delivering a malicious web shell for remote code execution. Further, the ransomware excludes key system and application folders, along with key components, from encryption.

Earlier, researchers developed a decryptor for BlackByte that was published on GitHub. However, the attackers have since developed a new version and warned victims against using a public decryptor.

Who are the targets?

  • The ransomware group compromised multiple U.S. and global organizations in the agriculture, energy, public, and financial services sectors.
  • While most of the victims are located in the U.S., the group has also targeted organizations in Canada, South America, Europe, Australia, Asia, and Africa.

The report states that BlackByte attackers are expected to continue their attacks to extort organizations. Organizations are therefore advised to stay protected by deploying robust anti-ransomware measures, including reliable backups of important data, the latest patches for systems and networks, and proper access controls to protect sensitive data.