
Climbing Mount Everest: Black-Byte Bytes Back?

Earlier reports have linked Everest ransomware to the Everbe 2.0 family, which is composed of the Embrace, PainLocker, EvilLocker and Hyena Locker ransomware. However, after recovering and analysing an Everest ransomware file, it has been assessed with medium confidence that Everest ransomware is related to Black-Byte.

Everest ransomware carries a compilation timestamp of 20 February 2013. The malware dropper is compiled with Microsoft Visual Studio 2010 and contains no debug artifacts. This is unusual for Black-Byte variants, which usually have a compilation timestamp of 2009 or earlier.

The encryption algorithm used by Everest ransomware appears to be based on the Rijndael cipher, as seen in Black-Byte versions before 2012, but seems to have been modified. No public RSA key has been linked to Everest ransomware at this stage, so it is not yet known how the malware authors generate these keys.

This is the first report of an Everest variant. The only other reported instance of Black-Byte was a version with the filename BEBY_BRK or BEBY2. In 2013, a variant called BEBLAC was found on an infected machine in Germany, but that variant is believed to belong to a separate ransomware family, also called "BEBLAC".

Source: Climbing Mount Everest: Black-Byte Bytes Back? – NCC Group Research
