Inactive ransomware operator
BlackByte
147 victims indexed · first seen 5 years ago · last activity 10 months ago
At a glance
- Status: inactive
- First seen: 5 years ago
- Last activity: 10 months ago
- Onion sites: 11 known endpoints
- Primary sector: Not Found · 8 hits
About
References
22 links · External sources curated by the MISP threat-intel community.
- deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape
- redcanary.com/blog/blackbyte-ransomware/
- ic3.gov/Media/News/2022/220211.pdf
- therecord.media/san-francisco-49ers-confirm-ransomware-attack/
- bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
- picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure
- trellix.com/en-us/about/newsroom/stories/research/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html
- advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
- advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups
- blog.talosintelligence.com/the-blackbyte-ransomware-group-is/
- advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- securelist.com/modern-ransomware-groups-ttps/106824/
- research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
- news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
- blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
- de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace
- media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
- trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html
Timeline
24 months
Top countries
Top sectors
MITRE ATT&CK
49 techniques · 13 tactics
Tactics
Techniques
- T1003 · OS Credential Dumping
- T1012 · Query Registry
- T1016 · System Network Configuration Discovery
- T1018 · Remote System Discovery
- T1021.001 · Remote Desktop Protocol
- T1021.002 · SMB/Windows Admin Shares
- T1036.008 · Masquerade File Type
- T1041 · Exfiltration Over C2 Channel
- T1046 · Network Service Discovery
- T1047 · Windows Management Instrumentation
- T1053.005 · Scheduled Task
- T1055 · Process Injection
- T1055.012 · Process Hollowing
- T1059.001 · PowerShell
- T1059.003 · Windows Command Shell
- T1068 · Exploitation for Privilege Escalation
- T1070.004 · File Deletion
- T1071.001 · Web Protocols
- T1078 · Valid Accounts
- T1078.002 · Domain Accounts
- T1082 · System Information Discovery
- T1087.002 · Domain Account
- T1105 · Ingress Tool Transfer
- T1112 · Modify Registry
- T1134.003 · Make and Impersonate Token
- T1135 · Network Share Discovery
- T1136.002 · Domain Account
- T1140 · Deobfuscate/Decode Files or Information
- T1190 · Exploit Public-Facing Application
- T1219 · Remote Access Tools
- T1480 · Execution Guardrails
- T1482 · Domain Trust Discovery
- T1486 · Data Encrypted for Impact
- T1490 · Inhibit System Recovery
- T1491.001 · Internal Defacement
- T1505.003 · Web Shell
- T1518.001 · Security Software Discovery
- T1543.003 · Windows Service
- T1547.001 · Registry Run Keys / Startup Folder
- T1560 · Archive Collected Data
- T1562 · Impair Defenses
- T1562.001 · Disable or Modify Tools
- T1562.004 · Disable or Modify System Firewall
- T1567 · Exfiltration Over Web Service
- T1569.002 · Service Execution
- T1570 · Lateral Tool Transfer
- T1583.003 · Virtual Private Server
- T1608.001 · Upload Malware
- T1614.001 · System Language Discovery
Recent victims
Onion infrastructure
11 known
- http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion
- http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion
- http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion
- http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion/
- http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion
- http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/
- http://dounczge5jhw4iztnnpzp54kd4ot3tikhjsimurtcewqssgye6vvrhqd.onion
- http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion
- http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion
- http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion
- http://tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion
Source
Updated 10 months ago
Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
