BlackByte

BlackByte, also known as BlackByte 2.0, operates as a ransomware group headquartered in the United Kingdom. The group's core activity involves deploying ransomware to compromise victim systems, encrypting data, and demanding payment for decryption keys. A significant aspect of their operation is the theft of sensitive data prior to encryption, which they leverage for extortion. BlackByte utilizes a dedicated Tor-based data leak site to publish stolen information from victims who refuse to pay, directly threatening organizations with public exposure of their confidential data. Their primary market appears to be organizations possessing valuable or sensitive information susceptible to extortion pressure, though specific industry targeting beyond this general approach is not detailed in the provided source.

A distinguishing feature of BlackByte 2.0's operation, observed during their reemergence in August 2022, is the adoption of sophisticated extortion tactics modeled after the LockBit ransomware gang. The group actively promoted their data leak site through hacker forums and controlled social media accounts, specifically Twitter. They offered victims multiple payment options beyond simple decryption, including paying to delay the publication of stolen data, paying to download the stolen information themselves, or paying to have the stolen data destroyed entirely. Pricing for these services was reportedly scaled based on the victim organization's size. However, cybersecurity analysts noted that technical flaws in embedding cryptocurrency payment addresses rendered these advanced payment features non-functional at that time. Analysts assessed that while BlackByte aimed to monetize stolen data through direct victim payments or sales to third parties, their approach largely mirrored LockBit's strategies which were often seen as more symbolic than providing genuine practical enhancements to the extortion process.