Security Experts:

Connect with us

Hi, what are you looking for?



Free Decryptor Released for BlackByte Ransomware

Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.

Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.

BlackByte uses a raw key and the Advanced Encryption Standard (AES) to encrypt a victim’s files, meaning that anyone in the possession of the raw key would be able to decrypt the data.

The ransomware fetches a .PNG file that contains multiple keys, which Trustwave researchers used to create the decryptor. The free tool is available on GitHub.

Analysis of the malware also revealed that it avoids infecting systems with Russian and ex-USSR languages, that it has worm-like capabilities, and it crashes if the encryption key download fails.

BlackByte was observed preparing the target system before starting the encryption, to make sure that the process isn’t interrupted. It also checks the system language to make sure it doesn’t hit victims in specific geographies.

The malware ensures that the system won’t go to sleep during encryption, and then removes specific applications that can prevent encryption. It also kills processes that might interfere with the operation and, if it finds the Raccine anti-ransomware utility, it uninstalls it from the system.

Furthermore, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, enables the SMB1 protocol, and grants full access to target drives to anyone.

The malware is also able to enumerate hostnames in the domain from Active Directory, pings the identified ones to ensure they are alive, and then attempts to copy and execute itself on the hosts, Trustwave says.

The ransom note dropped by the malware suggests that the attackers have also stolen data from the victim, but the researchers determined that it does not have any exfiltration functionality. “So this claim is probably designed to scare their victims into complying,” the researchers explain.

Related: Attackers Encrypt VMware ESXi Server With Python Ransomware

Related: Israeli Hospital Targeted in Ransomware Attack

Related: Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...