Skip to main content

Operator dossier

Blackbyte is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 147 public victims claimed by this operator between October 4, 2021 and July 30, 2025. BlackByte is a ransomware-as-a-service (RaaS) operation that emerged in October 2021, primarily motivated by financial gain through double extortion tactics targeting organizations across multiple sectors. The group is suspected to operate from Russia or former Soviet states based on their use of Russian-language forums and avoidance of targeting organizations in Commonwealth of Independent States countries, though they maintain no confirmed links to other established ransomware families. BlackByte operators typically gain initial access through vulnerable Microsoft Exchange servers, phishing campaigns, and exploitation of remote desktop protocol (RDP) services, employing tools such as Cobalt Strike for lateral movement and data exfiltration before deploying their custom ransomware payload that uses AES-256 encryption with RSA-2048 key protection. The group has demonstrated particular focus on critical infrastructure sectors, with the FBI and CISA issuing joint advisories in February 2022 highlighting attacks against organizations in government, healthcare, manufacturing, and education sectors, including notable incidents affecting San Francisco's transportation authority and multiple healthcare systems across the United States. BlackByte remains active as of 2024, continuing to evolve their tactics and maintain their leak site for publishing stolen data from victims who refuse to pay ransoms.

Most-targeted sectors

Most-affected countries

Recent disclosures by Blackbyte

All 147 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Blackbyte

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Blackbyte

147 victims indexed · first seen 5 years ago · last activity 1 year ago

147
Victims indexed
#57 of 364 tracked operators
3y 9m
Active period
Oct 2021 → Jul 2025
10
Countries hit
top United States · 15

At a glance

Status
inactive
First seen
5 years ago
Last activity
1 year ago
Onion sites
11 known endpoints
Primary sector
Not Found · 8 hits

About

BlackByte is a ransomware-as-a-service (RaaS) operation that emerged in October 2021, primarily motivated by financial gain through double extortion tactics targeting organizations across multiple sectors. The group is suspected to operate from Russia or former Soviet states based on their use of Russian-language forums and avoidance of targeting organizations in Commonwealth of Independent States countries, though they maintain no confirmed links to other established ransomware families. BlackByte operators typically gain initial access through vulnerable Microsoft Exchange servers, phishing campaigns, and exploitation of remote desktop protocol (RDP) services, employing tools such as Cobalt Strike for lateral movement and data exfiltration before deploying their custom ransomware payload that uses AES-256 encryption with RSA-2048 key protection. The group has demonstrated particular focus on critical infrastructure sectors, with the FBI and CISA issuing joint advisories in February 2022 highlighting attacks against organizations in government, healthcare, manufacturing, and education sectors, including notable incidents affecting San Francisco's transportation authority and multiple healthcare systems across the United States. BlackByte remains active as of 2024, continuing to evolve their tactics and maintain their leak site for publishing stolen data from victims who refuse to pay ransoms.

References

22 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2022-03-01T00:00:00+00:00 · 82022-05-01T00:00:00+00:00 · 82022-06-01T00:00:00+00:00 · 22022-07-01T00:00:00+00:00 · 32022-08-01T00:00:00+00:00 · 52022-09-01T00:00:00+00:00 · 62022-10-01T00:00:00+00:00 · 72022-11-01T00:00:00+00:00 · 42022-12-01T00:00:00+00:00 · 12023-01-01T00:00:00+00:00 · 62023-02-01T00:00:00+00:00 · 22023-03-01T00:00:00+00:00 · 42023-04-01T00:00:00+00:00 · 92023-05-01T00:00:00+00:00 · 42023-06-01T00:00:00+00:00 · 62023-07-01T00:00:00+00:00 · 22023-08-01T00:00:00+00:00 · 12023-09-01T00:00:00+00:00 · 62023-10-01T00:00:00+00:00 · 12024-03-01T00:00:00+00:00 · 12024-06-01T00:00:00+00:00 · 32024-07-01T00:00:00+00:00 · 22024-09-01T00:00:00+00:00 · 12025-07-01T00:00:00+00:00 · 9
2022-03-01T00:00:00+00:002025-07-01T00:00:00+00:00

Top countries

🇺🇸 United States
15
🇬🇧 United Kingdom
5
🇧🇷 Brazil
4
🇮🇹 Italy
4
🇸🇪 Sweden
2
🇵🇱 Poland
2
🇦🇷 Argentina
1
🇨🇦 Canada
1

Top sectors

Government
6
Healthcare
3
Manufacturing
3
Education
3
Finance
3
Technology
2
Energy
2
Transportation
2

MITRE ATT&CK

49 techniques · 13 tactics

Tactics

CollectionCommand And ControlCredential AccessDefense EvasionDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationResource Development

Techniques

Recent victims

Loading…

Onion infrastructure

11 known
  • http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion
  • http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion
  • http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion
  • http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion/
  • http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion
  • http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/
  • http://dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion
  • http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion
  • http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion
  • http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion
  • http://tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Blackbyte posts a victim.

Add Blackbyte to your watchlist — Pro pings you within 5 minutes of any new Blackbyte leak-site post, Telegram callout, or affiliate-rebrand inference.