Menu
Browse

Cyber Threat Actor: BlackByte

Actor Type Location Known Incidents
 Icon
Criminal
3 incidents
Profile

The BlackByte ransomware group, also known as BlackByte, operates as a financially motivated cybercriminal entity targeting organizations across multiple sectors and regions. Publicly reported incidents demonstrate their focus on education, government, healthcare, manufacturing, legal services, and critical infrastructure, with victims spanning Latin America (Argentina, Peru, Chile, Mexico), the United States, and Europe. Their operations consistently follow a double extortion model—exfiltrating sensitive data before encrypting victim systems—and leverage dedicated leak sites to pressure organizations into paying ransoms. Financial demands vary significantly, ranging from $150,000 for La Piamontesa in 2022 to $400,000 for the City of Augusta in 2023, with additional tiered options allowing third-party data purchases or deletion extensions.

Technical reporting indicates BlackByte exploits network vulnerabilities for initial access, employs custom ransomware variants, and has adapted its tooling over time. Early versions contained cryptographic flaws enabling free decryption, but subsequent iterations like BlackByte 2.0 introduced refined extortion techniques and evasion methods, including bring your own vulnerable driver (BYOVD) attacks to disable security software. The group has conducted high-impact attacks against prominent targets such as the NFL's San Francisco 49ers in 2022—disrupting corporate IT systems before Super Bowl weekend—and the City of Augusta, where threat actors leaked payroll records, contracts, and budget documents. Healthcare providers like Vermont's Lamoille Health Partners and Pennsylvania's Gateway Rehab faced significant data exposure, including patient treatment records and employee information. BlackByte maintains no publicly confirmed state affiliations and operates exclusively for criminal profit, with FBI advisories linking them to critical infrastructure breaches. Their persistent regional targeting of Latin American educational institutions, including Peru's Universidad Nacional De Educacion and Colombia's Universidad Piloto, underscores operational consistency despite victim recovery efforts and law enforcement scrutiny.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
12 sources