BlackByte Ransomware: A Persistent Double Extortion Threat
- Suspected Origin
- Russia
- Motivation
- Financial Gain
- Aliases
- Hecamede
- Target Sectors
- Critical Infrastructure, Government Facilities, Financial, Food and Agriculture, Energy, Technology, Healthcare, Manufacturing, Education, Small Businesses
- Associated Malware
- BlackByte Ransomware, BlackByte 2.0 Ransomware, BlackByte 3.0 (BlackByteNT), ExByte, Cobalt Strike, AnyDesk, AdFind, Arp, Mimikatz, PsExec, NetScan, PowerView
Overview
BlackByte (G1043), also known by the alias Hecamede, is a financially motivated ransomware-as-a-service (RaaS) group that burst onto the cybercrime scene in July 2021. Since its emergence, BlackByte has rapidly established itself as a significant threat, primarily through a double extortion model. This involves not only encrypting a victim’s files but also exfiltrating sensitive data and threatening to publish it on a dedicated Tor-based leak site if ransom demands are not met.
The group gained early notoriety, drawing the attention of both the U.S. Federal Bureau of Investigation (FBI) and the U.S. Secret Service, who issued a joint advisory in late 2021 and early 2022 to warn of BlackByte’s escalating activities. BlackByte has a broad global reach, with documented attacks impacting organizations across North America, Europe, Latin America (notably Peru), Australia, Africa, and Asia. Their targeting is extensive, encompassing critical infrastructure sectors such as government facilities, financial services, food and agriculture, and energy, alongside other industries including technology, healthcare, manufacturing, and education. While small businesses have also been observed as targets, BlackByte often focuses on larger entities holding critical data for maximum financial gain.
BlackByte is widely believed to be an offshoot or rebranding of the now-defunct Conti ransomware group. A key indicator of their likely Russian origin is the presence of checks within their malware for Russian and former Soviet republics’ language settings, which, if detected, cause the ransomware to terminate its operations.
Tactics & Techniques
BlackByte employs a sophisticated array of tactics, techniques, and procedures (TTPs) that continuously evolve to evade detection and maximize impact.
For Initial Access (TA0001), a primary method involves exploiting unpatched Microsoft Exchange Server vulnerabilities, specifically the ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerability sets. They also leverage other unpatched software, including vulnerable SonicWall VPN applications, and engage in phishing campaigns. More recently, BlackByte has demonstrated rapid adaptation, incorporating newly disclosed vulnerabilities like CVE-2024-37085, affecting VMware ESXi hypervisors, into their attack chains within days of public disclosure. Initial access can also be achieved through brute-force attacks on VPN interfaces using valid credentials.
Once inside, Execution (TA0002) often relies on PowerShell and Windows Command Shell (cmd.exe) to run malicious commands and scripts. They deploy web shells (.aspx) for remote code execution, which also serves as a Persistence (TA0003) mechanism. Other persistence methods include creating Registry Run keys and installing legitimate remote access tools like AnyDesk as a service. BlackByte also utilizes scheduled tasks to launch their executables and print ransom notes across the network.
For Privilege Escalation (TA0004), BlackByte modifies registry settings and exploits vulnerable drivers, such as RTCore64.sys (CVE-2019-16098), to gain higher system privileges. They have also been observed creating privileged domain accounts.
Defense Evasion (TA0005) is a critical component of their operations. The ransomware often uses obfuscation techniques like UPX packing to hinder analysis. BlackByte employs process hollowing, injecting their ransomware into legitimate processes like svchost.exe, and often deletes its own executable after encryption to remove forensic evidence. They are known to disable or modify security tools, including stopping Windows Defender and removing anti-ransomware utilities like Raccine. Further evasion tactics include modifying Windows Firewall rules, disabling various Windows services, terminating processes that might interfere with encryption, and deleting Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. A distinctive evasion technique is checking for specific language settings (e.g., Russian or former Soviet republics’ languages); if detected, the malware terminates to avoid infecting systems in these regions. BlackByte aggressively modifies or deletes volume shadow copies to prevent system recovery.
Credential Access (TA0006) is achieved through tools like Mimikatz for dumping credentials, and they may capture or impersonate domain administration users to expand their control.
For Discovery (TA0007), BlackByte uses legitimate tools such as AdFind for enumerating domain accounts and Active Directory information, Arp for identifying connected hosts, NetScan for enumerating network services, and PowerView for broader network reconnaissance. They also enumerate network shares to identify potential targets for lateral movement.
Lateral Movement (TA0008) is facilitated through stolen credentials, abuse of legitimate remote access tools like AnyDesk, and the use of PsExec for remote payload execution. They leverage standard network protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Earlier versions of BlackByte ransomware also exhibited worm-like capabilities, spreading laterally by writing JavaScript launcher files to mapped shared folders.
Collection (TA0009) and Exfiltration (TA0010) of data are crucial for their double extortion model. They employ a custom GoLang-based tool called ExByte (Infostealer.Exbyte) for automated file collection, prioritizing critical data, and uploading it to external servers like Mega.co.nz. Other exfiltration services used include anonymfiles.com and file.io. Data is typically compressed before exfiltration and transmitted via HTTP POST requests to their command and control (C2) infrastructure.
