RTF/BlackByte.DC56!tr.ransom

Analysis

RTF/BlackByte.DC56!tr.ransom is a generic detection for ransom notes created by the BlackByte ransomware trojan.
Since this is a generic detection, malware detected as RTF/BlackByte.DC56!tr.ransom may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is associated with BlackByte ransomware. The ransomware attempts to encrypt a user's data and appends ".blackbyte" to the file extension. A ransom note containing instructions for recovering the user's data is usually dropped in the directories that contain the encrypted files, and as a further side effect it may print secondary ransom notes on any printers reachable within the infected network.

  • This malware has been associated with the following third-party article/advisory:
    https://www.ic3.gov/Media/News/2022/220211.pdf

    The correlation was established by a near/exact database match on one of the samples/IOCs/file hashes listed in the referenced resource.

  • Below is a picture of the ransom note:

    Figure 1: Print bombing ransom note.


  • The following are some of the exact IOCs/file hashes associated with this detection:
    • Md5: 9344afc63753cd5e2ee0ff9aed43dc56
      Sha256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
    • Md5: e2eb5b57a8765856be897b4f6dadca18
      Sha256: 91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

Version Updates

    Date        Version    Detail
    2022-05-31  90.02802
    2022-05-25  90.02622
    2022-02-16  89.09690