{"id":5714,"date":"2024-09-09T17:11:17","date_gmt":"2024-09-09T15:11:17","guid":{"rendered":"https:\/\/www.numeryx.fr\/blackbyte-cybercriminal-group-specializing-in-ransomware\/"},"modified":"2024-09-13T15:48:31","modified_gmt":"2024-09-13T13:48:31","slug":"blackbyte-cybercriminal-group-specializing-in-ransomware","status":"publish","type":"post","link":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/","title":{"rendered":"BlackByte, cybercriminal group specializing in Ransomware"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">BlackByte combines proven techniques with recently disclosed vulnerabilities to support its ongoing attacks<\/h2>\n\n<ul class=\"wp-block-list\">\n<li>The BlackByte ransomware group continues to rely on the tactics, techniques and procedures (TTPs) that have defined it since its inception, while continually adapting its use of vulnerable drivers to bypass security protections and deploying ransomware capable of autonomous, worm-like propagation.<br\/><\/li>\n\n\n\n<li>BlackByte has also been observed using techniques that deviate from its established methods, such as exploiting <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">CVE-2024-37085<\/mark>, an authentication bypass in VMware ESXi, within days of its disclosure, and using a victim&#8217;s own authorized remote access mechanism (here, the VPN) rather than deploying a commercial remote administration tool such as AnyDesk.<br\/><\/li>\n\n\n\n<li>A new iteration of the BlackByte encryptor appends the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">blackbytent_h<\/mark> file extension to encrypted files, drops four vulnerable driver files instead of the three previously observed, and uses the victim&#8217;s Active Directory credentials to propagate.<br\/><\/li>\n\n\n\n<li>The BlackByte group is more active than its data leak site suggests: only an estimated 20-30% of successful attacks result in a public extortion post.<\/li>\n<\/ul>\n\n<p><strong>BlackByte is a ransomware-as-a-service (RaaS) group<\/strong> believed to be an offshoot of the Conti ransomware group.\nFirst observed in mid-to-late 2021, its modus operandi includes the use of vulnerable drivers to bypass security controls, the deployment of self-propagating ransomware with worm-like capabilities, and the use of living-off-the-land binaries (LoLBins) and other legitimate commercial tools in its attack chain. <\/p>\n\n<p>BlackByte has rewritten its ransomware binary over time, with versions written in <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Go, .NET, C++, or a combination of these languages<\/mark>.\nThe group&#8217;s continuous efforts to improve its tools, its operations and even its data leak site are well documented. 
<\/p>\n\n<h2 class=\"wp-block-heading\">Initial access<\/h2>\n\n<p>In a recent BlackByte ransomware attack, the threat actor gained initial access using valid credentials for the victim organization&#8217;s VPN.\nTelemetry limitations and the loss of evidence during the ransomware encryption event prevented Talos IR from determining whether the credentials had been obtained by brute force against the VPN interface or were already known to the adversary before the attack.\nHowever, Talos IR has moderate confidence that brute-force authentication, facilitated by internet scanning, was the initial access vector, based on the following observations:  <\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The account initially compromised by the adversary<\/mark><\/strong> had a basic naming convention and, reportedly, a weak password.<\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The VPN interface<\/mark><\/strong> could have allowed a domain account to authenticate without multi-factor authentication (MFA) if the target account had a specific configuration in Active Directory.<\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">BlackByte has a track record<\/mark><\/strong> of researching and exploiting publicly available vulnerabilities, such as the ProxyShell vulnerabilities in Microsoft Exchange Server.<\/li>\n<\/ul>\n\n<p>Given BlackByte&#8217;s history of exploiting public vulnerabilities for initial access, using the VPN for remote access may represent a slight change in technique or may simply have been opportunistic.\nUsing the victim&#8217;s VPN also offers the adversary other advantages, including reduced visibility from the organization&#8217;s endpoint detection and response (EDR) tooling, since no remote-access tool has to be dropped on an endpoint where an EDR agent could observe it. 
<\/p>\n\n<h2 class=\"wp-block-heading\">Reconnaissance and enumeration<\/h2>\n\n<p>After gaining initial access to the environment, the adversary escalated privileges by compromising two Domain Admin accounts.\nOne of these accounts was used to access the organization&#8217;s VMware vCenter server and, shortly afterwards, to create Active Directory computer objects for the individual VMware ESXi hypervisors, joining them to the domain.   <\/p>\n\n<p>The same account was then used to create several other accounts and add them to an Active Directory group named &#8220;ESX Admins&#8221;.\nTalos IR assesses that this group was created to exploit <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">CVE-2024-37085<\/mark>, an authentication bypass in VMware ESXi known to be used by several ransomware groups.\nSuccessful exploitation grants members of an Active Directory group with that specific name full administrative access to the ESXi host, enabling control of virtual machines (VMs), modification of the host configuration, and access to system logs, diagnostic tools and performance monitoring.  
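<\/p>\n\n<p>As an added example (not part of the original article), the following Python script replays the Active Directory changes described above against constructed Windows Security events from a domain controller and raises alerts for the sequence that precedes CVE-2024-37085 abuse: computer objects being joined by a privileged account, a group literally named &#8220;ESX Admins&#8221; being created, and members being added to it. The event IDs are the standard ones for these operations (4741 computer account created, 4727\/4731\/4754 security group created, 4728\/4732\/4756 member added); the account names, host names and timestamps are invented sample data.<\/p>\n
```python
# Added example: flag the Active Directory changes that precede CVE-2024-37085 abuse.
# Not code from the original article; the events below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

# ESXi grants full admin rights to members of a domain group with exactly this name.
TARGET_GROUP = 'esx admins'
GROUP_CREATED = {4727, 4731, 4754}   # global, local, universal security group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global, local, universal group
COMPUTER_CREATED = 4741              # computer account created (domain join)

# Constructed Security-log records (subject = account performing the change).
SAMPLE_EVENTS = [
    {'time': '2024-06-10T02:11:05', 'id': 4741, 'subject': 'CORP\\da-backup', 'target': 'ESXI01$'},
    {'time': '2024-06-10T02:12:40', 'id': 4741, 'subject': 'CORP\\da-backup', 'target': 'ESXI02$'},
    {'time': '2024-06-10T02:15:00', 'id': 4727, 'subject': 'CORP\\da-backup', 'target': 'ESX Admins'},
    {'time': '2024-06-10T02:15:30', 'id': 4728, 'subject': 'CORP\\da-backup', 'target': 'ESX Admins',
     'member': 'CORP\\svc-vmw'},
    {'time': '2024-06-10T02:16:02', 'id': 4728, 'subject': 'CORP\\da-backup', 'target': 'ESX Admins',
     'member': 'CORP\\jdoe'},
    {'time': '2024-06-10T09:30:00', 'id': 4728, 'subject': 'CORP\\helpdesk1', 'target': 'Printer Operators',
     'member': 'CORP\\asmith'},
]


def _ts(ev):
    return datetime.fromisoformat(ev['time'])


def detect_esx_admins_abuse(events, window_hours=24):
    """Return alerts as dicts with 'rule', 'subject' and 'detail', in event order."""
    joins = defaultdict(list)            # subject -> [(time, computer account)]
    for ev in events:
        if ev['id'] == COMPUTER_CREATED:
            joins[ev['subject']].append((_ts(ev), ev['target']))
    window = timedelta(hours=window_hours)
    alerts = []
    for ev in events:
        if ev.get('target', '').lower() != TARGET_GROUP:
            continue                     # only the group ESXi trusts by name matters here
        if ev['id'] in GROUP_CREATED:
            alerts.append({'rule': 'esx_admins_group_created', 'subject': ev['subject'],
                           'detail': ev['target']})
            # The same account also domain-joined machines around the same time:
            # in the intrusion above, those were the ESXi hosts themselves.
            hosts = sorted(name for t, name in joins[ev['subject']] if window >= abs(_ts(ev) - t))
            if hosts:
                alerts.append({'rule': 'esx_admins_creator_joined_computers', 'subject': ev['subject'],
                               'detail': ','.join(hosts)})
        elif ev['id'] in MEMBER_ADDED:
            alerts.append({'rule': 'esx_admins_member_added', 'subject': ev['subject'],
                           'detail': ev['member']})
    return alerts


if __name__ == '__main__':
    for alert in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(alert['rule'], alert['subject'], alert['detail'])
```
<p>The check is deliberately name-based, because the vulnerability hinges on the group name rather than on any particular SID; in a SIEM the same logic is a join between the group events and the 4741 events of the same subject inside the window. On the hypervisor side, the trust in that group name is governed by the ESXi advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd; setting the latter to false stops the host from automatically granting the group administrative rights.<\/p>\n<p>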
<\/p>\n\n<p>Talos IR observed the threat actor exploiting this vulnerability, which initially received limited attention from the security community, within days of its publication.\nThis illustrates how quickly ransomware groups like BlackByte fold newly disclosed vulnerabilities into their TTPs, and the time and effort they invest in identifying openings to advance an attack. <\/p>\n\n<p>The threat actor accessed other systems, directories and files in each victim environment using protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP).\nAnalysis of system event logs and authentication logs revealed a consistent pattern: the threat actor authenticated almost exclusively with NT LAN Manager (NTLM), whereas the organization&#8217;s own users primarily used Kerberos.\nThis early NTLM activity may reflect credential-reuse attacks such as pass-the-hash for lateral movement, which operate on NTLM hashes rather than Kerberos tickets.\nDynamic analysis of the ransomware binary later showed that it, too, consistently authenticated over NTLM.   <\/p>\n\n<p>Talos IR also observed the execution of a file named <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">atieclxx.exe<\/mark>&#8221;<\/strong> from the <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C:\\temp\\sys\\<\/mark>&#8221;<\/strong> directory on one of the file servers.\nThe legitimate <strong>&#8220;atieclxx.exe&#8221;<\/strong> normally resides in <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C:\\Windows\\System32<\/mark>&#8221;<\/strong>, where it supports system processes associated with AMD graphics cards.\nIn this BlackByte investigation, however, <strong>&#8220;atieclxx.exe&#8221;<\/strong> was executed from <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C:\\temp\\sys<\/mark>&#8221;<\/strong> with the command line <strong>atieclxx.exe P@$$w0rd123!!!<\/strong>.\nGiven that BlackByte actors are known to favor the string <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">P@$$w0rd<\/mark>&#8221;<\/strong> both for account passwords and as an input parameter for custom tools, this syntax could indicate an attempt to disguise malware, such as the group&#8217;s <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">custom data exfiltration tool, ExByte<\/mark><\/strong>, as a known or legitimate file.\nTalos IR was unable to obtain a copy of the file for analysis.    <\/p>\n\n<p>Finally, the threat actor was observed modifying security tool configurations through registry changes, manually uninstalling the EDR agent from several key systems and, in one investigation, changing the root password on the organization&#8217;s ESXi hosts.\nImmediately before the first sign of file encryption, a sharp increase in NTLM authentication attempts and SMB connections was observed between dozens of systems in the environment.\nThis activity was later understood to be characteristic of the ransomware&#8217;s self-propagation mechanism.  <\/p>\n\n<h2 class=\"wp-block-heading\">Data exfiltration<\/h2>\n\n<p>Telemetry limitations, the effect of the ransomware&#8217;s encryption process and the adversary&#8217;s use of an off-network staging location prevented Talos IR from reaching a high-confidence assessment of the exfiltration methods, or even of whether exfiltration took place.\nAs noted above, the possible use of BlackByte&#8217;s custom data exfiltration tool, <strong>ExByte<\/strong>, was observed but could not be confirmed. 
<\/p>\n\n<h2 class=\"wp-block-heading\">Ransomware execution<\/h2>\n\n<p><strong>Similarities with previous reports<\/strong><\/p>\n\n<p>In recent cases, the BlackByte ransomware binary, <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">host.exe<\/mark>&#8221;<\/strong>, was executed from the same directory, <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C:\\Windows<\/mark>&#8221;<\/strong>, on every victim investigated by Talos IR.\nThe command syntax used by the adversary in each attack, <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C:\\Windows\\host.exe -s [eight-digit numeric string] svc<\/mark><\/strong>, and the behavior of the ransomware binary are consistent with previous analyses of the BlackByteNT binary by <strong><u>Microsoft<\/u><\/strong>, <strong><u>DuskRise<\/u><\/strong>, <strong><u>Acronis<\/u><\/strong> and others.\nSimilarities include:  <\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The ransomware binary will not execute without the correct eight-digit numeric string passed to the &#8220;-s&#8221; parameter.<\/mark><\/strong> This eight-digit value was the only element of the command syntax that varied between victims.\nIn one attack, the adversary ran two different encryptors in sequence, each with its own <strong>&#8220;-s&#8221;<\/strong> value, although it is not clear why multiple encryptors were used. <\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The &#8220;svc&#8221; parameter causes the ransomware to install itself as a service.<\/mark><\/strong> This appeared to turn an infected system into an additional propagator in the ransomware&#8217;s worm-like spread.\nSMB and NTLM authentications were observed against hosts reached after the ransomware service was created, resulting in several waves of encryption hours after the initial event. <\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The ransomware binary creates and mainly runs from the &#8220;C:\\SystemData&#8221; directory<\/mark>.<\/strong>\nSeveral common files are created in this directory on all BlackByte victims, including a text file named <strong>&#8220;MsExchangeLog1.log&#8221;,<\/strong> which appears to be a process-tracking log in which execution steps are recorded as the comma-separated values <strong>&#8220;q&#8221;, &#8220;w&#8221; and &#8220;b&#8221;,<\/strong> as shown in the following screenshot. <\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"674\" height=\"308\" src=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image1.png\" alt=\"Figure 1: Contents of MsExchangeLog1.log at runtime\" class=\"wp-image-5015\" style=\"width:724px;height:auto\" srcset=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image1.png 674w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image1-300x137.png 300w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><figcaption class=\"wp-element-caption\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Figure 1: Contents of MsExchangeLog1.log at runtime<\/mark><\/figcaption><\/figure><\/div>\n<ul class=\"wp-block-list\">\n<li>After a successful run, the ransomware binary executed the command:<\/li>\n<\/ul>\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/c ping 1.1.1[.]1 -n 10 &gt; Nul &amp; fsutil file setZeroData offset=0 length=503808 c:\\windows\\host.exe &amp; Del c:\\windows\\host.exe \/F \/Q<\/mark><\/strong>, which, after the delay introduced by the ping, overwrites the first 503,808 bytes of the binary with zeros and then deletes it, so that no intact copy of the encryptor is left on disk for analysis.\nThis general command structure has been observed in various BlackByte tools since 2022. <\/p>\n\n<h2 class=\"wp-block-heading\">New observations<\/h2>\n\n<p>Talos IR observed some differences in recent BlackByte attacks.\nIn particular, the encrypted files on all victims were rewritten with the <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">blackbytent_h<\/mark>&#8221;<\/strong> file extension, which has not yet appeared in public reports. 
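<\/p>\n\n<p>As an added example (not code from the original article), the following Python hunt turns the execution indicators from the previous section (the host.exe launch syntax with its eight-digit key and svc flag, execution from C:\\SystemData, the delayed zero-and-delete command) together with the masqueraded atieclxx.exe and the P@$$w0rd string from the reconnaissance section into rules that run over process-creation telemetry. The records are constructed Sysmon-style samples; the host names, the key value and the benign events are invented.<\/p>\n
```python
# Added example: hunt process-creation telemetry for the BlackByteNT execution chain
# described above. Not code from the original article; records are constructed sample data.
import os
import re

# "host.exe -s <8 digits> svc", optionally preceded by a quoted or unquoted path.
HOST_EXE_RE = re.compile('^"?(?:[a-z]:/[^ ]*/)?host[.]exe"? -s ([0-9]{8}) svc$')
# Fragments of the delayed zero-and-delete command the binary runs when it finishes.
SELF_DELETE_PARTS = ('ping 1.1.1.1 -n', 'fsutil file setzerodata', '& del ')
# String the group is known to reuse for passwords and tool parameters.
PASSWORD_STRING = 'p@$$w0rd'

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_PROCS = [
    {'host': 'FS01', 'image': 'C:\\Windows\\host.exe',
     'cmdline': 'C:\\Windows\\host.exe -s 48291037 svc'},
    {'host': 'FS01', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & fsutil file setZeroData offset=0 '
                'length=503808 c:\\windows\\host.exe & Del c:\\windows\\host.exe /F /Q'},
    {'host': 'FS01', 'image': 'C:\\temp\\sys\\atieclxx.exe',
     'cmdline': 'atieclxx.exe P@$$w0rd123!!!'},
    {'host': 'WS22', 'image': 'C:\\SystemData\\host.exe',
     'cmdline': '"C:\\SystemData\\host.exe" -s 48291037 svc'},
    {'host': 'WS07', 'image': 'C:\\Windows\\System32\\atieclxx.exe',
     'cmdline': 'atieclxx.exe'},
    {'host': 'WS07', 'image': 'C:\\Windows\\System32\\PING.EXE',
     'cmdline': 'ping 10.0.0.1 -n 4'},
]


def _norm(text):
    """Lower-case and use forward slashes so Windows paths compare without escaping."""
    return text.lower().replace('\\', '/')


def hunt_blackbyte_execution(procs):
    """Return (host, rule, detail) tuples for every record that matches a rule."""
    hits = []
    for proc in procs:
        cmd, image = _norm(proc['cmdline']), _norm(proc['image'])
        folder, name = os.path.split(image)
        launch = HOST_EXE_RE.match(cmd)
        if launch:
            # The eight-digit key is the only per-victim variable: record it for correlation.
            hits.append((proc['host'], 'blackbytent_launch', 'key=' + launch.group(1)))
        if all(part in cmd for part in SELF_DELETE_PARTS):
            hits.append((proc['host'], 'self_delete_cmd', cmd))
        if image.startswith('c:/systemdata/'):
            hits.append((proc['host'], 'systemdata_exec', image))
        if name == 'atieclxx.exe' and folder != 'c:/windows/system32':
            hits.append((proc['host'], 'masqueraded_atieclxx', image))
        if PASSWORD_STRING in cmd:
            hits.append((proc['host'], 'blackbyte_password_string', cmd))
    return hits


if __name__ == '__main__':
    for hit in hunt_blackbyte_execution(SAMPLE_PROCS):
        print(*hit)
```
<p>The eight-digit key is worth capturing as a field of its own, because it is the only part of the launch syntax that changes between victims and can therefore tie separate intrusions together. The self-delete rule matches fragments rather than the exact string because the ping target, delay and length vary between BlackByte tools while the shape of the command does not.<\/p>\n<p>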
<\/p>\n\n<p>This latest version of the encryptor also drops four vulnerable drivers as part of BlackByte&#8217;s usual <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Bring Your Own Vulnerable Driver (BYOVD)<\/mark><\/strong> technique.<\/p>\n\n<p>All four drivers were dropped by the encryptor binary in every BlackByte attack examined by Talos IR,ach following the same naming convention: eight random alphanumeric characters, followed for all but the first by an underscore and an incrementing number.\nUsing <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">AM35W2PH<\/mark>&#8221;<\/strong> as a fictitious example, the vulnerable drivers would appear, in this order, as: <\/p>\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>&#8220;AM35W2PH<\/strong>&#8221; &#8211; <strong>RtCore64.sys<\/strong><\/mark>, a driver originally shipped with MSI Afterburner, a system overclocking utility.<\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>&#8220;AM35W2PH_1<\/strong>&#8221; &#8211; <strong>DBUtil_2_3.sys<\/strong><\/mark>, a driver that is part of the Dell client firmware update utility.<\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>&#8220;AM35W2PH_2<\/strong>&#8221; &#8211; <strong>zamguard64.sys<\/strong><\/mark>, a driver that is part of the Zemana Anti-Malware (ZAM) application.<\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>&#8220;AM35W2PH_3<\/strong>&#8221; &#8211; <strong>gdrv.sys<\/strong><\/mark>, a driver that is part of the GIGABYTE Tools software package for GIGABYTE motherboards.<\/li>\n<\/ul>\n\n<p>The inclusion of <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">zamguard64.sys<\/mark>&#8221;<\/strong>, also known as <strong>&#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Terminator<\/mark>&#8221;<\/strong>, is particularly interesting, both because of recent reports from other security researchers on its prevalence and because the ransomware binary created two service-related registry keys for this file at runtime and deleted them later in the execution process.\nUsing the same fictitious string as above, these registry keys would be:   <\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2<\/mark><\/strong><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2\\SECURITY<\/mark><\/strong><\/li>\n<\/ul>\n\n<p>During dynamic analysis of several BlackByte ransomware binaries, Talos IR found that the file attempted to enumerate network shares by calling <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">NetShareEnumAll<\/mark><\/strong> over the <strong>&#8216;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">SRVSVC<\/mark>&#8217;<\/strong> named pipe, authenticating with specific user accounts belonging to the victim.\nSince this analysis was carried out in a controlled sandbox with no access to the victim network, these accounts could only have appeared in the network traffic if they were embedded in the ransomware binary itself.\nThis finding gives Talos IR high confidence that the per-victim customization of 
BlackByte&#8217;s ransomware encryptor includes the incorporation of certain forms of stolen credentials into the binary to support its worm-like propagation capability.  <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"842\" height=\"274\" src=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image2.jpg\" alt=\"Figure 2: Victim identifiers observed during ransomware execution in an isolated sandbox environment\" class=\"wp-image-5016\" srcset=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image2.jpg 842w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image2-300x98.jpg 300w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image2-768x250.jpg 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><figcaption class=\"wp-element-caption\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Figure 2: Victim identifiers observed during ransomware execution in an isolated sandbox environment<\/mark><\/figcaption><\/figure><\/div>\n<h3 class=\"wp-block-heading\"><strong>Other behaviors of interest observed<\/strong><\/h3>\n\n<p>Other interesting behaviors observed during the dynamic analysis of this version of the ransomware binary include:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Communication with <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">msdl.microsoft[.]com<\/mark> via IP address <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">204.79.197[.]219<\/mark> at the start of the execution process.\nThis site is associated with the Microsoft Public Symbol Server.\nBlackByte tools have long been observed downloading and saving debugging symbols directly from Microsoft.  
<br\/><\/li>\n\n\n\n<li>Disabling anti-virus and anti-spyware protection through values under the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER<\/mark> registry key, and adding the value <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">&#8220;*.exe&#8221;<\/mark> beneath the same key, which is consistent with an extension-based exclusion covering every executable.<br\/><\/li>\n\n\n\n<li>Deletion of system binaries from the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">&#8220;C:\\Windows\\System32&#8221;<\/mark> directory, <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">including &#8220;taskmgr.exe&#8221;, &#8220;perfmon.exe&#8221;, &#8220;shutdown.exe&#8221; and &#8220;resmon.exe&#8221;<\/mark>, removing the tools an administrator would reach for to inspect the system or interrupt the process.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><strong>Overview of BYOVD use and BlackByte victimology<\/strong><\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"557\" src=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-1024x557.jpg\" alt=\"Figure 3: Top 10 BYOVD exposures by business sector\" class=\"wp-image-5017\" srcset=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-1024x557.jpg 1024w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-300x163.jpg 300w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-768x418.jpg 768w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-1536x836.jpg 1536w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image3-2048x1115.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"> <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Figure 3: Top 10 BYOVD exposures by business sector<\/mark><\/figcaption><\/figure><\/div>\n<p>Figure 3 shows the ten business sectors with the most BYOVD exposure. BlackByte&#8217;s victimology is in line with that picture, with <strong>over 32% of known victims coming from the manufacturing sector<\/strong>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-1024x529.jpg\" alt=\"Figure 4: BlackByte victimology by sector of activity\" class=\"wp-image-5018\" srcset=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-1024x529.jpg 1024w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-300x155.jpg 300w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-768x397.jpg 768w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-1536x793.jpg 1536w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image4-2048x1058.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Figure 4: BlackByte victimology by sector of activity<\/mark><\/figcaption><\/figure><\/div>\n<p>These figures are likely to be conservative, given the gap between the number of victims published on the BlackByte data leak site over the past six to nine months and the number identified through telemetry and disclosed in public reports.\nIt is unclear why <strong>only a limited subset, estimated at between 20% and 30%, of BlackByte&#8217;s victims are ultimately published<\/strong>. 
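<\/p>\n\n<p>As an added example (not code from the original article), the following Python hunt applies the BYOVD details from the previous section to file-creation and registry telemetry: it groups files that follow the eight-character-plus-suffix naming scheme, matches their SHA-256 values against the four driver hashes listed in the IOC section at the end of this article, and flags service keys under CONTROLSET001\\SERVICES that use the same naming scheme. The events are constructed samples; the host names are invented, the placeholder hashes of the benign files are not real, and the C:\\SystemData drop directory is an assumption made for the sample only, since the article does not say where the drivers were written.<\/p>\n
```python
# Added example: hunt file and registry telemetry for the BYOVD driver drop described in
# the previous section. Not code from the original article; the events are constructed,
# and the C:\SystemData drop directory is an assumption made for the sample only.
import os
import re
from collections import defaultdict

# SHA-256 values of the four drivers, from the IOC list at the end of this article.
KNOWN_DRIVER_HASHES = {
    '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd': 'RtCore64.sys (MSI Afterburner)',
    '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5': 'DBUtil_2_3.sys (Dell)',
    '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91': 'zamguard64.sys (Zemana, Terminator)',
    '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427': 'gdrv.sys (GIGABYTE)',
}
# Eight random alphanumerics, then _1, _2, ... for the second and later drivers.
DROP_NAME_RE = re.compile('^([a-z0-9]{8})(?:_[0-9]+)?$')
# Service keys the encryptor creates (and later deletes) for the Zemana driver.
SERVICE_KEY_RE = re.compile(
    '^hklm/system/(?:currentcontrolset|controlset[0-9]{3})/services/([a-z0-9]{8}_[0-9]+)(?:/security)?$')

SAMPLE_FILES = [   # constructed file-creation records; placeholder hashes for benign files
    {'host': 'FS01', 'path': 'C:\\SystemData\\AM35W2PH',
     'sha256': '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'},
    {'host': 'FS01', 'path': 'C:\\SystemData\\AM35W2PH_1',
     'sha256': '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'},
    {'host': 'FS01', 'path': 'C:\\SystemData\\AM35W2PH_2',
     'sha256': '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91'},
    {'host': 'FS01', 'path': 'C:\\SystemData\\AM35W2PH_3',
     'sha256': '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'},
    {'host': 'WS07', 'path': 'C:\\Users\\asmith\\Downloads\\Q1REPORT', 'sha256': 'e' * 64},  # lone 8-char name
    {'host': 'WS07', 'path': 'C:\\Windows\\System32\\drivers\\ntfs.sys', 'sha256': 'f' * 64},
]
SAMPLE_REG = [     # constructed registry key-creation records
    {'host': 'FS01', 'key': 'HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2'},
    {'host': 'FS01', 'key': 'HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\AM35W2PH_2\\SECURITY'},
    {'host': 'WS07', 'key': 'HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\Spooler'},
]


def _norm(text):
    return text.lower().replace('\\', '/')


def find_driver_drops(file_events, min_files=3):
    """Group files by (host, directory, 8-char prefix); report groups of min_files or more."""
    groups = defaultdict(list)
    for ev in file_events:
        folder, name = os.path.split(_norm(ev['path']))
        m = DROP_NAME_RE.match(name[:-4] if name.endswith('.sys') else name)
        if m:
            groups[(ev['host'], folder, m.group(1))].append((name, ev['sha256'].lower()))
    drops = []
    for (host, folder, prefix), files in groups.items():
        if len(files) >= min_files:
            drops.append({'host': host, 'dir': folder, 'prefix': prefix,
                          'files': sorted(n for n, _ in files),
                          'known': sorted(KNOWN_DRIVER_HASHES[h] for _, h in files
                                          if h in KNOWN_DRIVER_HASHES)})
    return drops


def find_service_keys(reg_events):
    """Return unique (host, service name) pairs for keys matching the drop naming scheme."""
    found = set()
    for ev in reg_events:
        m = SERVICE_KEY_RE.match(_norm(ev['key']))
        if m:
            found.add((ev['host'], m.group(1)))
    return sorted(found)


if __name__ == '__main__':
    print(find_driver_drops(SAMPLE_FILES))
    print(find_service_keys(SAMPLE_REG))
```
<p>A single eight-character file or service name proves nothing on its own, which is why the drop rule needs several files sharing a prefix in one directory; the combination of the sequence suffixes, the short-lived service keys and a hash hit on any of the four drivers is what is specific to this encryptor. A hash hit should also be fed to whatever driver-blocking control is in place, because all four drivers are vendor-signed and load cleanly on a host that does not block them.<\/p>\n<p>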
<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Implications for defenders<\/strong><\/h2>\n\n<p>BlackByte&#8217;s progression through programming languages, from <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C#<\/mark><\/strong> to <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Go<\/mark><\/strong> and, most recently, to <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">C\/C++<\/mark><\/strong> in the latest version of its encryptor, <strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">BlackByteNT<\/mark><\/strong>, reflects a deliberate effort to make the malware more resistant to detection and analysis.\nNative languages such as <strong>C\/C++<\/strong> make it easier to incorporate advanced anti-analysis and anti-debugging techniques, which other security researchers have documented in BlackByte&#8217;s tools during detailed analyses. 
<\/p>\n\n<p>The self-propagating nature of the BlackByte encryptor presents additional challenges for defenders.\nThe <strong>BYOVD<\/strong> <strong>(Bring Your Own Vulnerable Driver)<\/strong> technique compounds these difficulties, since a vulnerable driver loaded into the kernel can blind or disable the security controls relied on during containment and eradication.\nHowever, because this version of the encryptor appears to rely on credentials stolen from the victim&#8217;s environment and embedded in the binary, an organization-wide reset of user credentials and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>Kerberos<\/strong> <\/mark>tickets is a highly effective containment measure: once the embedded credentials are invalid, the binary can no longer authenticate to new hosts.\nA review of <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>SMB<\/strong> <\/mark>traffic generated by the encryptor at runtime will also reveal the specific accounts used to propagate the infection across the network, and those accounts should be reset first.   <\/p>\n\n<p>From a broader perspective on how ransomware operations work, the flexibility inherent in the <a href=\"https:\/\/www.numeryx.fr\/en\/news-en-2\/blog-en\/what-is-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RaaS<\/strong> <strong>(Ransomware-as-a-Service) model<\/strong><\/a> lets threat actors rapidly counter new defensive strategies by adapting and updating their tools.\nThis creates a perpetual race between cybercriminals and defenders.\nAs BlackByte and other ransomware groups continue to evolve, organizations will need to invest in adaptive and resilient security controls and develop measures capable of keeping pace with a dynamic and diverse threat landscape.  
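<\/p>\n\n<p>As an added example (not code from the original article), the following Python script puts the authentication observations from this article into practice: it looks for accounts that, like the threat actor and the encryptor, authenticate almost exclusively over NTLM and reach many distinct hosts within a short window, which is the burst of NTLM and SMB activity seen immediately before encryption and the account list the containment advice above asks for. The records are constructed samples modelled on the fields of Windows Security event 4624 (TargetUserName, AuthenticationPackageName, LogonType, IpAddress); the account names, host names, addresses and times are invented.<\/p>\n
```python
# Added example: find accounts whose authentication pattern matches the encryptor's
# worm-like spread (NTLM-heavy, many hosts in a short window). Not code from the original
# article; the logon records are constructed sample data modelled on Security event 4624.
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(time, account, target_host, package, source_ip):
    """One network logon (4624, LogonType 3) as recorded on target_host."""
    return {'time': datetime.fromisoformat(time), 'account': account, 'target_host': target_host,
            'package': package, 'logon_type': 3, 'source_ip': source_ip}


SAMPLE_LOGONS = [
    # propagation burst: one account, NTLM, six hosts in under a minute, one source
    _logon('2024-06-11T01:00:05', 'CORP\\svc-vmw', 'FS01', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:00:09', 'CORP\\svc-vmw', 'WS07', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:00:14', 'CORP\\svc-vmw', 'WS08', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:00:21', 'CORP\\svc-vmw', 'WS09', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:00:30', 'CORP\\svc-vmw', 'SQL02', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:00:41', 'CORP\\svc-vmw', 'APP03', 'NTLM', '10.1.5.20'),
    _logon('2024-06-11T01:02:00', 'CORP\\svc-vmw', 'FS01', 'Kerberos', '10.1.5.20'),
    # normal user: Kerberos only
    _logon('2024-06-11T08:15:00', 'CORP\\jdoe', 'FS01', 'Kerberos', '10.1.7.33'),
    _logon('2024-06-11T08:40:00', 'CORP\\jdoe', 'APP03', 'Kerberos', '10.1.7.33'),
    # vulnerability scanner: NTLM, but one host per hour, so no burst
    _logon('2024-06-11T03:00:00', 'CORP\\scanner', 'WS07', 'NTLM', '10.1.9.9'),
    _logon('2024-06-11T04:00:00', 'CORP\\scanner', 'WS08', 'NTLM', '10.1.9.9'),
    _logon('2024-06-11T05:00:00', 'CORP\\scanner', 'WS09', 'NTLM', '10.1.9.9'),
]


def ntlm_fanout(events, window_minutes=10, min_hosts=5, min_ntlm_ratio=0.8):
    """Return accounts that are mostly NTLM and reach min_hosts distinct hosts inside a window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev['logon_type'] == 3:
            by_account[ev['account']].append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for account, evs in by_account.items():
        ntlm = sorted((e for e in evs if e['package'].upper() == 'NTLM'), key=lambda e: e['time'])
        ratio = len(ntlm) / len(evs)
        peak_hosts = set()
        for i, first in enumerate(ntlm):
            # distinct targets reached within the window that starts at this logon
            hosts = {e['target_host'] for e in ntlm[i:] if window >= e['time'] - first['time']}
            if len(hosts) > len(peak_hosts):
                peak_hosts = hosts
        if ratio >= min_ntlm_ratio and len(peak_hosts) >= min_hosts:
            findings.append({'account': account, 'ntlm_ratio': round(ratio, 2),
                             'peak_hosts': sorted(peak_hosts),
                             'sources': sorted({e['source_ip'] for e in ntlm})})
    return findings


if __name__ == '__main__':
    for finding in ntlm_fanout(SAMPLE_LOGONS):
        print(finding)
```
<p>The accounts returned are the ones to reset first during the credential reset described above, and the source addresses point at the hosts acting as propagators, which is where the ransomware service will be found. The thresholds are starting points rather than fixed values: tune the NTLM ratio against a baseline, because a few legacy services will be NTLM-only and should be allow-listed individually rather than raise the bar for everyone.<\/p>\n<p>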
<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Recommendations for defenders<\/strong><\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Implement multi-factor authentication (MFA)<\/mark><\/strong> for all remote access and cloud logins.\nPrefer a &#8220;verified push&#8221; method, in which the user must enter a code shown on the login screen, over less secure options such as SMS or phone calls, which are easier to phish or intercept. <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Audit the VPN configuration<\/mark><\/strong>.\nConfirm that obsolete VPN policies have been removed and that authentication attempts that do not match a current VPN policy are rejected by default, so that a domain account cannot fall through to a policy without MFA.\nRestrict VPN access to the network segments and services that remote users actually need, limiting exposure of critical assets such as domain controllers.  <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Set up alerts<\/mark><\/strong> for any change to privileged groups, such as the creation of new groups or the addition of accounts to Domain Admins.\nEnsure that administrative privileges are granted only when necessary and audited regularly thereafter.\nA privileged access management (PAM) solution can streamline the control and monitoring of privileged accounts.  <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Limit or disable the use of NTLM<\/mark><\/strong> where possible and enforce stronger authentication methods such as Kerberos instead.\nRate-limit authentication attempts and failures on both externally and internally exposed interfaces to blunt automated authentication scans. <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Disable SMBv1<\/mark><\/strong> and enforce SMB signing and encryption to hinder lateral movement and malware propagation.<br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Deploy EDR agents<\/mark><\/strong> on all systems in the environment.\nSet an uninstall password on the EDR agent to prevent unauthorized tampering with or removal of the agent, as was observed in these intrusions. <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Disable vendor accounts<\/mark><\/strong> and remote access capabilities when they are not in active use.<br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Create detections for unauthorized configuration changes<\/mark><\/strong> across the environment, including changes to Windows Defender policies and exclusions, unauthorized modifications to Group Policy Objects, and the creation of unusual scheduled tasks and services.<br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Develop and document enterprise-wide password reset procedures<\/mark><\/strong> so that all user credentials can be reset quickly and completely.\nInclude in this documentation the procedure for invalidating outstanding Kerberos tickets, which requires resetting the krbtgt account password twice. <br\/><\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Harden and patch ESXi hosts<\/mark><\/strong> to reduce the attack surface of these critical servers as much as possible, and ensure that newly disclosed vulnerabilities are patched as quickly as possible.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK mapping of the new TTPs<\/strong><\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" src=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image5-1024x499.jpg\" alt=\"BlackByte: MITRE ATT&amp;CK mapping of the new TTPs\" class=\"wp-image-5020\" srcset=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image5-1024x499.jpg 1024w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image5-300x146.jpg 300w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image5-768x374.jpg 768w, https:\/\/www.numeryx.fr\/file\/2024\/09\/BlackByte-Image5.jpg 1027w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n<h2 class=\"wp-block-heading\"><strong>IOCs<\/strong><\/h2>\n\n<p>NOTE: Some IOCs have been withheld to avoid potential identification of victims.<\/p>\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">RtCore64.sys<\/mark><\/strong> \u2013 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd<br\/><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">DBUtil_2_3.sys<\/mark><\/strong> \u2013 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5<br\/><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">zamguard64.sys<\/mark><\/strong> \u2013 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91<br\/><strong><mark 
style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">gdrv.sys<\/mark><\/strong> \u2013 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group.<\/p>\n","protected":false},"author":1,"featured_media":5650,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[174,178],"tags":[176],"class_list":["post-5714","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-our-blog","category-cybersecurity","tag-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>BlackByte, cybercriminal group specializing in Ransomware - Numeryx<\/title>\n<meta name=\"description\" content=\"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BlackByte, cybercriminal group specializing in Ransomware - Numeryx\" \/>\n<meta property=\"og:description\" content=\"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Numeryx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/numeryx\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-09T15:11:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-13T13:48:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2240\" \/>\n\t<meta property=\"og:image:height\" content=\"1260\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Numeryx\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@numeryx\" \/>\n<meta name=\"twitter:site\" content=\"@numeryx\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"NewsArticle\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\"},\"author\":{\"name\":\"Numeryx\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/96e2acddab450f59f4f2d8472eb9aa01\"},\"headline\":\"BlackByte, cybercriminal group specializing in 
Ransomware\",\"datePublished\":\"2024-09-09T15:11:17+00:00\",\"dateModified\":\"2024-09-13T13:48:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\"},\"wordCount\":2599,\"publisher\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Blog\",\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\",\"url\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\",\"name\":\"BlackByte, cybercriminal group specializing in Ransomware - Numeryx\",\"isPartOf\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg\",\"datePublished\":\"2024-09-09T15:11:17+00:00\",\"dateModified\":\"2024-09-13T13:48:31+00:00\",\"description\":\"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware 
group.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage\",\"url\":\"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg\",\"contentUrl\":\"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg\",\"width\":2240,\"height\":1260},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.numeryx.fr\/en\/home\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BlackByte ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#website\",\"url\":\"https:\/\/www.numeryx.fr\/en\/\",\"name\":\"Numeryx\",\"description\":\"Conseil en IT &amp; \u00e9dition logiciel 
technologique\",\"publisher\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/#organization\"},\"alternateName\":\"Numeryx\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.numeryx.fr\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#organization\",\"name\":\"Numeryx\",\"url\":\"https:\/\/www.numeryx.fr\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.numeryx.fr\/file\/2024\/03\/conseil-et-integration.jpg\",\"contentUrl\":\"https:\/\/www.numeryx.fr\/file\/2024\/03\/conseil-et-integration.jpg\",\"width\":1920,\"height\":500,\"caption\":\"Numeryx\"},\"image\":{\"@id\":\"https:\/\/www.numeryx.fr\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/numeryx\/\",\"https:\/\/x.com\/numeryx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/96e2acddab450f59f4f2d8472eb9aa01\",\"name\":\"Numeryx\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cf46b78a82359587b1938f08718fda58d6c5fd1bbbe2dc6cef76512c4ff25baf?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cf46b78a82359587b1938f08718fda58d6c5fd1bbbe2dc6cef76512c4ff25baf?s=96&d=mm&r=g\",\"caption\":\"Numeryx\"},\"sameAs\":[\"https:\/\/www.numeryx.fr\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"BlackByte, cybercriminal group specializing in Ransomware - Numeryx","description":"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"BlackByte, cybercriminal group specializing in Ransomware - Numeryx","og_description":"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group.","og_url":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/","og_site_name":"Numeryx","article_publisher":"https:\/\/www.facebook.com\/numeryx\/","article_published_time":"2024-09-09T15:11:17+00:00","article_modified_time":"2024-09-13T13:48:31+00:00","og_image":[{"width":2240,"height":1260,"url":"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg","type":"image\/jpeg"}],"author":"Numeryx","twitter_card":"summary_large_image","twitter_creator":"@numeryx","twitter_site":"@numeryx","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/"},"author":{"name":"Numeryx","@id":"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/96e2acddab450f59f4f2d8472eb9aa01"},"headline":"BlackByte, cybercriminal group specializing in 
Ransomware","datePublished":"2024-09-09T15:11:17+00:00","dateModified":"2024-09-13T13:48:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/"},"wordCount":2599,"publisher":{"@id":"https:\/\/www.numeryx.fr\/en\/#organization"},"image":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg","keywords":["Cybersecurity"],"articleSection":["Blog","Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/","url":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/","name":"BlackByte, cybercriminal group specializing in Ransomware - Numeryx","isPartOf":{"@id":"https:\/\/www.numeryx.fr\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg","datePublished":"2024-09-09T15:11:17+00:00","dateModified":"2024-09-13T13:48:31+00:00","description":"BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware 
group.","breadcrumb":{"@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#primaryimage","url":"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg","contentUrl":"https:\/\/www.numeryx.fr\/file\/2024\/09\/Blackbyte-Ransomware-Blog.jpg","width":2240,"height":1260},{"@type":"BreadcrumbList","@id":"https:\/\/www.numeryx.fr\/en\/latest-news\/our-blog\/blackbyte-cybercriminal-group-specializing-in-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.numeryx.fr\/en\/home\/"},{"@type":"ListItem","position":2,"name":"BlackByte ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.numeryx.fr\/en\/#website","url":"https:\/\/www.numeryx.fr\/en\/","name":"Numeryx","description":"Conseil en IT &amp; \u00e9dition logiciel 
technologique","publisher":{"@id":"https:\/\/www.numeryx.fr\/en\/#organization"},"alternateName":"Numeryx","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.numeryx.fr\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.numeryx.fr\/en\/#organization","name":"Numeryx","url":"https:\/\/www.numeryx.fr\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.numeryx.fr\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.numeryx.fr\/file\/2024\/03\/conseil-et-integration.jpg","contentUrl":"https:\/\/www.numeryx.fr\/file\/2024\/03\/conseil-et-integration.jpg","width":1920,"height":500,"caption":"Numeryx"},"image":{"@id":"https:\/\/www.numeryx.fr\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/numeryx\/","https:\/\/x.com\/numeryx"]},{"@type":"Person","@id":"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/96e2acddab450f59f4f2d8472eb9aa01","name":"Numeryx","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.numeryx.fr\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cf46b78a82359587b1938f08718fda58d6c5fd1bbbe2dc6cef76512c4ff25baf?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cf46b78a82359587b1938f08718fda58d6c5fd1bbbe2dc6cef76512c4ff25baf?s=96&d=mm&r=g","caption":"Numeryx"},"sameAs":["https:\/\/www.numeryx.fr"]}]}},"_links":{"self":[{"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/posts\/5714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.numeryx.fr\/en\/wp-
json\/wp\/v2\/comments?post=5714"}],"version-history":[{"count":8,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/posts\/5714\/revisions"}],"predecessor-version":[{"id":5999,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/posts\/5714\/revisions\/5999"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/media\/5650"}],"wp:attachment":[{"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/media?parent=5714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/categories?post=5714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.numeryx.fr\/en\/wp-json\/wp\/v2\/tags?post=5714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}