Blackbit Ransomware

BlackBit Ransomware: A Threat from the Shadows of LokiLocker

The Increasing Menace of Small Ransomware Syndicates

In recent years, ransomware operations have emerged as highly profitable cybercrime schemes. Numerous companies have suffered immense financial, data, and reputation losses due to such attacks. Typically, cybersecurity researchers tend to concentrate on prominent ransomware groups that run extensive Ransomware-as-a-Service (RaaS) operations. These groups usually comprise highly skilled developers and cybercriminals, sometimes even receiving backing from state-sponsored entities.

The abundance of technical information on ransomware operations has led to the emergence of new players in this space. Despite lacking a data leak blog or engaging in high volumes of activities, these groups are developing their toolkits and evolving their tactics to target larger organizations without much attention from cybersecurity experts.

Cyble Research and Intelligence Lab (CRIL) noticed one such variant of ransomware, BlackBit. In September 2022, BlackBit ransomware was first discovered. The absence of any leak site activity implies that the ransomware is not currently extracting data from victim systems. We suspect that it may still be in its early stages of operation.

AhnLab recently published an article indicating that this particular ransomware is being distributed in Korea. BlackBit Ransomware is a LokiLocker ransomware variant that works on the RaaS model. The source code of the BlackBit indicates the ransomware is a copy of the LokiLocker with some cosmetic changes such as icons, name, color scheme, etc.

BlackBit ransomware is a sophisticated strain with several capabilities to establish persistence, defense evasion, and impair recovery. Additionally, it incorporates three distinct methods for presenting payment information to the victim. The methods include dropping ransom notes, displaying pop-ups when the victim tries to open encrypted files, and presenting an HTA page via mshta.exe.

Technical Details

The ransomware binary we analyzed is a 32-bit executable built using a .NET compiler and protected with .NET Reactor. The file is named “svchost.exe” and has a SHA256 hash of 1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f. In addition to being packed, the ransomware employs virtual functions and multithreading techniques to complicate analysis.

More information on the BlackBit Ransomware file is provided in the figure below.

Figure 1 – Static Details of the BlackBit Ransomware Executable

Kill Switch

When the ransomware is executed, it first checks the keyboard layout of the victim’s system using a killswitch. If the system language is determined to be Persian, the ransomware terminates itself. However, if the language is not Persian, the ransomware proceeds with further operations. The figure below shows the ransomware is comparing the system language with “Persian”.

Figure 2 – BlackBit Ransomware KillSwitch


Once the ransomware has identified a system to infect, it creates a mutex object and locks it to ensure that only one instance of the ransomware is running at any given time. This helps to prevent conflicts between multiple instances of ransomware and ensures that the ransomware is executed in a controlled and predictable manner.

The figure below shows the ransomware successfully Locking mutex.

Figure 3 – BlackBit Locking the Mutex


Subsequently, the ransomware establishes persistence on the infected system by copying itself to various locations. Specifically, it drops a copy of itself in the “C:\ProgramData\” and “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folders and renames itself as “winlogon.exe”. This ensures that the ransomware is executed automatically when the system starts, or the user logs in. The figure below shows that the ransomware drops itself into the startup folder.

Figure 4 – BlackBit Creating Startup Entry

After establishing the startup entry, it copies itself within the “C:\Users<user>\AppData\Roaming” folder, disguised as “winlogon.exe”. The ransomware is dropped as a hidden file to conceal its presence, making it invisible to victims. Subsequently, it creates a Task Scheduler entry for the “winlogon.exe” file using the command:

  • schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users<user>\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F

This entry ensures that the ransomware executes each time a user logs into the system.

The below figure shows the Task Scheduler entry created by the BlackBit Ransomware.

Figure 5 – BlackBit Creating Task Scheduler Entry

Impairing Data Recovery

After this, it executes specific commands via cmd.exe to remove all backups from the infected system. BlackBit uses multithreading to execute individual commands to impair recovery, such as deleting shadow copies and system backup. Ransomware also disables recovery mode in the system.

The ransomware uses the following commands to disable data backup:

  • “C:\Windows\System32\cmd.exe” /C vssadmin delete shadows /all /quiet
  • “C:\Windows\System32\cmd.exe” /C wbadmin DELETE SYSTEMSTATEBACKUP
  • “C:\Windows\System32\cmd.exe” /C wmic shadowcopy delete
  • “C:\Windows\System32\cmd.exe” /C wbadmin delete catalog -quiet
  • “C:\Windows\System32\cmd.exe” /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • “C:\Windows\System32\cmd.exe” /C bcdedit /set {default} recoveryenabled no

Disabling Windows Defender and Firewalls

Following the removal of all backups and recovery, the ransomware proceeds to disable windows defender and the system’s firewall. This is achieved by executing a set of commands through a batch file using cmd.exe. Initially, the ransomware employs the following commands to disable Windows Defender:

  • “C:\Windows\System32\cmd.exe” /C netsh advfirewall set currentprofile state off
  • Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring: 0x00000001
  • Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection: 0x00000001
  • Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
  • Set registry value: 0x00000001 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware: 0x00000001

After disabling Windows Defender, the ransomware disables the firewall

  • “C:\Windows\System32\cmd.exe” /C netsh firewall set opmode mode=disable

The figure below shows the BlackBit Code to disable the Windows Defender.

