Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Sigma rule (View on GitHub)
1title: Blackbyte Ransomware Registry
2id: 83314318-052a-4c90-a1ad-660ece38d276
3status: test
4description: |
5 Detects specific windows registry modifications made by BlackByte ransomware variants.
6 BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
7 This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
8references:
9 - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
10 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
11author: frack113
12date: 2022-01-24
13modified: 2025-10-21
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.t1112
18 - detection.emerging-threats
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 selection:
24 TargetObject:
25 - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
26 - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
27 - 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
28 Details: 'DWORD (0x00000001)'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
-
BlackByte ransomware leverages ProxyShell Microsoft Exchange vulnerabilities for initial access and Cobalt Strike for lateral movement.
Read More -
During a recent malware incident response case, we encountered an interesting piece of ransomware that goes by the name of BlackByte.
Read More
Related rules
- Blue Mockingbird
- FlowCloud Registry Markers
- OceanLotus Registry Activity
- OilRig APT Activity
- OilRig APT Registry Persistence