
Analysis of BlackByte Ransomware’s Go-Based Variants

May 2022 by Zscaler

Zscaler has released a new blog post titled "Analysis of BlackByte Ransomware's Go-Based Variants", which examines two variants of the Go-based implementation of BlackByte ransomware.

BlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting corporations worldwide since July 2021. More recently, the authors rewrote the ransomware in the Go programming language. The BlackByte Go variant was used in attacks described in an FBI advisory, which warned that BlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors.

The key points include:

• BlackByte is a full-featured ransomware family that first emerged around July 2021
• The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021
• The threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not paid
• The group has demanded multi-million dollar ransoms from some victims
• BlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation algorithms
• In early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server
• More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption
