BlackByte Ransomware – In-depth Analysis

released on 2021-10-18 @ 09:51:06 AM
During a recent malware incident response case, Trustwave encountered an interesting piece of ransomware that goes by the name of BlackByte. Trustwave found this ransomware not only interesting but also quite odd. Like other notorious ransomware families such as REvil, BlackByte avoids systems whose language is set to Russian or another ex-USSR language. It has worm functionality similar to Ryuk ransomware: before it tries to infect a target host, it builds a wake-on-LAN magic packet and sends it to that host to make sure the machine is awake. The author hosted the encryption key on a remote HTTP server, in a hidden file with a .PNG extension, and lets the program crash if the key cannot be downloaded. The RSA public key embedded in the binary is used exactly once, to encrypt the raw key so it can be displayed in the ransom note. The ransomware uses only one symmetric key to encrypt every file, so recovering that single key (for example, from the downloaded .PNG) is enough to decrypt all of the affected files.
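The wake-on-LAN step above is a concrete network artifact a defender can look for: a magic packet is always six 0xFF bytes followed by the target MAC address repeated sixteen times, usually sent as a UDP broadcast. The following is an added example, not code from the Trustwave report or from BlackByte itself. It builds a magic packet the way any WoL tool does, recognises one in an arbitrary UDP payload, and flags a source that wakes many distinct hosts in a row, which is the worm-like pattern described above. The MAC addresses, source IPs and the sweep threshold are constructed for the example.

```python
import re
import socket

SYNC_STREAM = b"\xff" * 6  # every magic packet starts with six 0xFF bytes
MAC_REPEATS = 16           # followed by the target MAC address repeated 16 times
MAGIC_LEN = len(SYNC_STREAM) + 6 * MAC_REPEATS  # 102 bytes; some tools append a password

# Constructed sample MAC address (not taken from the report).
SAMPLE_MAC = "00:11:22:33:44:55"


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte wake-on-LAN payload: FF*6 then the MAC repeated 16 times."""
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS


def extract_wol_target(payload: bytes):
    """Return the target MAC (colon form) if payload is a well-formed magic packet, else None.

    Only the first 102 bytes are checked, so a trailing SecureOn password is tolerated.
    A detection rule can call this on any UDP datagram addressed to a broadcast address.
    """
    if len(payload) < MAGIC_LEN or payload[:6] != SYNC_STREAM:
        return None
    body = payload[6:MAGIC_LEN]
    mac = body[:6]
    if body != mac * MAC_REPEATS:  # all sixteen copies must be identical
        return None
    return ":".join(f"{b:02x}" for b in mac)


def flag_wol_sweeps(datagrams, threshold=3):
    """Group magic packets by source and return {source_ip: sorted target MACs}
    for every source that tried to wake at least `threshold` distinct hosts.

    `datagrams` is an iterable of (source_ip, udp_payload) pairs, e.g. from a pcap.
    """
    targets = {}
    for src, payload in datagrams:
        mac = extract_wol_target(payload)
        if mac is not None:
            targets.setdefault(src, set()).add(mac)
    return {src: sorted(macs) for src, macs in targets.items() if len(macs) >= threshold}


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet the way a WoL tool does. Not exercised offline: it hits the network."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


# Constructed sample traffic: one host sweeping four neighbours, one host doing a single
# legitimate wake, and one unrelated UDP datagram.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:01")),
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:02")),
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:03")),
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:04")),
    ("10.0.0.9", build_magic_packet("00:11:22:33:44:05")),
    ("10.0.0.9", b"not a magic packet"),
]


if __name__ == "__main__":
    print("sample packet:", build_magic_packet(SAMPLE_MAC).hex())
    print("parsed target:", extract_wol_target(build_magic_packet(SAMPLE_MAC)))
    for src, macs in flag_wol_sweeps(SAMPLE_DATAGRAMS).items():
        print(f"{src} woke {len(macs)} distinct hosts: {', '.join(macs)}")
```

The threshold and the per-source grouping are the only judgement calls; a single magic packet is normal administrative traffic, whereas one workstation emitting magic packets for many different MAC addresses in a short window is the behaviour worth alerting on.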