Analytics Story: BlackByte Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activity that might relate to the BlackByte ransomware, including file writes associated with BlackByte, persistence, initial access, account and registry modification, and more.

Why it matters

BlackByte ransomware campaigns targeting business operations involve ransomware payloads and an infection chain that collects and exfiltrates data before dropping the payload on the targeted system. BlackByte ransomware infiltrates a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.

Detections

Name | Technique | Type
---- | --------- | ----
Suspicious MSBuild Rename | Rename Legitimate Utilities, MSBuild | Hunting
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Anomalous usage of 7zip | Archive via Utility | Anomaly
Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Allow File And Printing Sharing In Firewall | Cloud Firewall | TTP
Suspicious msbuild path | Rename Legitimate Utilities, MSBuild | TTP
Ping Sleep Batch Command | Time Based Checks | Anomaly
Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting
Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP
Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly
Detect Renamed PSExec | Service Execution | Hunting
Windows Modify Registry EnableLinkedConnections | Modify Registry | TTP
Suspicious Rundll32 StartW | Rundll32 | TTP
Windows Modify Registry LongPathsEnabled | Modify Registry | Anomaly
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
Windows MSExchange Management Mailbox Cmdlet Usage | PowerShell | Anomaly
Allow Network Discovery In Firewall | Cloud Firewall | TTP
Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP
Suspicious microsoft workflow compiler rename | Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution | Hunting
Exchange PowerShell Module Usage | PowerShell | TTP
Exchange PowerShell Abuse via SSRF | External Remote Services, Exploit Public-Facing Application | TTP
Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Windows Remote Image Load | Command and Scripting Interpreter, Exploitation for Privilege Escalation, Shared Modules, Exploitation for Client Execution | Anomaly
Suspicious DLLHost no Command Line Arguments | Process Injection | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly
Windows Exchange Autodiscover SSRF Abuse | External Remote Services, Exploit Public-Facing Application | TTP
Disabling Firewall with Netsh | Disable or Modify Tools | Anomaly
CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Excessive File Deletion In WinDefender Folder | Data Destruction | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Services Escalate Exe | Abuse Elevation Control Mechanism | TTP
Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly
Windows Excessive Service Stop Attempt | Service Stop | TTP
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP
Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly
Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
Windows Vulnerable Driver Loaded | Windows Service | Hunting
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Windows RDP Connection Successful | RDP Hijacking | Hunting

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows IIS | Windows | IIS:Configuration:Operational | IIS:Configuration:Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log RemoteConnectionManager 1149 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Source: GitHub | Version: 2