BlackByte is a financially motivated ransomware operation known for double-extortion activity involving both data theft and file encryption. The group is widely tracked as a ransomware gang rather than a state-sponsored actor. It has operated multiple ransomware variants, including earlier C#-based builds and later versions such as BlackByte NT, and has shown the ability to revise its tooling and encryption workflow over time. BlackByte has targeted enterprise environments and conducted post-compromise operations consistent with human-operated ransomware intrusions. Observed tradecraft includes use of compromised legitimate accounts, Remote Desktop Protocol for lateral movement, deployment of commercial or commonly abused remote administration tools for persistence and access, and use of Cobalt Strike as a primary command-and-control mechanism. The group has also been associated with credential access activity such as dumping LSASS memory and collecting Active Directory database material, followed by network discovery and identification of additional systems for expansion within victim environments. Operational behavior attributed to BlackByte includes extensive use of living-off-the-land and native Windows functionality. BlackByte NT has been reported using Windows commands for anti-debugging-related behavior and self-deletion, and technical analysis has noted anti-analysis checks involving the Process Environment Block BeingDebugged flag as well as dynamic resolution of functions from core Windows libraries. The group’s broader intrusion patterns align with common ransomware TTPs such as command and scripting interpreter usage, system information discovery, defense evasion, ingress tool transfer, scheduled task or service-based persistence, and credential dumping. BlackByte has also been linked in some reporting to activity labeled as Everest ransomware. In at least one investigated intrusion, responders assessed with medium confidence that an Everest-attributed sample was related to BlackByte, based on malware analysis indicating a BlackByte lineage despite branding differences. That reporting also noted uncertainty as to whether this reflected code reuse by another actor or renewed use of an older BlackByte codebase. Because of that uncertainty, Everest should be treated as a possible related cluster or rebrand rather than a definitively established alias. Known aliases include Black-Byte and Black Byte. Security professionals most commonly refer to the group as BlackByte.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
3 malware families attributed to this actor across reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
BlackByte Ransomware Gang is known for ransomware attacks, using anti-debugging, system information discovery, and advanced process techniques to evade detection and encrypt files.
Referenced as the likely codebase/family attribution for the recovered 'Everest' ransomware sample (C# variant), suggesting either code reuse by another actor or Black-Byte reusing an older variant; no distinct intrusion details beyond this linkage are provided.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.