Figure 6 – BlackBit Disabling Windows Defender

Disabling Task Manager

Additionally, BlackBit ransomware also disables the Task Manager to prevent monitoring of system processes and activities. It achieves this by dropping a batch file named “wvtymcow.bat” with a SHA256 hash of 708511c356493e41ca103db51b8df3fb57898ddb2bb7cf4f11560facde9425ed in the startup folder located at “C:\Users<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.

The batch file contains a single command, “REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f”.

The dropped file and the contents of the batch file are shown in the figure below.

Figure 7 – BlackBit Disabling Task Manager in the System

Terminating Processes and Services

While disabling the security software, the ransomware also terminates several processes and stops specific services to ensure effective encryption of the victim’s files. The below table shows the processes targeted by the ransomware.


The ransomware also stops following services.


Staging for encryption

Ransomware creates a registry key HKEY_CURRENT_USER\SOFTWARE\BlackBit, which contains full encryption keys, a public key, and a timer to delete the data, as shown below.

Figure 8 – BlackBit Creating Registry Entry to Store Keys

After creating the registry key, the ransomware drops Cpriv.KTBR at “C:\ProgramData”, which contains the full key in Base64 format. Ransomware also warns not to delete the file as it will result in complete data loss.


Now the BlackBit ransomware proceeds with file encryption. The ransomware encrypts files excluding the extensions .exe, .dll, and .sys, to prevent permanent damage to the system. After encryption, the ransomware renames the filename in the following format.

  • [] [Unique System ID]Actual -FileName.BlackBit

The below figure shows the encrypted files and their extensions.

Figure 9 – Files Encrypted by BlackBit Ransomware

Ransom Note

During the encryption process, BlackBit drops a ransom note named “Restore-My-Files.txt” that contains instructions for the victim to connect with the ransomware operators and includes the system ID for identification.

The figure below displays the ransom note dropped by BlackBit.

Figure 10 – Ransom Note Dropped By BlackBit

In addition to dropping the ransom note, the ransomware also creates the following registry entry :

  • Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BlackBit\OpenWithList

The figure below shows the registry entry for the dujwyavn.exe.

Figure 11 – Registry Entry for BlackBit Extension

This registry ensures that whenever victims try to open a file with a .BlackBit extension, the dujwyavn.exe executes automatically. The file dujwyavn.exe is dropped at C:\ProgramData as a hidden file that pops up a ransom window when the victim tries to open encrypted files.

The figure below shows the pop-up window.

Figure 12 – BlackBit Pop-up Window

When the victim clicks on the OK button, it again opens an HTA file using mshta.exe.

The figure below shows the code for dujwyavn.exe.

Figure 13 – BlackBit Code to execute the Ransom note

The figure below shows the contents of the ransom note shown by mshta.exe.

Figure 14 – Ransom Note shown using mshta.exe

Some interesting behavior observed in this ransomware variant is that it continues to monitor the victim’s system even after encrypting their files, waiting for any new files to be created that can be encrypted. This means that if the victim creates new files or modifies existing ones, the ransomware will immediately encrypt them, adding the “.BlackBit” extension to their filename and locking the victim out of their data. This behavior allows the attackers to maximize the impact of their attack.


BlackBit Ransomware is a dangerous ransomware variant equipped with numerous malicious features. Although the full extent of its impact is not yet clear, our analysis suggests that BlackBit is a variant of LokiLocker ransomware. Ransomware such as BlackBit is on the rise, and we will continue to see more such ransomware in the future.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
  • Refrain from opening untrusted links and email attachments without verifying their authenticity

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network
  • Disconnect external storage devices if connected
  • Inspect system logs for suspicious events

Impact of BlackBit Ransomware

  • Loss of Valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Command and Scripting Interpreter
User Execution
Windows Management Instrumentation
Defense EvasionT1564
Hidden Window
Delete shadow drive data
System Information Discovery 
File and Directory Discovery
Process Discovery
Data encrypted for impact
Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators Indicator  
9d898e39591f9a8b49fa27841acb7392 e9b35995bf772cd11be13bc5c9ac93c846f00405 b8ffd72534056ea89bfd48cbe6efb0b4d627a6284a7b763fdb7dfd070c1049baMD5
d37b49b0a53fd07895ca4dc956cbc459 2f052cc3e64870b8ac28efb2d79bc2b16dff3e8e 43c6aef23a90c742274d6db2148a5cb5027c82e94ba2db4ae4b4184956e370b5MD5
8ead445620033ecee6c426cfbeac214b b04ccaa781be7521d50faa36db269f71ac56af58 cd29a952a51204f2e8744271b822c277b63ad8a54e3a6422e342eb9c53df0bdaMD5

Comments are closed.

Scroll to Top