THREAT ACTOR

BlackByte

THREAT LEVEL
7
EMERGENCE DATE
Jul 2021
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Suspected connections to disbanded Conti ransomware operation based on technical similarities and operational timing

DESCRIPTION

BlackByte emerged as a ransomware-as-a-service operation in July 2021, rapidly evolving into a technically advanced and operationally resilient ransomware threat. The group shows exceptional capabilities in cross-platform targeting, advanced evasion techniques, and strategic victim selection while operating with enhanced operational security that conceals the majority of successful attacks from public disclosure.

The threat actor has successfully adapted to law enforcement pressure and continues active operations through 2025, with estimated activity levels significantly higher than public reporting suggests due to selective disclosure practices.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

The group operates as a RaaS platform with comprehensive affiliate management, technical support systems, and revenue-sharing models typical of ransomware operations. Potential connections to the disbanded Conti ransomware group have been observed based on TTP similarities, timing of emergence, and shared technical capabilities, including worm-like propagation methods and volume shadow copy deletion techniques. Russian-nexus operations are suspected based on geographic targeting patterns that avoid Russian and CIS countries, consistent with operational security practices common among Eastern European organizations.

Current Status: Active with enhanced operational security as of August 2025, with a decreasing presence as of October 2025.

Threat Level:
7

Origins and Methodology

The operation emerged with worm-like propagation capabilities that enable autonomous network spreading, setting it apart through BYOVD (Bring Your Own Vulnerable Driver) techniques using multiple vulnerable drivers simultaneously. Unlike typical ransomware operations that focus on volume, the threat actor carries out selective targeting with extended network access to maximize data theft before encryption deployment.

Their methodology leverages legitimate administrative tools including AnyDesk and ScreenConnect alongside custom ExByte exfiltration software for direct cloud storage integration. The operation maintains enhanced operational security by publicly disclosing only a fraction of successful attacks while continuing substantial activity levels across targeted sectors.

What is the Evolution of BlackByte Ransomware?
0.1
Formation

Initial emergence in July 2021 coincided with law enforcement pressure on established ransomware actors, positioning the operation to capitalize on market consolidation and affiliate migration from disrupted platforms.

Building upon C#-based ransomware implementation and traditional RaaS affiliate recruitment through underground forums, the group focused on establishing market presence and technical capabilities while developing comprehensive affiliate support networks.

0.2
EVOLUTION

The operation has undergone substantial technical development through three distinct iterations. Initial months following emergence featured C#-based implementation with basic encryption capabilities. Around 2022-2023, technical development introduced Go-based implementation with BYOVD technique integration using vulnerable drivers including RTCore64.sys and DBUtil_2_3.sys for SYSTEM-level access.

Current operations since 2024 feature BlackByteNT written in C/C++ with cross-platform capabilities, VMware ESXi targeting via CVE-2024-37085, and worm-like self-propagation abilities demonstrating rapid vulnerability integration within days of disclosure.

0.3
Lineage/Connections

Technical analysis indicates potential connections to disbanded Conti ransomware operations through shared TTP patterns, timing correlations, and similar worm-capable architectures. Intelligence assessments note medium confidence for attribution connections based on circumstantial evidence including volume shadow copy deletion techniques and SMB-based lateral movement capabilities that align with Conti operational methods.

Which Unique Techniques Does BlackByte Use?

The group employs multi-stage attack chains that leverage both custom tools and legitimate administrative software to achieve comprehensive network compromise.

TECHNIQUE

DETAILS

Infection Vectors

ProxyShell vulnerability exploitation targeting Microsoft Exchange servers through CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207; VPN credential brute-forcing with MFA fatigue attack integration; VMware ESXi authentication bypass via CVE-2024-37085 for hypervisor compromise; legitimate RMM tool abuse for persistent access establishment

Target Selection

Strategic focus on organizations in revenue ranges that represent a balance between payment capability and security limitations. Concentrated targeting of healthcare systems for maximum disruption leverage, manufacturing operations for supply chain impact, and critical infrastructure sectors across numerous countries, while deliberately avoiding Russian and CIS-based organizations for operational security

Operational Complexity

Multi-stage attack chains incorporating BYOVD techniques using multiple vulnerable drivers; APT-level tool integration with Cobalt Strike and legitimate software abuse; comprehensive data exfiltration via custom ExByte tool targeting cloud storage platforms; advanced C2 infrastructure with Tor-based communications; rare worm-like self-propagation capabilities enabling autonomous SMB-based lateral movement

Key Features & Technical Details

Technical architecture represents advanced ransomware engineering with cross-platform capabilities and comprehensive evasion mechanisms designed to maximize impact while evading defensive countermeasures.

FEATURE

DETAILS

Encryption Method

Hybrid AES-256 with RSA-4096, or ChaCha20 with Curve25519, making recovery without the attacker's private keys practically impossible

File Extension

.blackbytent_h for BlackByteNT encrypted files with version-specific naming conventions

Ransom Note

BB_Readme_file.txt with Bitcoin payment instructions and Tor-based negotiation portal access

Double Extortion

Custom ExByte tool providing direct integration with MEGA, transfer.sh, Gofile cloud platforms

Communication Channels

Tor-based auction sites and encrypted C2 infrastructure with multiple server rotation

Deployment Speed

Compressed attack timeline with worm-like propagation enabling organization-wide encryption within hours

Payment Method

Bitcoin payments through advanced cryptocurrency laundering and mixing services

Operational Model

Professional RaaS with traditional affiliate splits and comprehensive technical support

Activities

Maintaining sustained high-volume operations across global targets, with successful attacks estimated to number in the hundreds annually based on analytical assessments of disclosed versus actual activity levels. The group combines an exceptional operational tempo with rapid scaling capabilities and professional affiliate support structures, contributing to consistently high success rates.

Which Industries Are Most Vulnerable to BlackByte?

Recent activity patterns indicate strategic focus on high-value sectors including healthcare systems, manufacturing enterprises, and critical infrastructure organizations. Operations have expanded to target VMware ESXi hypervisors using newly disclosed authentication bypass vulnerabilities, demonstrating rapid adaptation to emerging attack surfaces and cross-platform evolution capabilities.

Modus Operandi

Comprehensive attack methodologies integrate advanced technical capabilities with strategic operational security, enabling systematic network compromise and data destruction across enterprise environments.

Details

ProxyShell exploitation targeting Microsoft Exchange servers via Exploit Public-Facing Application (T1190); VPN credential brute-forcing through Valid Accounts (T1078) with MFA fatigue integration; VMware ESXi authentication bypass exploitation for hypervisor compromise.

Domain enumeration via Domain Account (T1087.002) using PowerView, AdFind, and native Windows commands; network reconnaissance through Remote System Discovery (T1018) with SoftPerfect NetScan for host identification and asset mapping.

Cobalt Strike beacon deployment via Remote Access Software (T1219) for command and control; AnyDesk and ScreenConnect integration for persistent administrative access; legitimate RMM tool abuse for operational camouflage.

BYOVD implementation via Exploitation for Privilege Escalation (T1068) using RTCore64.sys, DBUtil_2_3.sys, and additional vulnerable drivers; UPX packing through Obfuscated Files or Information (T1027); process injection targeting svchost.exe via Process Injection (T1055).

LSASS memory extraction via LSASS Memory (T1003.001) for credential harvesting; NTDS.dit database theft through NTDS (T1003.003) from domain controllers; ADCS certificate abuse for administrative impersonation.

Tor-based communication infrastructure via Ingress Tool Transfer (T1105) with encrypted channels; multiple C2 server rotation for operational resilience; legitimate certificate abuse for traffic masquerading.

SMB admin share exploitation through SMB/Windows Admin Shares (T1021.002) using compromised credentials; RDP sessions via Remote Desktop Protocol (T1021.001) to critical infrastructure; automated worm-like propagation capabilities.

Custom ExByte tool deployment via Exfiltration to Cloud Storage (T1567.002) for direct cloud platform integration; WinRAR-based archiving through Archive via Utility (T1560.001); automated document and credential collection.

ASPX web shell deployment via Web Shell (T1505.003) in Exchange server directories; registry persistence through Registry Run Keys (T1547.001); scheduled task creation for backdoor maintenance.

Organization-wide system encryption causing operational disruption; worm-like propagation enabling rapid network-wide compromise; comprehensive backup destruction creating recovery challenges; critical service interruption across enterprise infrastructure.

Hybrid encryption deployment via Data Encrypted for Impact (T1486) using AES-256/RSA-4096 schemes; partial encryption optimization for performance enhancement; systematic file targeting with size-based thresholds.

Multi-million dollar ransom demands with Bitcoin payment requirements; double extortion tactics threatening data publication; Tor-based negotiation platforms for victim communication.

Volume shadow copy deletion through Inhibit System Recovery (T1490); comprehensive backup system targeting; log destruction for evidence elimination; anti-forensics implementation.
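As an added example (not from the profile or from any BlackByte tooling), the following Python triage rules match four of the behaviours listed above (BYOVD driver loads, shadow copy deletion, ASPX drops under the Exchange tree, Run key persistence) against constructed endpoint telemetry; the event shape and field names are assumptions loosely modelled on Sysmon-style records.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Vulnerable drivers the profile names for BYOVD (T1068).
BYOVD_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys"}
# Driver staging path and Run key from the profile's IOC list (lower-cased).
STAGING_DIR = r"c:\systemdata\renegotiates"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# T1490: shadow copy deletion via vssadmin or wmic.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
# T1505.003: an .aspx file written somewhere under the Exchange install tree.
ASPX_IN_EXCHANGE = re.compile(r"\\exchange server\\.*\.aspx$", re.I)

def classify(event: dict) -> Optional[str]:
    """Return a technique tag when a single event matches a BlackByte pattern."""
    kind = event.get("type")
    image = event.get("image", "").lower()
    if kind == "driver_load":
        if image.rsplit("\\", 1)[-1] in BYOVD_DRIVERS or image.startswith(STAGING_DIR):
            return "T1068 BYOVD driver load"
    elif kind == "process_create":
        if SHADOW_DELETE.search(event.get("cmdline", "")):
            return "T1490 shadow copy deletion"
    elif kind == "file_create":
        if ASPX_IN_EXCHANGE.search(event.get("path", "")):
            return "T1505.003 web shell write"
    elif kind == "registry_set":
        if event.get("key", "").lower().startswith(RUN_KEY):
            return "T1547.001 Run key persistence"
    return None

def triage(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (host, technique) pairs for every event that matches a rule."""
    return [(e.get("host", "?"), tag) for e in events if (tag := classify(e))]

# Constructed sample telemetry, not real captures; field names are assumed.
SAMPLE_EVENTS = [
    {"type": "driver_load", "host": "srv01", "image": r"C:\SystemData\rENEgOtiAtES\RTCore64.sys"},
    {"type": "process_create", "host": "srv01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_create", "host": "exch01",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\x.aspx"},
    {"type": "registry_set", "host": "ws07",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "process_create", "host": "ws07", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for host, tag in triage(SAMPLE_EVENTS):
        print(host, tag)
```

The benign notepad event is included so the rules can be checked for a clean miss as well as the four expected hits.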

Indicators of Compromise (IOCs)

Operations generate distinctive technical indicators across file systems, network infrastructure, and behavioral patterns that enable detection and attribution of compromise activities.

INDICATOR

DETAILS

File Hashes

SHA256: e837f252af30cc222a1bce815e609a7354e1f9c814baefbb5d45e32a10563759 for ransomware payload
SHA256: 2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6 for ExByte exfiltration tool
SHA256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd for RTCore64.sys vulnerable driver
SHA256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 for Cobalt Strike beacon

IP Addresses

185.93.6.31 (C2 infrastructure server)
109.206.242.59 (C2 infrastructure server)

Domains/URLs

myvisit.alteksecurity.org (C2 communication domain)
temp.sh (C2 communication domain)
g.api.mega.co.nz (ExByte exfiltration endpoint)

File Paths

BB_Readme_file.txt (ransom note filename)
C:\SystemData\MsExchangeLog1.log (operational log directory)
C:\SystemData\rENEgOtiAtES (vulnerable driver staging)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (registry persistence)

File Extensions

.blackbytent_h (encrypted file extension for variant)
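As an added example (not from the profile or from any BlackByte tooling), the Python sweep below walks a directory tree and reports the host artifacts listed in this section: the ransom note name, the encrypted file extension, the driver staging directory, and SHA256 matches against the four hashes above. The sample tree is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA256 values and labels as listed in the profile's IOC table.
KNOWN_SHA256 = {
    "e837f252af30cc222a1bce815e609a7354e1f9c814baefbb5d45e32a10563759": "ransomware payload",
    "2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6": "ExByte exfiltration tool",
    "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd": "RTCore64.sys vulnerable driver",
    "5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103": "Cobalt Strike beacon",
}
RANSOM_NOTE = "bb_readme_file.txt"
ENCRYPTED_EXT = ".blackbytent_h"
STAGING_DIRS = {"renegotiates"}  # final component of C:\SystemData\rENEgOtiAtES

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root: str, hashes: Dict[str, str] = KNOWN_SHA256) -> List[Tuple[str, str]]:
    """Return sorted (path, reason) pairs for every artifact matching the IOCs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in STAGING_DIRS:
                hits.append((os.path.join(dirpath, d), "driver staging directory"))
        for name in filenames:
            full, low = os.path.join(dirpath, name), name.lower()
            if low == RANSOM_NOTE:
                hits.append((full, "ransom note"))
            elif low.endswith(ENCRYPTED_EXT):
                hits.append((full, "encrypted file extension"))
            elif (digest := sha256_file(full)) in hashes:
                hits.append((full, "known hash: " + hashes[digest]))
    return sorted(hits)

def build_sample_tree() -> str:
    """Construct a throwaway tree: one clean file plus three planted artifacts."""
    root = tempfile.mkdtemp(prefix="bb_demo_")
    os.makedirs(os.path.join(root, "SystemData", "rENEgOtiAtES"))
    for rel, data in [("Docs/budget.xlsx.blackbytent_h", b"\x00" * 64),
                      ("Docs/BB_Readme_file.txt", b"constructed note"),
                      ("Docs/clean.txt", b"nothing to see")]:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for path, reason in sweep(build_sample_tree()):
        print(reason, "->", path)
```

Hash matching is the weakest signal here, since affiliates rebuild payloads; the name, extension and staging-directory checks are what catch the constructed tree.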

Exploits and Vulnerabilities

CVE

CVSS SCORE

VULNERABILITY NAME

DESCRIPTION

CVE-2021-34473

9.8 (Critical)

Microsoft Exchange ProxyShell RCE

Server-side request forgery enabling remote code execution through admin context exploitation in Exchange servers

CVE-2021-34523

9.8 (Critical)

Microsoft Exchange Privilege Escalation

Authentication bypass vulnerability allowing domain administrator impersonation and privilege escalation

CVE-2021-31207

7.2 (High)

Microsoft Exchange Security Feature Bypass

File write operations bypass through authentication vulnerability enabling arbitrary file placement

CVE-2024-37085

6.8 (Medium)

VMware ESXi Authentication Bypass

Hypervisor authentication bypass enabling ESXi Admins AD group manipulation and privilege escalation

CVE-2019-16098

7.8 (High)

MSI Afterburner RTCore64.sys Privilege Escalation

Vulnerable driver exploitation enabling BYOVD techniques and security product bypass