Finally, for Impact (TA0040), BlackByte encrypts files using strong cryptographic algorithms. Initial variants used a symmetric AES key, which allowed security researchers to develop a universal decryptor. In response, newer versions, particularly BlackByte 2.0, adopted more robust encryption mechanisms, including unique keys per victim and RSA-1024 for key encryption, making decryption without the attacker’s key significantly harder. Ransom notes instruct victims to visit their .onion leak site, where BlackByte 2.0 introduced a tiered extortion model allowing victims to pay to download their data, extend its publication, or have it completely erased.
Notable Campaigns
BlackByte has been linked to several high-profile incidents and campaigns:
- Iowa Grain Cooperative Attack (October 2021): This incident significantly increased public and industry awareness of BlackByte, highlighting their growing capabilities.
- Critical Infrastructure Targeting (November 2021 onwards): BlackByte explicitly targeted U.S. critical infrastructure sectors, including government facilities, financial institutions, and the food and agriculture industries, as noted by joint advisories from the FBI and Secret Service.
- San Francisco 49ers Incident: One of the most publicized BlackByte attacks involved the network of the NFL’s San Francisco 49ers, where approximately 300MB of data was reportedly exfiltrated, though not customer data.
- May 2022 Activity Spike: Telemetry data from mid-2022 showed a drastic uptick in BlackByte detections, particularly in Peru, with increased targeting of government and technology sectors.
- “Biggest Leaks of Corporations” Claim (October 2023): The group publicly claimed on the Dark Web to have achieved “one of the biggest leaks of corporations data,” threatening to expose information from numerous companies.
- Attacks on Local Governments and Enterprises: BlackByte has been responsible for attacks on local governments, such as Newburgh, New York, and Augusta, Georgia, as well as companies like Yamaha.
- Rapid Exploitation of VMware ESXi Vulnerability (2024): Cisco Talos observed BlackByte leveraging a newly published vulnerability in VMware ESXi hypervisors (CVE-2024-37085) within days of its disclosure, demonstrating their agility in adapting TTPs.
Associated Malware & Tools
BlackByte operates a diverse toolkit, constantly evolving its custom malware and integrating widely abused legitimate tools:
- BlackByte Ransomware: The core ransomware payload has seen multiple iterations. Early versions were written in C#, while subsequent variants, including BlackByte 2.0 and BlackByte 3.0 (BlackByteNT), have been re-engineered in Go, .NET, C++, or combinations thereof, reflecting continuous development to enhance encryption, evade detection, and adapt to security measures. BlackByte 2.0 introduced more robust encryption without a common decryptor key, improved privilege escalation, and defense evasion capabilities.
- ExByte (Infostealer.Exbyte): This is a custom GoLang-based data exfiltration tool developed and frequently used by BlackByte operators to automate the collection and upload of sensitive files to external servers, such as Mega.co.nz.
- Cobalt Strike: A powerful and legitimate penetration testing tool, heavily abused by BlackByte for post-exploitation activities, including remote access, lateral movement, and establishing command and control (C2) channels.
- AnyDesk: Another legitimate remote desktop application, BlackByte operators often install AnyDesk as a service on compromised machines for persistent remote access and lateral movement within the network.
- Living-off-the-Land Binaries (LoLBins): BlackByte frequently abuses common system binaries and legitimate commercial tools like AdFind (for Active Directory enumeration), Arp (for host discovery), Mimikatz (for credential dumping), PsExec (for remote execution), NetScan (for network service enumeration), and PowerView (for network reconnaissance) to blend malicious activity with normal system operations and avoid detection.
- WinRAR: In some earlier operations, WinRAR was used to archive files prior to exfiltration.
Current Status
BlackByte remains an Active and evolving threat actor. Recent reporting from Cisco Talos in August 2024 indicates that the group continues to operate aggressively, leveraging its established TTPs while demonstrating a remarkable speed in adapting to and exploiting newly disclosed vulnerabilities. For instance, they were observed exploiting CVE-2024-37085, a vulnerability in VMware ESXi hypervisors, within days of its publication.
While BlackByte’s operational intensity persists, Cisco Talos also noted a significant decline in the number of victims publicly posted on the group’s leak site in 2024 (only three victims reported by August 2024, compared to 41 in 2023). This discrepancy suggests that BlackByte may be selectively posting only a fraction (estimated 20-30%) of their successful attacks, or potentially altering their extortion strategies. References to BlackByte’s ongoing activity in 2025 and 2026 within various security reports further underscore their continued presence and adaptation in the ransomware landscape. The group’s ability to quickly incorporate new vulnerabilities and continuously iterate their tooling highlights a persistent and adaptive threat that organizations must remain vigilant against.
Related content
Play Ransomware (G1040) Threat Profile: Evolving Tactics and Global Impact
Adversary ProfileAkira Ransomware: A Persistent and Evolving Global Threat
Adversary ProfileINC Ransom (G1032) Threat Actor Profile: Operations, Tactics, and Evolution
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call