Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Apple blocked $7 billion in fraudulent App Store purchases in 4 years

Featured Deal: Save $170 on 1TB of high-speed file storage with FolderFort

Latest Buyer's Guide:    Best web browsers with built in VPN: Boost online privacy

Generic User Avatar

BlackByte Ransomware (.blackbyte) Support Topic

Started by andgx , Jul 19 2021 08:20 AM

  • Please log in to reply
20 replies to this topic

#1 andgx

andgx

  • Avatar image
  • Members
  • 3 posts
  • OFFLINE
    •  
  • Local time:07:13 PM

Posted 19 July 2021 - 08:20 AM

Hello, 

 

We are facing with a new ransom named "Blackbyte"

 

We don't find any information about that, in google, duckduckgo or dark web.

 

 

Anyone has more details? 

 

BlackByte: "HELLO!"
your network has been hacked
 
Your documents, and databases encrypted 
To decrypt your files, you need to purchase our decryptor. 
To decrypt files, follow the instructions below.
 
FULL INSTRUCTION
1) Email us: blackbyte1@onionmail.org
2) Your domain should be in the email header
3) The body of the letter should contain the key given to you in the note.
4) If you do not write to us within the next 3 days, your details will be posted on our auction.
5) To prove that we can decrypt files, we can decrypt 2 files for free, it should be no more than 3 MB and should not contain important information.
6) Don't use 3rd party software to try decrypt your files, you can cause damage and even we won't be able to restore them.
Our auction is available here: 6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion, for access use Tor Browser
 
Your key 
xxxxxxxxxxxxxxxxxx.

Attached Files

  • Attached File  1.png   146.58KB   3 downloads
  • Attached File  2.png   127.98KB   0 downloads

Edited by quietman7, 19 September 2021 - 04:14 PM.

BC AdBot (Login to Remove)

 

#2 thomascnk

thomascnk

  • Avatar image
  • Members
  • 1 posts
  • OFFLINE
    •  
  • Local time:08:13 PM

Posted 19 July 2021 - 09:53 AM

we also faced with blackbyte.


#3 quietman7

quietman7

    Bleepin' Gumshoe


  • Avatar image
  • Global Moderator
  • 61,960 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:13 PM

Posted 19 July 2021 - 10:43 AM

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results

 
If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 (Michael Gillespie) to manually inspect the files and check for possible file markers.
 

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Avatar image
  • Members
  • 3,058 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:11:13 PM

Posted 19 July 2021 - 04:12 PM

Hello, andgx

Hello, thomascnk

 

Put the 'BlackByte_restoremyfiles.hta' file in the archive with the password 'note123' and attach it to the forum message.

 

Some antiviruses, cloud services and forum protection can delete the hta file as dangerous. 

Therefore, it must be archived with a password.

 

You can also transfer the file through a sharing site, For example, this https://dropmefiles.com/

Just drag the file to the site, do not enter any addresses or contacts. 


Edited by Amigo-A, 20 July 2021 - 06:44 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 

#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Avatar image
  • Security Colleague
  • 4,770 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:USA
  • Local time:12:13 PM

Posted 19 July 2021 - 05:43 PM

Likely new, only seeing two IPs submitted to ID Ransomware so far. Need the malware executable to analyze.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#6 Byzt

Byzt

  • Avatar image
  • Members
  • 106 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:08:13 PM

Posted 03 August 2021 - 04:38 PM

do u have sql files , virtual image files or compressed files to needed?


#7 MyoMyintHtike

MyoMyintHtike

  • Avatar image
  • Members
  • 3 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Myanmar
  • Local time:12:43 AM

Posted 18 September 2021 - 09:22 AM

Likely new, only seeing two IPs submitted to ID Ransomware so far. Need the malware executable to analyze.

Malware maybe the script file (obamka.js), run with the help of wscript.exe. It has self destroyed function and run as scheduled task.

 I uploaded the sample encrypted file and ransom note.

https://www.mediafire.com/file/gmccf0gard6yhzr/BlackByte.rar/file

Attached Files


Edited by MyoMyintHtike, 18 September 2021 - 09:33 AM.

#8 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Avatar image
  • Members
  • 3,058 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:11:13 PM

Posted 19 September 2021 - 04:10 AM

Hello MyoMyintHtike!
 
Many Thanks!
 
After opening the article describing this BlackByte Ransomware, we did not have the full text of the note. Probably the topic starter could not copy the text and could not send me the note file.
 
You did it. Honor and Praise to you!

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 

#9 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Avatar image
  • Members
  • 3,058 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:11:13 PM

Posted 19 September 2021 - 04:29 AM

Dear MyoMyintHtike

 

If you have the opportunity to upload files from the screenshot (highlighted with a red line), then put them in an archive with a password (your login on the forum) and give me a link to PM using the exchange site.


Edited by Amigo-A, 19 September 2021 - 04:33 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 

#10 quietman7

quietman7

    Bleepin' Gumshoe


  • Avatar image
  • Global Moderator
  • 61,960 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:13 PM

Posted 19 September 2021 - 08:41 AM

Topic title changed to reflect naming convention and direct other victims to this support topic.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 MyoMyintHtike

MyoMyintHtike

  • Avatar image
  • Members
  • 3 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Myanmar
  • Local time:12:43 AM

Posted 20 September 2021 - 01:31 AM

Dear MyoMyintHtike

 

If you have the opportunity to upload files from the screenshot (highlighted with a red line), then put them in an archive with a password (your login on the forum) and give me a link to PM using the exchange site.

 

Threat actors deleted obamka.js file in all servers.

Fortunately, I got obamka.js file from one AD Server.

I uploaded and sent to you. Please check PM. (In attachment file, the autorun file (.arn) already included)


#12 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Avatar image
  • Members
  • 3,058 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:11:13 PM

Posted 20 September 2021 - 09:51 AM

I downloaded it, thanks.

JS loader is unfortunately not supported. Need to use a real PC online.


My site: The Digest "Crypto-Ransomware"  + Google Translate 

 

#13 mgoeben

mgoeben

  • Avatar image
  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:08:13 PM

Posted 20 September 2021 - 10:02 AM

Hi!

 

From a computer that was encrypted by BlackByte I got an "1709.exe" with an icon of Mr.Death, is that something that will help you to investigate this ransomware?

 

Also on this Computer I can see a lot of processes "wordpad.exe /p c:\bb.dll" all startet by an invisible cms process.

 

There is one additional thing that makes me wonder, there are a lot of large files encrypted within the same minute on an slow attached NAS, so that is looks as there were only some bytes written to the beginning, or the end of the file, is that possible

 

Regards


#14 Darksupport

Darksupport

  • Avatar image
  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:01:13 PM

Posted 20 September 2021 - 11:11 PM

Hi
 
I'm trying to get services of a company where he was attacked by blackbyte, let me know how I can help you sample up or run any application to find any trace of the attack.
 
regards

#15 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  • Avatar image
  • Members
  • 3,058 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:11:13 PM

Posted 21 September 2021 - 04:46 AM

is that possible

 

Yes, it is possible. It will be nice if a lot of files are not encrypted or damaged.

 

Upload the '1709.exe' and one 'wordpad.exe' files to the sites and give us a link to the results here.
https://www.virustotal.com/gui/  (registration is not needed, but I will not be able to download the file)
https://tria.ge/submit  (you need to register, and I can download the file.)

Edited by Amigo-A, 21 September 2021 - 04:50 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 

Back to Ransomware Help & Tech Support


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users


  1. BleepingComputer Forums
  2. Security
  3. Ransomware Help & Tech Support
  4. Privacy Policy
  5. Rules ·