BlackByte Ransomware Picks Up Where Conti and Sodinokibi Left Off (Security News, October 2022)
Symantec refers to both the BlackByte group and the BlackByte ransomware by the same name.
Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to profit from this gap in the market.
The fact that actors are now creating custom tools for use in BlackByte ransomware attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.
In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.
Symantec also observed attackers using publicly available tools prior to deploying the ransomware payload: AdFind, NetScan and PowerView for reconnaissance and Active Directory querying, and the AnyDesk remote-access tool for persistent interactive access. "Identifying and enumerating these tools matters because their use represents an early stage warning sign that a ransomware attack is in preparation," said O'Brien.
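The point above is that these tools are worth hunting for on their own, before any encryption starts. The following is an added example (not Symantec's code and not part of the original article) of how a detection engineer might flag that staging activity from process-creation telemetry. The log events, host names and command lines are constructed for illustration; the indicator patterns are assumptions based on each tool's usual binary name, PowerView cmdlet names and AdFind's `-f objectcategory=` filter syntax, not indicators published on this page. A host that runs two or more distinct precursor tools is raised as a staging alert.

```python
"""Flag hosts where ransomware precursor tools (AdFind, PowerView, NetScan,
AnyDesk) are executed. Added example; patterns and sample events are
assumptions constructed for illustration, not indicators from the article."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicator regexes (assumed, not from the page). AdFind is also matched on its
# '-f objectcategory=' argument so a renamed binary still triggers; PowerView is
# matched on its well-known cmdlet names as well as the script name.
TOOL_PATTERNS = {
    "AdFind": re.compile(r"\badfind(?:\.exe)?\b|-f\s+\S*objectcategory=", re.I),
    "PowerView": re.compile(
        r"\bPowerView\b|\b(?:Get-Net(?:User|Computer|Group|Session|Share)s?"
        r"|Get-Domain(?:User|Computer|Group|Trust)"
        r"|Invoke-(?:ShareFinder|UserHunter))\b", re.I),
    "NetScan": re.compile(r"\bnetscan(?:\.exe)?\b", re.I),
    "AnyDesk": re.compile(r"\banydesk(?:\.exe)?\b", re.I),
}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (hypothetical, Sysmon-EID-1-like)."""
    host: str
    ts: str
    image: str
    cmdline: str


# Constructed sample telemetry: one host staging three tools, one host with a
# lone remote-access tool, one benign host, and a renamed AdFind binary.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "2022-10-03T09:12:04Z", r"C:\Tools\adfind.exe",
              r"C:\Tools\adfind.exe -f objectcategory=computer -csv name operatingSystem"),
    ProcEvent("WS01", "2022-10-03T09:15:41Z", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -exec bypass -c "Import-Module .\PowerView.ps1; '
              r'Get-DomainComputer -Properties dnshostname"'),
    ProcEvent("WS01", "2022-10-03T09:40:12Z", r"C:\Users\Public\netscan.exe",
              r"C:\Users\Public\netscan.exe /hide /auto:scan.xml"),
    ProcEvent("SRV02", "2022-10-03T10:02:55Z", r"C:\Program Files\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files\AnyDesk\AnyDesk.exe" --service'),
    ProcEvent("SRV03", "2022-10-03T10:05:00Z", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent("WS01", "2022-10-03T10:21:37Z", r"C:\Users\Public\a.exe",
              r"C:\Users\Public\a.exe -f objectcategory=person -csv samaccountname"),
]


def classify(cmdline: str) -> set[str]:
    """Return the set of precursor tools whose indicators match the command line."""
    return {tool for tool, pat in TOOL_PATTERNS.items() if pat.search(cmdline)}


def staging_alerts(events, min_tools: int = 2) -> dict[str, list[str]]:
    """Map host -> sorted tool names for hosts that ran at least min_tools
    distinct precursor tools. Several different tools on one host is a
    stronger staging signal than repeated runs of a single tool."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        seen[ev.host] |= classify(ev.cmdline)
    return {host: sorted(tools) for host, tools in seen.items() if len(tools) >= min_tools}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = classify(ev.cmdline)
        if hits:
            print(f"{ev.ts} {ev.host}: {', '.join(sorted(hits))} <- {ev.cmdline}")
    for host, tools in staging_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: possible ransomware staging, tools seen: {tools}")
```

Name-based matching alone is brittle (the renamed `a.exe` in the sample would be missed without the argument pattern), so in practice the same logic should also be fed by binary hashes or signer information, and the threshold should be tuned against how often legitimate administrators on the estate use AdFind or AnyDesk.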
Recent attacks have used version 2.0 of the BlackByte payload. On execution, the ransomware payload itself appears to download and save debugging symbols from Microsoft.