New BlackByte Exbyte ransomware tactic

Updated on 2022-10-31

The BlackByte ransomware gang is claiming responsibility for an attack on Asahi Group Company Ltd., a precision metal manufacturer, and stealing a massive amount of financial and sales data. Read more: BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider

Updated on 2022-10-24

Broadcom’s Symantec team published a report on Friday on Exbyte, a data exfiltration toolkit used by one of the affiliates of the BlackByte RaaS. The Exbyte exfiltration tool is written in Go and designed to upload stolen files to a cloud storage service.

Updated on 2022-10-21

BlackByte ransomware operators have started deploying a new exfiltration tool, named Exbyte, to speed up data theft and upload it to an external server. Read more: Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool

Updated on 2022-10-06

The BlackByte ransomware gang was found using the ‘Bring Your Own Driver’ tactic to evade protections by disabling over 1,000 drivers used by multiple security solutions. Read more: Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

Updated on 2022-10-05

The Sophos research team published a technical report on Tuesday describing a new technique employed by the BlackByte ransomware. Researchers say the group now abuses a vulnerability in the Rtcore64.sys driver to remove kernel callbacks for EDR software and limit their visibility. Rtcore64.sys is a component of MSI Afterburner, an MSI app for overclocking graphics cards. Read more:

Updated in May 2022

BlackByte threat actor goes global with its ransomware

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently moved. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.


Cisco Talos has published a report on the BlackByte ransomware crew, which AdvIntel recently connected to the larger Conti operation.

Overview: Advisory Offers BlackByte IoCs and Mitigations

A joint advisory from the FBI and the US Secret Service warns that BlackByte ransomware has been used against organizations in at least three US critical infrastructure sectors. The advisory includes a list of indicators of compromise as well as recommended mitigations.


  • The BlackByte malware bag of tricks includes exploiting unpatched vulnerabilities, particularly on Exchange, and printing ransom notes on all your printers hourly. Ingest the provided IOCs and scan for signs of activity. Also review the mitigations; beyond patching, MFA, and segmentation, consider tagging external email and either disabling hyperlinks in email or adding a hyperlink-rewriting security capability.

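The two defensive actions this page raises, ingesting the advisory's IOCs to scan for activity and watching for the Rtcore64.sys driver abuse described in the 2022-10-05 and 2022-10-06 updates, can be combined into one small detection pass. The script below is an added example and is not code from the advisory, Sophos, Symantec or Cisco Talos; it assumes driver-load telemetry in the shape of Sysmon Event ID 6 (ImageLoaded, Hashes, Signed fields), and every event line, IOC entry and hash value in it is constructed for illustration, not a real indicator.

```python
"""Added example: scan driver-load events against an advisory-style IOC
list and flag loads that look like a bring-your-own-driver attempt.

Assumptions (not from the page): telemetry is Sysmon Event ID 6 style
key=value lines; the IOC list is "type,value" lines. All sample values
are constructed placeholders."""
import re
from dataclasses import dataclass

# Constructed placeholder hash; NOT an indicator from the FBI/USSS advisory.
PLACEHOLDER_HASH = "1" * 64

# Constructed IOC list in the shape an advisory might ship it.
CONSTRUCTED_IOCS = f"""\
# type,value  (constructed placeholders)
sha256,{PLACEHOLDER_HASH}
driver,RTCore64.sys
"""

# Constructed Sysmon-style events: one benign driver, one RTCore64.sys load
# from a user-writable path, one unsigned driver from Temp, one non-driver event.
CONSTRUCTED_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\storahci.sys Hashes=SHA256=aaaa Signed=true",
    rf"EventID=6 ImageLoaded=C:\Users\Public\RTCore64.sys Hashes=SHA256={PLACEHOLDER_HASH} Signed=true",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\x.sys Hashes=SHA256=2222 Signed=false",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]

# Heuristic: drivers are not normally loaded from these locations.
USER_WRITABLE_PATHS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    image: str
    reasons: list


def parse_iocs(text):
    """Parse 'type,value' lines into sets keyed by indicator type."""
    iocs = {"sha256": set(), "driver": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind in iocs:
            iocs[kind].add(value)
    return iocs


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'Key=Value Key=Value' line into a dict (values have no spaces)."""
    return dict(_KV.findall(line))


def evaluate_event(fields, iocs):
    """Return a Finding for a driver-load event that trips any rule, else None."""
    if fields.get("EventID") != "6":  # only driver-load events are in scope
        return None
    image = fields.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    # Hashes field looks like "SHA256=...,MD5=..."; pull the SHA256 entry.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").lower()

    reasons = []
    if sha256 and sha256 in iocs["sha256"]:
        reasons.append("hash matches advisory IOC")
    if name in iocs["driver"]:
        reasons.append(f"known-abused driver name {name}")
    if any(p in image.lower() for p in USER_WRITABLE_PATHS):
        reasons.append("driver loaded from user-writable path")
    if fields.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return Finding(image, reasons) if reasons else None


def scan(event_lines, ioc_text):
    """Run every event through the rules and keep the ones that fired."""
    iocs = parse_iocs(ioc_text)
    return [f for f in (evaluate_event(parse_event(l), iocs) for l in event_lines) if f]


if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_EVENTS, CONSTRUCTED_IOCS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

Note that the driver-name and path rules fire on the legitimate MSI Afterburner component as well; that is intentional, because the abuse described above loads the genuine, signed driver, so a hash-only match would miss it and a human still has to confirm whether that host has any business running it.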

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
