SentinelOne Vs. BlackByte – Kill and Quarantine

Watch how SentinelOne kills and quarantines BlackByte. BlackByte’s highly-obfuscated JS Loader is delivered via multiple methods (watering hole, exploit kit, other malware/frameworks). The obfuscated JavaScript is typically used to prep the victim for further activity (ex: facilitating the modification of firewall rules for exfiltration) as well as receiving/decoding the main payload (encryptor) for execution. The JS Loader modifies various services and system components that may inhibit the encryption process. This includes the disabling of VSS / Volume Shadow Copies as well as disabling MSQL services.

The Loader also targets the Raccine security product specifically, attempting to shut down or circumvent components of that product. BlackByte ransomware started gaining greater visibility in August of 2021, with the unveiling of their victim “data auction”/blog site.