Ransomware Report


Title: Analysis of the BlackBit ransomware (encrypts files and appends the .BlackBit extension)
Registration date: 2022-11-01
Views: 16143

[BlackBit ransomware]

[Virus/Malware Activity Report: BlackBit Ransomware]

Following an incident believed to involve the BlackBit ransomware, we have analysed the sample
and issue the following warning.

BlackBit Ransomware

The ransomware in question is called BlackBit. It renames every file it encrypts to [GreenMonkey@onionmail.org][private key]<original name>.<original extension>.BlackBit, i.e. it prepends the attacker's contact address and a bracketed identifier (labelled "private key" in this report) and appends the .BlackBit extension.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Registering a startup program in the registry and executing a specific command

    Copies the ransomware executable, registers the copy in a startup-program registry key so that it runs at logon, and then runs a .bat file whose command disables Task Manager.


    [Figure 3 Startup program registry registration]


    [Figure 4 Execution of specific command]

  • Schedule with Task Scheduler

    Copies the ransomware body to %AppData% (the user's AppData\Roaming folder) and registers it as a task in Task Scheduler so that it is launched again later.


    [Figure 5 Registration in Task Scheduler]
    [Figure 6 Registration in Task Scheduler]
    [Figure 7 Registration in Task Scheduler]

  • Turn off Windows Firewall

    To weaken the host's defences, it turns off Windows Firewall.


    [Figure 8 Disable Windows Firewall]

  • Turn off Windows Recovery

    Disables Windows' built-in recovery features and deletes the volume shadow copies so that files cannot be restored from them.


    [Figure 9 Disabling Windows recovery function]
    [Figure 10 Disabling Windows recovery function]

  • Turn off Windows Defender feature

    To weaken the host's defences further, it disables the Windows Defender features.


    [Figure 11 Disabling Windows Defender function]
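The five behaviours above (startup-registry persistence plus Task Manager disabled, a scheduled task, firewall off, shadow copies and recovery removed, Defender off) are a recognisable chain in process-creation telemetry. The following is an added example, not code from this report or from Everyzone, that runs simple rules over constructed Sysmon-style events and alerts only when several of the behaviours appear under one parent process. The command lines matched are the commonly used ways to achieve each behaviour; the report's figures are not reproduced here, so the exact commands are assumptions, not confirmed BlackBit indicators, and the sample events are constructed.

```python
"""Correlate BlackBit-style pre-encryption behaviours in process-creation logs.

Added example for this report (not Everyzone's or the ransomware's code). The
command lines below are assumptions: the usual commands for each behaviour the
report describes, not commands confirmed from its figures.
"""
import re
from collections import defaultdict

# One regex per behaviour in the report, tagged with a short name.
RULES = {
    "persistence.run_key":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I),
    "persistence.scheduled_task":
        re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I),
    "evasion.disable_taskmgr":
        re.compile(r"\bDisableTaskMgr\b", re.I),
    "evasion.firewall_off":
        re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "recovery.shadow_copies":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "recovery.boot_recovery":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "evasion.defender_off":
        re.compile(r"Set-MpPreference\s+-Disable\w+|\bDisableAntiSpyware\b|\bDisableRealtimeMonitoring\b", re.I),
}

# An executable launched from the roaming profile (where the report says the body is
# copied) is worth a tag on its own, even with an innocuous command line.
ROAMING_IMAGE = re.compile(r"\\AppData\\Roaming\\", re.I)


def classify(event):
    """Return the sorted list of behaviour tags that one event matches."""
    cmd = event.get("cmdline", "")
    tags = [name for name, rx in RULES.items() if rx.search(cmd)]
    if ROAMING_IMAGE.search(event.get("image", "")):
        tags.append("staging.roaming_appdata")
    return sorted(tags)


def correlate(events, threshold=3):
    """Group tags by (host, parent pid); alert when the chain is long enough.

    A lone 'vssadmin delete shadows' is noisy (backup agents do it too), but
    three or more distinct behaviours under one parent is the pre-encryption
    pattern this report describes.
    """
    chains = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            chains[(ev["host"], ev["ppid"])].add(tag)
    return {key: sorted(tags) for key, tags in chains.items() if len(tags) >= threshold}


# Constructed sample log in a Sysmon Event ID 1-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d "C:\Users\u\AppData\Roaming\svc.exe" /f'},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn svc /tr "C:\Users\u\AppData\Roaming\svc.exe" /f'},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"host": "WS01", "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # Benign noise: a backup agent pruning shadow copies on another host.
    {"host": "FS02", "ppid": 900, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
]

if __name__ == "__main__":
    for (host, ppid), tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host} parent pid {ppid}: {', '.join(tags)}")
```

The per-event tags are deliberately weak signals; the value is in `correlate`, which only raises the alert for WS01, where eight distinct behaviours share a parent, and stays silent for the file server's single shadow-copy deletion.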

Infection results

The ransomware runs from the location where it was first launched, and in addition installs itself in two fallback locations so that encryption still takes place if the first copy is stopped: <%AppData%\Roaming (Task Scheduler entry plus a copy of the executable)> and <startup-program registry entry plus a copy of the executable>. During encryption, files are renamed to <[GreenMonkey@onionmail.org][private key]<original name>.<original extension>.BlackBit>.


[Figure 12 Infection result 1]


[Figure 13 Infection result 2]


[Figure 14 Infection result 3]
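The renaming pattern stated in the description of the ransomware and again in the infection results is the quickest way to scope an incident: every encrypted file carries the contact address and the bracketed identifier in its name, and the original name survives intact between the second bracket and the .BlackBit suffix. The following is an added example, not code from this report or from Everyzone, that parses that pattern from a constructed list of file names and summarises what was hit. It assumes the second bracket holds an opaque per-victim string (the report labels it "private key") and that original names may themselves contain dots and square brackets.

```python
"""Recognise BlackBit-renamed files and recover their original names.

Added example for this report (not Everyzone's or the ransomware's code).
Assumption: the bracketed "private key" field is an opaque string with no
']' inside it; the original name is everything up to the final '.BlackBit'.
"""
import re
from collections import Counter

# [<contact email>][<identifier>]<original name>.<original ext>.BlackBit
BLACKBIT_NAME = re.compile(
    r"^\[(?P<email>[^\]]+)\]\[(?P<victim_id>[^\]]+)\](?P<original>.+)\.BlackBit$",
    re.I,
)


def parse_encrypted_name(name):
    """Return the fields of a BlackBit-style file name, or None if it does not match."""
    m = BLACKBIT_NAME.match(name)
    if not m:
        return None
    original = m.group("original")
    # Split on the LAST dot so names like "report[final].v2.xlsx" keep "xlsx".
    stem, dot, ext = original.rpartition(".")
    return {
        "email": m.group("email"),
        "victim_id": m.group("victim_id"),
        "original_name": original,
        "original_ext": ext if dot else "",
    }


def triage(names):
    """Summarise a list of file names: which are encrypted, by whom, and what types were hit."""
    hits = [(n, parse_encrypted_name(n)) for n in names]
    encrypted = [(n, p) for n, p in hits if p]
    return {
        "encrypted_count": len(encrypted),
        "untouched_count": len(names) - len(encrypted),
        "contacts": sorted({p["email"] for _, p in encrypted}),
        "victim_ids": sorted({p["victim_id"] for _, p in encrypted}),
        "extensions": dict(Counter(p["original_ext"] for _, p in encrypted)),
        "restore_map": {n: p["original_name"] for n, p in encrypted},
    }


# Constructed sample directory listing; not taken from the report's figures.
SAMPLE_NAMES = [
    "[GreenMonkey@onionmail.org][AB12CD34]report[final].v2.xlsx.BlackBit",
    "[GreenMonkey@onionmail.org][AB12CD34]budget.docx.BlackBit",
    "[GreenMonkey@onionmail.org][AB12CD34]README.BlackBit",   # no original extension
    "Restore-My-Files.txt",                                  # ransom note, untouched
    "desktop.ini",                                           # untouched system file
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAMES).items():
        print(f"{key}: {value}")
```

`restore_map` is what a responder wants once clean copies are recovered from backup: it gives the original path for every encrypted name without trusting anything in the file body. Note that an unencrypted file whose real name happens to start with `[...][...]` and end in `.BlackBit` would also match; the name pattern is a scoping aid, not proof of encryption.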

White Defender response

White Defender blocks the BlackBit ransomware and, for any files it attempted to encrypt before being stopped, automatically restores them in real time.


[Figure 15 Block message]


[Figure 16 Block message]
[Figure 17 Block message]


Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright © Everyzone, Inc. All Rights Reserved.