Analytics Story: BlackByte Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.

Why it matters

BlackByte ransomware campaigns targeting business operations involve ransomware payloads and an infection chain that collects and exfiltrates data before dropping the payload on the targeted system. BlackByte Ransomware infiltrates a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it encrypts files using strong encryption algorithms, rendering them unusable. After the encryption process completes, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.

Detections

Name | Technique | Type
CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP
Anomalous usage of 7zip | Archive via Utility | Anomaly
Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Disabling Firewall with Netsh | Disable or Modify Tools | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Windows Modify Registry EnableLinkedConnections | Modify Registry | TTP
Windows Exchange Autodiscover SSRF Abuse | External Remote Services, Exploit Public-Facing Application | TTP
Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP
Excessive File Deletion In WinDefender Folder | Data Destruction | TTP
Suspicious msbuild path | Rename Legitimate Utilities, MSBuild | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
Ping Sleep Batch Command | Time Based Checks | Anomaly
Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP
Detect Renamed PSExec | Service Execution | Hunting
Suspicious DLLHost no Command Line Arguments | Process Injection | TTP
Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Suspicious Rundll32 StartW | Rundll32 | TTP
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Services Escalate Exe | Abuse Elevation Control Mechanism | TTP
Exchange PowerShell Abuse via SSRF | External Remote Services, Exploit Public-Facing Application | TTP
Windows Remote Image Load | Command and Scripting Interpreter, Exploitation for Privilege Escalation, Shared Modules, Exploitation for Client Execution | Anomaly
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Suspicious microsoft workflow compiler rename | Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution | Hunting
Windows MSExchange Management Mailbox Cmdlet Usage | PowerShell | Anomaly
Resize ShadowStorage volume | Inhibit System Recovery | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Windows Excessive Service Stop Attempt | Service Stop | TTP
Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP
Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP
Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting
Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly
Allow Network Discovery In Firewall | Cloud Firewall | TTP
Suspicious MSBuild Rename | Rename Legitimate Utilities, MSBuild | Hunting
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
Allow File And Printing Sharing In Firewall | Cloud Firewall | TTP
Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Windows RDP Connection Successful | RDP Hijacking | Hunting
Windows Vulnerable Driver Loaded | Windows Service | Hunting
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Exchange PowerShell Module Usage | PowerShell | TTP
Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly
Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP
Windows Modify Registry LongPathsEnabled | Modify Registry | Anomaly
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP

Data Sources

Name | Platform | Sourcetype | Source
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows IIS | Windows | IIS:Configuration:Operational | IIS:Configuration:Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log RemoteConnectionManager 1149 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 2