securityboulevard.com
2606:4700:10::6816:39c  Public Scan

URL: https://securityboulevard.com/2022/05/analysis-of-blackbyte-ransomwares-go-based-variants/
Submission: On September 10 via api from IN — Scanned from DE

Form analysis: 3 forms found in the DOM

GET https://securityboulevard.com/

<form action="https://securityboulevard.com/" class="search-form searchform clearfix" method="get">
  <div class="search-wrap">
    <input type="text" placeholder="Search" class="s field" name="s">
    <button class="search-icon" type="submit"></button>
  </div>
</form>

POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1628905/4b9a2bbd-665c-447b-81df-233280dc689e

<form id="hsForm_4b9a2bbd-665c-447b-81df-233280dc689e" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
  action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1628905/4b9a2bbd-665c-447b-81df-233280dc689e"
  class="hs-form-private hsForm_4b9a2bbd-665c-447b-81df-233280dc689e hs-form-4b9a2bbd-665c-447b-81df-233280dc689e hs-form-4b9a2bbd-665c-447b-81df-233280dc689e_719f865c-8100-4b2a-9d27-bacddb174183 hs-form stacked"
  target="target_iframe_4b9a2bbd-665c-447b-81df-233280dc689e" data-instance-id="719f865c-8100-4b2a-9d27-bacddb174183" data-form-id="4b9a2bbd-665c-447b-81df-233280dc689e" data-portal-id="1628905"
  data-test-id="hsForm_4b9a2bbd-665c-447b-81df-233280dc689e">
  <div>
    <div class="hs-richtext hs-main-font-element">
      <p style="color: #fff;">Get breaking news, free eBooks and upcoming events delivered to your inbox.</p>
    </div>
  </div>
  <div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-4b9a2bbd-665c-447b-81df-233280dc689e" class="" placeholder="Enter your " for="email-4b9a2bbd-665c-447b-81df-233280dc689e"><span></span></label>
    <legend class="hs-field-desc" style="display: none;"></legend>
    <div class="input"><input id="email-4b9a2bbd-665c-447b-81df-233280dc689e" name="email" required="" placeholder="Enter your email address*" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
  </div>
  <div>
    <div class="hs-richtext hs-main-font-element">
      <div style="text-align: center;"><a href="https://securityboulevard.com/privacy-policy/" style="color: #fff; font-size: 12px;">View Security Boulevard <u>Privacy Policy</u></a></div>
    </div>
  </div>
  <div>
    <div class="hs-richtext hs-main-font-element">
      <hr style="border: 1px solid #ccc; width: 100%; margin: 20px auto;">
    </div>
  </div>
  <div class="hs_submit hs-submit">
    <div class="hs-field-desc" style="display: none;"></div>
    <div class="actions"><input type="submit" class="hs-button primary large" value="Subscribe Now"></div>
  </div><input name="hs_context" type="hidden"
    value="{&quot;embedAtTimestamp&quot;:&quot;1725958690812&quot;,&quot;formDefinitionUpdatedAt&quot;:&quot;1724698005169&quot;,&quot;clonedFromForm&quot;:&quot;d967bc1f-2d57-4dcf-861d-5930d7bea674&quot;,&quot;renderRawHtml&quot;:&quot;true&quot;,&quot;isLegacyThemeAllowed&quot;:&quot;true&quot;,&quot;userAgent&quot;:&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36&quot;,&quot;pageTitle&quot;:&quot;Analysis of BlackByte Ransomware's Go-Based Variants - Security Boulevard&quot;,&quot;pageUrl&quot;:&quot;https://securityboulevard.com/2022/05/analysis-of-blackbyte-ransomwares-go-based-variants/&quot;,&quot;isHubSpotCmsGeneratedPage&quot;:false,&quot;formTarget&quot;:&quot;#hbspt-form-719f865c-8100-4b2a-9d27-bacddb174183&quot;,&quot;rumScriptExecuteTime&quot;:2043,&quot;rumTotalRequestTime&quot;:2355.800000190735,&quot;rumTotalRenderTime&quot;:2501.800000190735,&quot;rumServiceResponseTime&quot;:312.80000019073486,&quot;rumFormRenderTime&quot;:146,&quot;connectionType&quot;:&quot;4g&quot;,&quot;firstContentfulPaint&quot;:0,&quot;largestContentfulPaint&quot;:0,&quot;locale&quot;:&quot;en&quot;,&quot;timestamp&quot;:1725958691177,&quot;originalEmbedContext&quot;:{&quot;portalId&quot;:&quot;1628905&quot;,&quot;formId&quot;:&quot;4b9a2bbd-665c-447b-81df-233280dc689e&quot;,&quot;region&quot;:&quot;na1&quot;,&quot;target&quot;:&quot;#hbspt-form-719f865c-8100-4b2a-9d27-bacddb174183&quot;,&quot;isBuilder&quot;:false,&quot;isTestPage&quot;:false,&quot;isPreview&quot;:false,&quot;isMobileResponsive&quot;:true},&quot;correlationId&quot;:&quot;719f865c-8100-4b2a-9d27-bacddb174183&quot;,&quot;renderedFieldsIds&quot;:[&quot;email&quot;],&quot;captchaStatus&quot;:&quot;NOT_APPLICABLE&quot;,&quot;emailResubscribeStatus&quot;:&quot;NOT_APPLICABLE&quot;,&quot;isInsideCrossOriginFrame&quot;:false,&quot;source&quot;:&quot;forms-embed-1.5999&quot;,&quot;sourceName&quot;:&quot;forms-embed&quot;,&quot;sourceVersion&quot;:&quot;1.5999
&quot;,&quot;sourceVersionMajor&quot;:&quot;1&quot;,&quot;sourceVersionMinor&quot;:&quot;5999&quot;,&quot;allPageIds&quot;:{},&quot;_debug_embedLogLines&quot;:[{&quot;clientTimestamp&quot;:1725958691028,&quot;level&quot;:&quot;INFO&quot;,&quot;message&quot;:&quot;Retrieved pageContext values which may be overriden by the embed context: {\&quot;pageTitle\&quot;:\&quot;Analysis of BlackByte Ransomware's Go-Based Variants - Security Boulevard\&quot;,\&quot;pageUrl\&quot;:\&quot;https://securityboulevard.com/2022/05/analysis-of-blackbyte-ransomwares-go-based-variants/\&quot;,\&quot;userAgent\&quot;:\&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\&quot;,\&quot;isHubSpotCmsGeneratedPage\&quot;:false}&quot;},{&quot;clientTimestamp&quot;:1725958691029,&quot;level&quot;:&quot;INFO&quot;,&quot;message&quot;:&quot;Retrieved countryCode property from normalized embed definition response: \&quot;DE\&quot;&quot;}]}"><iframe
    name="target_iframe_4b9a2bbd-665c-447b-81df-233280dc689e" style="display: none;"></iframe>
</form>

POST /2022/05/analysis-of-blackbyte-ransomwares-go-based-variants/#gf_43

<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_43" id="gform_43" class="gpoll_enabled gpoll_show_results_link gpoll" action="/2022/05/analysis-of-blackbyte-ransomwares-go-based-variants/#gf_43" data-formid="43"
  novalidate="">
  <div id="gf_progressbar_wrapper_43" class="gf_progressbar_wrapper" data-start-at-zero="">
    <p class="gf_progressbar_title">Step <span class="gf_step_current_page">1</span> of <span class="gf_step_page_count">2</span>
    </p>
    <div class="gf_progressbar gf_progressbar_blue" aria-hidden="true">
      <div class="gf_progressbar_percentage percentbar_blue percentbar_50" style="width: 50%;"><span>50%</span></div>
    </div>
  </div>
  <div class="gform-body gform_body">
    <div id="gform_page_43_1" class="gform_page " data-js="page-field-id-1">
      <div class="gform_page_fields">
        <div id="gform_fields_43" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_16"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-radio gfield--width-full gfield_contains_required field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_16">
            <legend class="gfield_label gform-field-label">Does someone in your organization write software?<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
            <div class="ginput_container ginput_container_radio">
              <div class="gfield_radio" id="input_43_16">
                <div class="gchoice gchoice_43_16_0">
                  <input class="gfield-choice-input" name="input_16" type="radio" value="gpoll16caacbe4a" id="choice_43_16_0" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_16_0" id="label_43_16_0" class="gform-field-label gform-field-label--type-inline">Yes</label>
                </div>
                <div class="gchoice gchoice_43_16_1">
                  <input class="gfield-choice-input" name="input_16" type="radio" value="gpoll1664b4d9cc" id="choice_43_16_1" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_16_1" id="label_43_16_1" class="gform-field-label gform-field-label--type-inline">No</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_next_button_43_18" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;2&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;2&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_2" class="gform_page" data-js="page-field-id-18" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_2" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_4"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-radio gfield--width-full gfield_contains_required field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_4">
            <legend class="gfield_label gform-field-label">What portion of your cyber risk is Application Security (AppSec)? (Select one)<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span>
            </legend>
            <div class="ginput_container ginput_container_radio">
              <div class="gfield_radio" id="input_43_4">
                <div class="gchoice gchoice_43_4_0">
                  <input class="gfield-choice-input" name="input_4" type="radio" value="gpoll4faf11bbd" id="choice_43_4_0" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_4_0" id="label_43_4_0" class="gform-field-label gform-field-label--type-inline">We over-focus on AppSec</label>
                </div>
                <div class="gchoice gchoice_43_4_1">
                  <input class="gfield-choice-input" name="input_4" type="radio" value="gpoll448578a72" id="choice_43_4_1" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_4_1" id="label_43_4_1" class="gform-field-label gform-field-label--type-inline">We focus on AppSec to match the risk</label>
                </div>
                <div class="gchoice gchoice_43_4_2">
                  <input class="gfield-choice-input" name="input_4" type="radio" value="gpoll4192ab952" id="choice_43_4_2" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_4_2" id="label_43_4_2" class="gform-field-label gform-field-label--type-inline">We under-focus on AppSec</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_previous_button_43_10" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;1&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;1&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } "> <input
          type="button" id="gform_next_button_43_10" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;3&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;3&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_3" class="gform_page" data-js="page-field-id-10" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_3" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_53"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-radio gfield--width-full field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_53">
            <legend class="gfield_label gform-field-label">What are the biggest challenges you face implementing a robust AppSec strategy? (Select all that apply)</legend>
            <div class="ginput_container ginput_container_radio">
              <div class="gfield_radio" id="input_43_53">
                <div class="gchoice gchoice_43_53_0">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll5303854668" id="choice_43_53_0" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_0" id="label_43_53_0" class="gform-field-label gform-field-label--type-inline">Lack of budget</label>
                </div>
                <div class="gchoice gchoice_43_53_1">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll53f06d934f" id="choice_43_53_1" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_1" id="label_43_53_1" class="gform-field-label gform-field-label--type-inline">Insufficient skilled personnel</label>
                </div>
                <div class="gchoice gchoice_43_53_2">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll533fcf7fc5" id="choice_43_53_2" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_2" id="label_43_53_2" class="gform-field-label gform-field-label--type-inline">Complexity of integrating security into the development lifecycle</label>
                </div>
                <div class="gchoice gchoice_43_53_3">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll534629eb17" id="choice_43_53_3" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_3" id="label_43_53_3" class="gform-field-label gform-field-label--type-inline">Resistance from development teams</label>
                </div>
                <div class="gchoice gchoice_43_53_4">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll53759e5dc0" id="choice_43_53_4" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_4" id="label_43_53_4" class="gform-field-label gform-field-label--type-inline">Keeping up with evolving security threats</label>
                </div>
                <div class="gchoice gchoice_43_53_5">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll539cf87f76" id="choice_43_53_5" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_5" id="label_43_53_5" class="gform-field-label gform-field-label--type-inline">Lack of executive buy-in</label>
                </div>
                <div class="gchoice gchoice_43_53_6">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gpoll5388843091" id="choice_43_53_6" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_6" id="label_43_53_6" class="gform-field-label gform-field-label--type-inline">Other (please specify)</label>
                </div>
                <div class="gchoice gchoice_43_53_7">
                  <input class="gfield-choice-input" name="input_53" type="radio" value="gf_other_choice" id="choice_43_53_7" onchange="if (!window.__cfRLUnblockHandlers) return false; gformToggleRadioOther( this )">
                  <label for="choice_43_53_7" id="label_43_53_7" class="gform-field-label gform-field-label--type-inline">Other</label><br><input id="input_43_53_other" class="gchoice_other_control" name="input_53_other" type="text" value="Other"
                    aria-label="Other Choice, please specify" disabled="disabled">
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_previous_button_43_44" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;2&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;2&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } "> <input
          type="button" id="gform_next_button_43_44" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;4&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;4&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_4" class="gform_page" data-js="page-field-id-44" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_4" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_50"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-checkbox gfield--width-full gfield_contains_required field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_50">
            <legend class="gfield_label gform-field-label gfield_label_before_complex">Which DevSecOps practices are widely used for actively developed projects (not legacy) (Select all that apply):<span class="gfield_required"><span
                  class="gfield_required gfield_required_text">(Required)</span></span></legend>
            <div class="ginput_container ginput_container_checkbox">
              <div class="gfield_checkbox" id="input_43_50">
                <div class="gchoice gchoice_43_50_1">
                  <input class="gfield-choice-input" name="input_50.1" type="checkbox" value="gpoll4faf11bbd" id="choice_43_50_1">
                  <label for="choice_43_50_1" id="label_43_50_1" class="gform-field-label gform-field-label--type-inline">Automated unit and functional tests for quality run in the pipeline with merge blocking</label>
                </div>
                <div class="gchoice gchoice_43_50_2">
                  <input class="gfield-choice-input" name="input_50.2" type="checkbox" value="gpoll448578a72" id="choice_43_50_2">
                  <label for="choice_43_50_2" id="label_43_50_2" class="gform-field-label gform-field-label--type-inline">Automated application security testing (AST) in development and (SAST/IAST) runs in the pipeline</label>
                </div>
                <div class="gchoice gchoice_43_50_3">
                  <input class="gfield-choice-input" name="input_50.3" type="checkbox" value="gpoll4192ab952" id="choice_43_50_3">
                  <label for="choice_43_50_3" id="label_43_50_3" class="gform-field-label gform-field-label--type-inline">Automated AST tools to find vulnerabilities in the code you import (SCA) run in the pipeline</label>
                </div>
                <div class="gchoice gchoice_43_50_4">
                  <input class="gfield-choice-input" name="input_50.4" type="checkbox" value="gpoll43dc8a903f" id="choice_43_50_4">
                  <label for="choice_43_50_4" id="label_43_50_4" class="gform-field-label gform-field-label--type-inline">Merge blocking at current policy level for AST checks</label>
                </div>
                <div class="gchoice gchoice_43_50_5">
                  <input class="gfield-choice-input" name="input_50.5" type="checkbox" value="gpoll43c635e38e" id="choice_43_50_5">
                  <label for="choice_43_50_5" id="label_43_50_5" class="gform-field-label gform-field-label--type-inline">Secrets management so no secrets stored in source code repositories</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_previous_button_43_48" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;3&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;3&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } "> <input
          type="button" id="gform_next_button_43_48" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;5&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;5&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_5" class="gform_page" data-js="page-field-id-48" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_5" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_55"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-checkbox gfield--width-full field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_55">
            <legend class="gfield_label gform-field-label gfield_label_before_complex">How do you assess and mitigate risk of For NON actively developed products (legacy) (Select all that apply):</legend>
            <div class="ginput_container ginput_container_checkbox">
              <div class="gfield_checkbox" id="input_43_55">
                <div class="gchoice gchoice_43_55_1">
                  <input class="gfield-choice-input" name="input_55.1" type="checkbox" value="gpoll557eebe10c" id="choice_43_55_1">
                  <label for="choice_43_55_1" id="label_43_55_1" class="gform-field-label gform-field-label--type-inline">In-production scans using DAST products like Qualys, Nessus, etc.</label>
                </div>
                <div class="gchoice gchoice_43_55_2">
                  <input class="gfield-choice-input" name="input_55.2" type="checkbox" value="gpoll55d11adf89" id="choice_43_55_2">
                  <label for="choice_43_55_2" id="label_43_55_2" class="gform-field-label gform-field-label--type-inline">Periodic penetration testing</label>
                </div>
                <div class="gchoice gchoice_43_55_3">
                  <input class="gfield-choice-input" name="input_55.3" type="checkbox" value="gpoll55a150209e" id="choice_43_55_3">
                  <label for="choice_43_55_3" id="label_43_55_3" class="gform-field-label gform-field-label--type-inline">Periodic running of AST tools</label>
                </div>
                <div class="gchoice gchoice_43_55_4">
                  <input class="gfield-choice-input" name="input_55.4" type="checkbox" value="gpoll554d09387c" id="choice_43_55_4">
                  <label for="choice_43_55_4" id="label_43_55_4" class="gform-field-label gform-field-label--type-inline">Manual code reviews by security specialists</label>
                </div>
                <div class="gchoice gchoice_43_55_5">
                  <input class="gfield-choice-input" name="input_55.5" type="checkbox" value="gpoll55a7a8bf83" id="choice_43_55_5">
                  <label for="choice_43_55_5" id="label_43_55_5" class="gform-field-label gform-field-label--type-inline">Use of third-party security assessment services</label>
                </div>
                <div class="gchoice gchoice_43_55_6">
                  <input class="gfield-choice-input" name="input_55.6" type="checkbox" value="gpoll55fc2bcf7e" id="choice_43_55_6">
                  <label for="choice_43_55_6" id="label_43_55_6" class="gform-field-label gform-field-label--type-inline">No assessment or mitigation effort is happening</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_previous_button_43_54" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;4&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;4&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } "> <input
          type="button" id="gform_next_button_43_54" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;6&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;6&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_6" class="gform_page" data-js="page-field-id-54" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_6" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_6"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-checkbox gfield--width-full gfield_contains_required field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_6">
            <legend class="gfield_label gform-field-label gfield_label_before_complex">How do you resolve the security issues found? (Select all that apply):<span class="gfield_required"><span
                  class="gfield_required gfield_required_text">(Required)</span></span></legend>
            <div class="ginput_container ginput_container_checkbox">
              <div class="gfield_checkbox" id="input_43_6">
                <div class="gchoice gchoice_43_6_1">
                  <input class="gfield-choice-input" name="input_6.1" type="checkbox" value="gpoll6a77f44ff" id="choice_43_6_1">
                  <label for="choice_43_6_1" id="label_43_6_1" class="gform-field-label gform-field-label--type-inline">Findings are manually triaged</label>
                </div>
                <div class="gchoice gchoice_43_6_2">
                  <input class="gfield-choice-input" name="input_6.2" type="checkbox" value="gpoll6c5446642" id="choice_43_6_2">
                  <label for="choice_43_6_2" id="label_43_6_2" class="gform-field-label gform-field-label--type-inline">Findings are communicated to engineering via mostly manual processes</label>
                </div>
                <div class="gchoice gchoice_43_6_3">
                  <input class="gfield-choice-input" name="input_6.3" type="checkbox" value="gpoll637103aa7" id="choice_43_6_3">
                  <label for="choice_43_6_3" id="label_43_6_3" class="gform-field-label gform-field-label--type-inline">Finding above a certain severity automatically populate engineering backlogs</label>
                </div>
                <div class="gchoice gchoice_43_6_4">
                  <input class="gfield-choice-input" name="input_6.4" type="checkbox" value="gpoll606fb4fba" id="choice_43_6_4">
                  <label for="choice_43_6_4" id="label_43_6_4" class="gform-field-label gform-field-label--type-inline">Service level agreements (SLAs) are enforced based on severity</label>
                </div>
                <div class="gchoice gchoice_43_6_5">
                  <input class="gfield-choice-input" name="input_6.5" type="checkbox" value="gpoll61ac6faab" id="choice_43_6_5">
                  <label for="choice_43_6_5" id="label_43_6_5" class="gform-field-label gform-field-label--type-inline">An exception process exists to allow the business to accept risk</label>
                </div>
                <div class="gchoice gchoice_43_6_6">
                  <input class="gfield-choice-input" name="input_6.6" type="checkbox" value="gpoll644274ebf" id="choice_43_6_6">
                  <label for="choice_43_6_6" id="label_43_6_6" class="gform-field-label gform-field-label--type-inline">The exception process is rarely used and must be renewed periodically</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label">
        <input type="button" id="gform_previous_button_43_35" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;5&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;5&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } "> <input
          type="button" id="gform_next_button_43_35" class="gform_next_button gform-theme-button button" value="Next"
          onclick="if (!window.__cfRLUnblockHandlers) return false; jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;7&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ jQuery(&quot;#gform_target_page_number_43&quot;).val(&quot;7&quot;);  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); } ">
      </div>
    </div>
    <div id="gform_page_43_7" class="gform_page" data-js="page-field-id-35" style="display:none;">
      <div class="gform_page_fields">
        <div id="gform_fields_43_7" class="gform_fields top_label form_sublabel_below description_below validation_below">
          <fieldset id="field_43_51"
            class="gfield gfield--type-poll gfield--type-choice gfield--input-type-checkbox gfield--width-full gfield_contains_required field_sublabel_below gfield--no-description field_description_below field_validation_below gfield_visibility_visible gpoll_field"
            data-field-class="gpoll_field" data-js-reload="field_43_51">
            <legend class="gfield_label gform-field-label gfield_label_before_complex">Which best describes security training for your developers? (Select all that apply)<span class="gfield_required"><span
                  class="gfield_required gfield_required_text">(Required)</span></span></legend>
            <div class="ginput_container ginput_container_checkbox">
              <div class="gfield_checkbox" id="input_43_51">
                <div class="gchoice gchoice_43_51_1">
                  <input class="gfield-choice-input" name="input_51.1" type="checkbox" value="gpoll6a77f44ff" id="choice_43_51_1">
                  <label for="choice_43_51_1" id="label_43_51_1" class="gform-field-label gform-field-label--type-inline">Monthly</label>
                </div>
                <div class="gchoice gchoice_43_51_2">
                  <input class="gfield-choice-input" name="input_51.2" type="checkbox" value="gpoll6c5446642" id="choice_43_51_2">
                  <label for="choice_43_51_2" id="label_43_51_2" class="gform-field-label gform-field-label--type-inline">Quarterly</label>
                </div>
                <div class="gchoice gchoice_43_51_3">
                  <input class="gfield-choice-input" name="input_51.3" type="checkbox" value="gpoll637103aa7" id="choice_43_51_3">
                  <label for="choice_43_51_3" id="label_43_51_3" class="gform-field-label gform-field-label--type-inline">Annually</label>
                </div>
                <div class="gchoice gchoice_43_51_4">
                  <input class="gfield-choice-input" name="input_51.4" type="checkbox" value="gpoll606fb4fba" id="choice_43_51_4">
                  <label for="choice_43_51_4" id="label_43_51_4" class="gform-field-label gform-field-label--type-inline">As part of onboarding</label>
                </div>
                <div class="gchoice gchoice_43_51_5">
                  <input class="gfield-choice-input" name="input_51.5" type="checkbox" value="gpoll61ac6faab" id="choice_43_51_5">
                  <label for="choice_43_51_5" id="label_43_51_5" class="gform-field-label gform-field-label--type-inline">Just-in-time via integration with AST tools when a vulnerability is found</label>
                </div>
                <div class="gchoice gchoice_43_51_6">
                  <input class="gfield-choice-input" name="input_51.6" type="checkbox" value="gpoll5196126385" id="choice_43_51_6">
                  <label for="choice_43_51_6" id="label_43_51_6" class="gform-field-label gform-field-label--type-inline">No formal training provided</label>
                </div>
              </div>
            </div>
          </fieldset>
        </div>
      </div>
      <div class="gform_page_footer top_label"><input type="submit" id="gform_previous_button_43" class="gform_previous_button gform-theme-button gform-theme-button--secondary button" value="Previous"
          onclick="if (!window.__cfRLUnblockHandlers) return false; if(window[&quot;gf_submitting_43&quot;]){return false;}  if( !jQuery(&quot;#gform_43&quot;)[0].checkValidity || jQuery(&quot;#gform_43&quot;)[0].checkValidity()){window[&quot;gf_submitting_43&quot;]=true;}  "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_43&quot;]){return false;} if( !jQuery(&quot;#gform_43&quot;)[0].checkValidity || jQuery(&quot;#gform_43&quot;)[0].checkValidity()){window[&quot;gf_submitting_43&quot;]=true;}  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); }">
        <input type="submit" id="gform_submit_button_43" class="gform_button button" value="Submit"
          onclick="if (!window.__cfRLUnblockHandlers) return false; if(window[&quot;gf_submitting_43&quot;]){return false;}  if( !jQuery(&quot;#gform_43&quot;)[0].checkValidity || jQuery(&quot;#gform_43&quot;)[0].checkValidity()){window[&quot;gf_submitting_43&quot;]=true;}  "
          onkeypress="if (!window.__cfRLUnblockHandlers) return false; if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_43&quot;]){return false;} if( !jQuery(&quot;#gform_43&quot;)[0].checkValidity || jQuery(&quot;#gform_43&quot;)[0].checkValidity()){window[&quot;gf_submitting_43&quot;]=true;}  jQuery(&quot;#gform_43&quot;).trigger(&quot;submit&quot;,[true]); }"
          data-conditional-logic="visible"> <input type="hidden" name="gform_ajax" value="form_id=43&amp;title=&amp;description=1&amp;tabindex=0&amp;theme=gravity-theme">
        <input type="hidden" class="gform_hidden" name="is_submit_43" value="1">
        <input type="hidden" class="gform_hidden" name="gform_submit" value="43">
        <input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
        <input type="hidden" class="gform_hidden" name="state_43"
          value="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">
        <input type="hidden" class="gform_hidden" name="gform_target_page_number_43" id="gform_target_page_number_43" value="2">
        <input type="hidden" class="gform_hidden" name="gform_source_page_number_43" id="gform_source_page_number_43" value="1">
        <input type="hidden" name="gform_field_values" value="">
        <a href="javascript:void(0)" class="gpoll_button gform-theme-button gform-theme-button--secondary button" target="_blank">View results</a>
        <div class="gpoll_summary"></div>
      </div>
    </div>
  </div>
  <p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js"
      value="1725958690731">
    <script type="text/javascript">
      document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
    </script>
  </p>
</form>

Text Content


SECURITY BOULEVARD

The Home of the Security Bloggers Network




ANALYSIS OF BLACKBYTE RANSOMWARE’S GO-BASED VARIANTS

by Javier Vicente on May 3, 2022

Key Points

 * BlackByte is a full-featured ransomware family that first emerged around
   July 2021
 * The ransomware was originally written in C# and later redeveloped in the Go
   programming language around September 2021
 * The threat group exfiltrates data prior to deploying ransomware and leaks the
   stolen information if a ransom is not paid
 * The group has demanded multi-million dollar ransoms from some victims
 * BlackByte ransomware employs various anti-analysis techniques including a
   multitude of dynamic string obfuscation algorithms
 * In early versions of the ransomware, file encryption utilized a hardcoded
   1,024-bit RSA public key along with a 128-bit AES key that was derived from a
   file retrieved from a command and control server
 * More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography
   (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption

Introduction



BlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting
corporations worldwide since July 2021. Previous versions of the ransomware were
written in C#. More recently, the authors redeveloped the ransomware using the
Go programming language. The BlackByte Go variant was used in attacks described
in an FBI advisory that warned BlackByte had compromised numerous businesses,
including entities in US critical infrastructure sectors. In this post, Zscaler
ThreatLabz analyzes two variants of the Go-based implementation of BlackByte
ransomware.

Technical Analysis



Variants

ThreatLabz has identified two variants of the Go-based implementation of
BlackByte. The first variant was seen in the wild around September 2021 and
shares many similarities with the C# version, including the commands executed
to perform lateral propagation and privilege escalation, and the file
encryption algorithms. A more recent Go-based variant was introduced around
February 2022. This new variant introduced many additional features and updated
the file encryption algorithms. In this blog, for brevity, the Go-based
BlackByte variant 1 will be referred to as BlackByte v1 and the second variant
will be referred to as BlackByte v2.

Initialization

Before BlackByte performs file encryption, the ransomware first performs
initialization. Most of these initialization functions are very similar or
identical to the C# variant of BlackByte.

Mutex Creation

BlackByte creates a mutex using a value that is hardcoded in the malware, for
example: Global\7b55551e-a59c-4252-a34a-5c80372b3014. If the mutex exists,
BlackByte will terminate. This ensures that there is only one active instance of
BlackByte running at a time.

Identify System Language

BlackByte ransomware resolves the victim's system language by comparing the
language ID values with those shown in Table 1. If the system language matches
any from this list, BlackByte will exit without performing file encryption.

Language ID | Language
1049 | Russian
1058 | Ukrainian
1059 | Belarusian
1064 | Tajik
1067 | Armenian
1068 | Azerbaijani Latin
1079 | Georgian
1087 | Kazakh
1090 | Turkmen
1091 | Uzbek Latin
2092 | Azerbaijani Cyrillic
2115 | Uzbek Cyrillic

Table 1. System languages avoided by BlackByte ransomware

These languages are specifically avoided by BlackByte to prevent encrypting
files on systems that are located in Commonwealth of Independent States (CIS)
countries. This likely indicates that the threat actors behind BlackByte are
located in Eastern Europe and/or Russia. This is designed to reduce the threat
that local law enforcement in those regions will pursue criminal prosecution
against those responsible for BlackByte.

Enable Long Paths

The malware executes the following command to avoid issues that may occur when
encrypting files with long path names:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Disable Controlled Folder Access

BlackByte executes the following command to disable controlled folder access:

Set-MpPreference -EnableControlledFolderAccess Disabled

The Windows controlled folder access feature is designed to protect data from
malicious applications such as ransomware. When enabled, files located in the
specified protected folders cannot be modified by unauthorized applications.

Delete Shadow Copies

Similar to other ransomware families, BlackByte deletes shadow copies to prevent
a victim from easily recovering files from backups. There are two methods that
BlackByte uses to delete shadow copies. The first executes the following
PowerShell command:

$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+ 'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+ 'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x

The Base64-encoded string decodes to the following: Get-WmiObject
Win32_Shadowcopy | ForEach-Object {$_.Delete();}

BlackByte also executes the following commands for each drive to delete shadow
copies:

C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=401MB
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=unbounded

Process Termination and Stop / Start Services

The following commands are executed by BlackByte to stop services that may
hinder file encryption:

C:\WINDOWS\system32\sc.exe config SQLTELEMETRY start= disabled
C:\WINDOWS\system32\sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
C:\WINDOWS\system32\sc.exe config SQLWriter start= disabled
C:\WINDOWS\system32\sc.exe config SstpSvc start= disabled
C:\WINDOWS\system32\sc.exe config MBAMService start= disabled
C:\WINDOWS\system32\sc.exe config wuauserv start= disabled

BlackByte will also start the following services:

C:\WINDOWS\system32\sc.exe config Dnscache start= auto
C:\WINDOWS\system32\sc.exe config fdPHost start= auto
C:\WINDOWS\system32\sc.exe config FDResPub start= auto
C:\WINDOWS\system32\sc.exe config SSDPSRV start= auto
C:\WINDOWS\system32\sc.exe config upnphost start= auto
C:\WINDOWS\system32\sc.exe config RemoteRegistry start= auto

BlackByte ransomware terminates the following processes shown in Table 2 at the
beginning of the execution:

uranium | processhacker | procmon | pestudio | procmon64
x32dbg | x64dbg | cffexplorer | procexp64 | procexp
pslist | tcpview | tcpvcon | dbgview | rammap
rammap64 | vmmap | ollydbg | autoruns | autorunsc
regmon | idaq | idaq64 | immunitydebugger | wireshark
dumpcap | hookexplorer | importrec | petools | lordpe
sysinspector | proc_analyzer | sysanalyzer | sniff_hit | windbg
joeboxcontrol | joeboxserver | joeboxserver | resourcehacker | fiddler
httpdebugger | dumpit | rammap | rammap64 | vmmap
agntsvc | cntaosmgr | dbeng50 | dbsnmp | encsvc
excel | firefox | firefoxconfig | infopath | isqlplussvc
mbamtray | msaccess | msftesql | mspub | mydesktopqos
mydesktopservice | mysqld | mysqld-nt | mysqld-opt | Ntrtscan
ocautoupds | ocomm | ocssd | onenote | oracle
outlook | PccNTMon | powerpnt | sqbcoreservice | sql
sqlagent | sqlbrowser | sqlservr | sqlwriter | steam
synctime | tbirdconfig | thebat | thebat64 | thunderbird
tmlisten | visio | winword | wordpad | xfssvccon
zoolz | veeam | backup | sql | memtas
vss | sophos | svc$ | mepocs | wuauserv
filemon

Table 2. Process names terminated by BlackByte ransomware

Many of these process names are related to business applications. BlackByte
kills these processes to avoid open file handle permission issues when
performing file encryption of the victim's files. In addition, the list contains
a large number of malware analyst tools that can be used to reverse engineer the
functionality of the ransomware.

BlackByte also terminates the following services that are associated with
antivirus products, backup software, and business applications including
financial software, email clients, and databases as shown below in Table 3.

klvssbridge64 | vapiendpoint | ShMonitor | Smcinst | SmcService
SntpService | svcGenericHost | swi_ | TmCCSF | tmlisten
TrueKey | TrueKeyScheduler | TrueKeyServiceHelper | WRSVC | McTaskManager
OracleClientCache80 | mfefire | wbengine | mfemms | RESvc
mfevtp | sacsvr | SAVAdminService | SAVService | SepMasterService
PDVFSService | ESHASRV | SDRSVC | FA_Scheduler | KAVFS
KAVFSGT | kavfsslp | klnagent | macmnsvc | masvc
MBAMService | MBEndpointAgent | McShield | audioendpointbuilder | Antivirus
AVP | DCAgent | bedbg | EhttpSrv | MMS
ekrn | EPSecurityService | EPUpdateService | ntrtscan | EsgShKernel
msexchangeadtopology | AcrSch2Svc | MSOLAP$TPSAMA | Intel(R) PROSet Monitoring | msexchangeimap4
ARSM | unistoresvc_1af40a | ReportServer$TPS | MSOLAP$SYSTEM_BGC | W3Svc
MSExchangeSRS | ReportServer$TPSAMA | Zoolz 2 Service | MSOLAP$TPS | aphidmonitorservice
SstpSvc | MSExchangeMTA | ReportServer$SYSTEM_BGC | Symantec System Recovery | UI0Detect
MSExchangeSA | MSExchangeIS | ReportServer | MsDtsServer110 | POP3Svc
MSExchangeMGMT | SMTPSvc | MsDtsServer | IisAdmin | MSExchangeES
EraserSvc11710 | Enterprise Client Service | MsDtsServer100 | NetMsmqActivator | stc_raw_agent
VSNAPVSS | PDVFSService | AcrSch2Svc | Acronis | CASAD2DWebSvc
CAARCUpdateSvc | McAfee | avpsus | DLPAgentService | mfewc
BMR Boot Service | DefWatch | ccEvtMgr | ccSetMgr | SavRoam
RTVscan | QBFCService | QBIDPService | Intuit.QuickBooks.FCS | QBCFMonitorService
YooIT | zhudongfangyu

Table 3. Service names terminated by BlackByte ransomware

Windows Firewall

BlackByte disables the Windows firewall via the command:

netsh advfirewall set allprofiles state off

Windows Defender

The ransomware executes the following command to delete task manager, resource
monitor, and stop the Windows Defender service:

cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & del C:\Windows\System32\resmon.exe /f /q & powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));Stop-Service -Name $x;Set-Service -StartupType Disabled

The Base64 encoded string above decodes to WinDefend.
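
The defence-evasion commands listed so far can be hunted for in process-creation logs even when the PowerShell payload is split into quoted Base64 fragments. The following is an added example, not code from the article or from ThreatLabz: it reassembles and decodes FromBase64String('a'+'b') arguments as UTF-16LE, then matches both the raw and the decoded text. The rule names, function names and the sample events (built from the command lines quoted above) are constructed for illustration.

```python
from __future__ import annotations

import base64
import re

# Argument list of FromBase64String('..'+'..'), tolerating the quote
# splitting and whitespace seen in the commands quoted in the article.
B64_CALL = re.compile(
    r"FromBase64String\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*\+?\s*)+)\)", re.I)
QUOTED = re.compile(r"'([A-Za-z0-9+/=]*)'")

# (rule name, pattern) pairs derived from the commands described above.
RULES = [
    ("controlled_folder_access_disabled",
     r"Set-MpPreference\s+-EnableControlledFolderAccess\s+Disabled"),
    ("shadow_copy_delete_wmi",
     r"Get-WmiObject\s+Win32_Shadowcopy\b.*?\.Delete\(\)"),
    ("shadow_storage_resize",
     r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize="),
    ("backup_or_update_service_disabled",
     r"\bsc(?:\.exe)?\s+config\s+(?:SQLTELEMETRY\S*|SQLWriter|SstpSvc|"
     r"MBAMService|wuauserv)\s+start=\s*disabled\b"),
    ("firewall_all_profiles_off",
     r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off"),
    ("defender_service_stopped", r"Stop-Service\b.*\bWinDefend\b"),
    ("taskmgr_or_resmon_deleted",
     r"\bdel\s+\S*\\System32\\(?:Taskmgr|resmon)\.exe"),
]
COMPILED = [(name, re.compile(rx, re.I | re.S)) for name, rx in RULES]


def decode_embedded_base64(command_line: str) -> list[str]:
    """Return each UTF-16LE string hidden in a FromBase64String(...) call."""
    decoded = []
    for call in B64_CALL.finditer(command_line):
        blob = "".join(QUOTED.findall(call.group(1)))
        try:
            decoded.append(
                base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed Base64 or not [Text.Encoding]::Unicode text
    return decoded


def scan(command_line: str) -> list[str]:
    """Names of the rules that match the raw or the decoded command line."""
    haystack = "\n".join([command_line, *decode_embedded_base64(command_line)])
    return [name for name, rx in COMPILED if rx.search(haystack)]


def triage(events: list[str]) -> dict[str, list[str]]:
    """Map every event that hit at least one rule to its rule names."""
    return {ev: hits for ev in events if (hits := scan(ev))}


# Constructed sample events, assembled from the commands quoted in the article.
SHADOW_CMD = (
    "$x = [System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String("
    "'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+ "
    "'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+"
    "'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+ "
    "'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x"
)
DEFENDER_CMD = (
    r"cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & "
    r"del C:\Windows\System32\resmon.exe /f /q & "
    r'powershell -command "$x = [System.Text.Encoding]::Unicode.GetString('
    r"[System.Convert]::FromBase64String("
    r"'V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));"
    r"Stop-Service -Name $x;Set-Service -StartupType Disabled"
)
FIREWALL_CMD = "netsh advfirewall set allprofiles state off"
VSS_CMD = (r"C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage "
           r"/for=C: /on=C: /maxsize=401MB")
SC_CMD = r"C:\WINDOWS\system32\sc.exe config SQLWriter start= disabled"
CFA_CMD = "powershell Set-MpPreference -EnableControlledFolderAccess Disabled"
BENIGN_CMD = r"C:\WINDOWS\system32\sc.exe config Spooler start= auto"  # control
SAMPLE_EVENTS = [SHADOW_CMD, DEFENDER_CMD, FIREWALL_CMD, VSS_CMD, SC_CMD,
                 CFA_CMD, BENIGN_CMD]

if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", event[:60])
```

Matching only the raw command line would miss the WMI shadow-copy deletion and the Defender service name, because both exist in the log only as Base64 fragments.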

Raccine Anti-Ransomware

BlackByte terminates and uninstalls an anti-ransomware product known as Raccine.
The Raccine processes that are terminated are raccine.exe and
raccinesettings.exe. To uninstall Raccine, BlackByte deletes the following
registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
HKEY_CURRENT_USER\SOFTWARE\Raccine
HKEY_LOCAL_MACHINE\SOFTWARE\Raccine

BlackByte then deletes Raccine's scheduled task via the command:

C:\WINDOWS\system32\schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F

Privilege Escalation

The ransomware executes the following commands to disable UAC remote
restrictions:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

BlackByte sets the EnableLinkedConnections registry value to force symbolic
links to be written to link logon sessions as follows:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

In BlackByte v2, an additional privilege escalation method was added that
exploits the CMSTPLUA COM interface to bypass UAC. The ShellExec method of the
interface ICMLuaUtil can be invoked with arbitrary commands with elevated
privileges using the ElevationMoniker
Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows
BlackByte v2 to execute the svchost.exe process that it injects into with
elevated privileges. This privilege escalation technique has also been utilized
by other ransomware groups including REvil and LockBit.

Lateral Propagation

BlackByte ransomware performs network enumeration and can propagate across a
local network. First it executes the following commands to enable network
discovery and file and printer sharing:

C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes
C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes

The following commands are then executed to discover other computers and network
file shares:

net view
arp -a

BlackByte loads the Active Directory module RSAT-AD-PowerShell and queries for
other computers via the following commands:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe Install-WindowsFeature -Name \"RSAT-AD-PowerShell\" –IncludeAllSubFeature

powershell -command "Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name"

If the -a flag is passed via the command line, BlackByte attempts to copy itself
to the remote computer's public folders via the administrative share
\\<remote_computer_name>\c$\Users\Public\<filename.exe>. If that
attempt is unsuccessful, BlackByte will default to the path:
\\<remote_computer_name>\Users\Public\<filename.exe>. BlackByte uses
the Windows task scheduler to execute the ransomware on the remote host using
the following command:

C:\Windows\system32\schtasks.exe /Create /S <remote_computername> /TN <taskname> /TR "C:\Users\Public\<filename> -s <passphrase>" /ru SYSTEM /sc onlogon /RL HIGHEST /f

In BlackByte v2, the filename and task name are pseudorandomly generated using a
function that produces eight upper and lowercase alphabetic and numeric
characters (e.g., BqgDOVYL.exe and KYL8EpE9, respectively). BlackByte v1 uses a
hardcoded filename and command-line argument complex.exe -single and the
hardcoded task name asd.

After scheduling the task, the remote BlackByte binary is executed using the
command:

C:\Windows\system32\schtasks.exe /S <remote_computername> /Run /TN <taskname>

After the task is executed, BlackByte deletes the remote task using the command:

C:\Windows\system32\schtasks.exe /Delete /S <remote_computername> /TN <taskname> /f

BlackByte then deletes the copy of itself on the remote host network share.
BlackByte also attempts to access administrative shares A$ through Z$ and the
folders shown in Table 4.

Users | Backup | Veeam | Consejo | homes
home | media | common | Storage Server | Public
Web | Images | Downloads | BackupData | ActiveBackupForBusiness
Backups | NAS-DC | DCBACKUP | DirectorFiles | share

Table 4. Network shares targeted by BlackByte ransomware

Check for Analysis Tools

The malware checks the following DLL modules in memory shown in Table 5 and
exits if they are present:

DLL Filename | Description
DBGHELP.DLL | Windows DbgHelp Library
SbieDll.dll | Sandboxie
SxIn.dll | Qihu 360 Total Security
Sf2.dll | Avast Antivirus
snxhk.dll | Avast Antivirus
cmdvrt32.dll | COMODO Internet Security

Table 5. DLLs Identified by BlackByte ransomware

Disable Debugging

BlackByte attempts to prevent debugging tools from monitoring and attaching to
various processes by removing the following registry values under
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:

vssadmin.exe
wbadmin.exe
bcdedit.exe
powershell.exe
diskshadow.exe
net.exe
taskkill.exe
wmic.exe
fsutil.exe

Process Injection

BlackByte v1 injects the ransomware code in an instance of regedit.exe, while
BlackByte v2 injects itself into an instance of svchost.exe. After the process
is injected with the ransomware code, the file encryption is then performed in
the context of the regedit.exe or svchost.exe process. BlackByte then deletes
its original binary on disk by executing the command:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del <blackbyte_filepath.exe> /F /Q

The ping command is used to delay the file deletion by 10 seconds. The process
injection functionality may be able to bypass some security software detections.

Unmount Virtual Machine Images

In order to identify virtual machines on the victim's system, BlackByte will
execute the command:

powershell Get-VM

If any virtual machine files are located, BlackByte will attempt to unmount the
image by executing the following command line:

powershell.exe Dismount-DiskImage -ImagePath <filename.vhd>

Backup Volumes

The malware executes mountvol.exe to try to mount additional volumes:

C:\WINDOWS\system32\mountvol.exe A: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe B: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe E: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe F: \\?\Volume{[GUID]}\

This is likely an attempt to mount and encrypt backup volumes to further prevent
file recovery after encryption.

File Encryption

BlackByte enumerates all physical drives and network shares skipping files that
contain the following substrings in Table 6:

blackbyte | ntdetect.com | bootnxt | ntldr | recycle.bin
bootmgr | thumbs.db | ntuser.dat | bootsect.bak | autoexec.bat
iconcache.db | bootfont.bin

Table 6. BlackByte ransomware file substring filter list

BlackByte avoids the following extensions shown in Table 7.

url | msilog | log | ldf | lock
theme | msi | sys | wpx | cpl
adv | msc | scr | key | ico
dll | hta | deskthemepack | nomedia | msu
rtp | msp | idx | ani | 386
diagcfg | bin | mod | ics | com
hlp | spl | nls | cab | exe
diagpkg | icl | ocx | rom | prf
themepack | msstyles | icns | mpa | drv
cur | diagcab | cmd | shs

Table 7. File extensions skipped by BlackByte ransomware

BlackByte will also skip files located in the following directories shown in
Table 8.

bitdefender | trend micro | avast software | intel | common files
programdata | windowsapps | appdata | mozilla | application data
google | windows.old | system volume information | program files (x86) | boot
tor browser | windows | intel | perflogs | msocache

Table 8. Directories whitelisted by BlackByte ransomware

BlackByte optimizes encryption speed based on the targeted file size according
to the following rules:

Filesize | Encryption Algorithm
Size <= 5MB | Encrypt the entire file
15MB >= Size > 5MB | Encrypt the first 1MB and last 1MB
150MB >= Size > 15MB | Encrypt the first 5MB and last 5MB
Size > 150MB | Encrypt the first 50MB and last 50MB

BlackByte renames encrypted files with the extension .blackbyte. The ransomware
creates a DefaultIcon registry key under HKEY_CLASSES_ROOT\.blackbyte that
points to an icon file, so that every file that is encrypted will show this icon
in Windows explorer. In addition, the registry names s1159 and s2359 are set to
BLACKBYTE under HKEY_CURRENT_USER\Control Panel\International. These registry
values control the time format for AM/PM. As a result, Windows will show
BLACKBYTE instead of AM/PM as shown below in Figure 2.

Figure 2. BlackByte AM/PM time format modification

This time format modification is performed by executing the commands:

reg add "HKCU\Control Panel\International" /v s1159 /t REG_SZ /d BLACKBYTE /f
reg add "HKCU\Control Panel\International" /v s2359 /t REG_SZ /d BLACKBYTE /f

File Encryption Algorithms (Variant 1)

BlackByte v1 must be executed with the command line argument -single followed by
a SHA256 hash. This hash is combined with a TOR onion URL (e.g.,
hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad[.]onion/). The
SHA256 hash given as an argument is concatenated to the onion URL to build the
URL of the victim ransom portal that is embedded in the ransom note. This URL is
substituted in the [LINK] field of the ransom note template.

When BlackByte v1 is executed, the malware tries to connect to a hardcoded URL
that hosts a file that is involved in the construction of an AES key that is
used to encrypt a victim's files. An example URL used for this purpose was
hxxps://185.93.6[.]31/mountain.png. The mechanism used to build the AES key is
very similar to the C# variant.

After the content of the file mountain.png is downloaded, BlackByte reads the
first 16 bytes of the file into a buffer and 24 bytes at the offset 0x410 of the
file into another buffer. These 24 bytes are used as the key to create and
initialize a NewTripleDESCipher object from the Go Cryptographic API. This
object is used to decrypt the first 16 bytes of the file mountain.png. The
resulting 16-byte buffer will be used as a PBKDF2 password to derive the AES key
that will be used to encrypt the victim's files. The BlackByte PBKDF2 algorithm
uses SHA1 as the hashing function and 1,000 iterations to derive the AES key.
The password is converted to Unicode and the Unicode string BLACKBYTE_IS_COOL is
used as the salt. The following example Python code can be used to derive the
AES key used for file encryption.

Figure 3. Python code to decrypt BlackByte v1 files with the file (e.g.,
mountain.png) downloaded from the C2 server

Victim's files are encrypted with AES using CBC mode. The first 16 bytes of the
PBKDF2 derived key are used as AES key, and the same 16 bytes are used as the
initialization vector (IV). The same AES key is used to encrypt all the files on
a victim's machine.

The PBKDF2 password is encrypted with a hardcoded 1,024-bit RSA public key and
the resulting RSA-encrypted value is encoded with Base64. This Base64 encoded
string is substituted in the [KEY] field in the ransom note template. The threat
actor can decrypt the PBKDF2 password with their corresponding RSA private key,
derive the AES key, and thereafter, decrypt the victim's encrypted files. The
following is an example RSA public key that was hardcoded in BlackByte:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBwECQuQiVGorPYvHrJM11OWV
E1PS8gaBqIAfPaR1rQHUEXu3iX/da/dCtV8Z27/SIA/ZYUNhTyUsX9Snjz8zve90
QAiG1c/BS81WWRax7M7i1rESStVwOaUDAj5w6cz9GwDMGYI+wve9Qyjtw5R6hr5I
qlIEig1Wy1X27vUC2wIDAQAB
-----END PUBLIC KEY-----

Ransom Note and BlackByte Icon (Variant 1)

The BlackByte ransom note and an image containing an icon file are stored as
Base64 encoded strings in the binary. After the encryption of the victim's
files, the ransom note is written to a file named BlackByteRestore.txt, and the
previously mentioned icon file is written to a file named BB.ico. An example
BlackByte v1 ransom note template is shown below in Figure 4. The BlackByte logo
uses the extended ASCII characters of the 8-bit code page 437 to create 3-D
block letters.

Figure 4. Go-based BlackByte v1 ransom note template

File Encryption Algorithms (Variant 2)

The second variant of BlackByte ransomware does not require a network connection
to start encryption. In addition, the ransomware's command-line parameters were
modified. BlackByte v2 requires two command line parameters:

sample.exe <flags> <passphrase>

The first parameter is a flag (e.g., -a) that controls specific behaviors of the
ransomware (e.g., to propagate across a network), while the second parameter is
a passphrase (e.g., 54726956) that is verified before file encryption commences.
If BlackByte is not provided with any command-line arguments, the ransomware
prints out the phrase "BlackByte ransomware, 8-th generation, the most
destructive of all ransomware products, real natural disaster." and exits.

BlackByte v2 removed the RSA and AES file encryption algorithms from the
ransomware. They were replaced with Curve25519 elliptic curve cryptography for
asymmetric encryption and ChaCha for symmetric encryption.
The Curve25519 functions are statically compiled within BlackByte using Go
library code. BlackByte generates a random 32-byte buffer per file using the
Windows API function RtlGenRandom(). This random value is used as a file's
secret key. The file's public key is calculated as follows:

file_public_key = Curve25519(file_secret_key, base_point = 0x9)

The threat actor's Curve25519 public key is hardcoded in the binary and stored
as a Base64 encoded string. For the sample with the SHA256 hash
ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa, the hardcoded
Curve25519 public key was the string:

2BSTzcpdqRW/a2DRT3TiL9lN5INRmmn1lCQWzZhkfQs=
(d81493cdca5da915bf6b60d14f74e22fd94de483519a69f5942416cd98647d0b)

The shared secret is derived as follows:

shared_secret = Curve25519(file_secret_key, blackbyte_public_key)

The shared secret is hashed with SHA256 to derive a 32-byte ChaCha encryption
key. The ChaCha encryption key is then hashed again with SHA256 to derive the
ChaCha nonce (using 12 bytes starting at offset 10). Once the ChaCha key
parameters have been derived, they will be used to encrypt the file's content.
The encrypted data is written to the file (overwriting the original content).
Finally, the victim's 32-byte public key is concatenated to the encrypted
content of the file. The BlackByte v2 encryption algorithm is shown below in
Figure 5.

Figure 5. BlackByte v2 file encryption algorithm

The threat actor can use the file's public key together with the threat actor's
secret key to recover the shared secret and use it to decrypt the encrypted data
as follows:

shared_secret = Curve25519(blackbyte_secret_key, file_public_key)

If the threat actor's private key is obtained, the following Python code in
Figure 6 can be used to decrypt the data in a file that BlackByte has
encrypted:

Figure 6. Python code to decrypt BlackByte v2 files with the threat actor's
private key

BlackByte v2 also encrypts the filename after encryption. The encryption is a
simple XOR layer with a hardcoded key, followed by Base64 encoding as shown in
Figure 7.

Figure 7. BlackByte v2 filename encryption

In the analyzed sample, the XOR key was fuckyou123. After a filename has been
encrypted, the file is renamed and the .blackbyte extension is concatenated.

Ransom Note and BlackByte Icon (Variant 2)

BlackByte v2 changed how the ransom note and icon file are stored: an XOR-based
encryption layer was added to their Base64 encoded blocks. The XOR key to
decrypt the ransom note and icon file is embedded in the ransomware as an
obfuscated string. The icon file is written to the victim's %APPDATA% directory
using a randomly generated filename consisting of six upper and lowercase
alphabetic and numeric characters (e.g., i2uOJh.ico).

BlackByte v2 contains a hardcoded TOR onion URL and path for the victim portal
rather than relying on the command-line for the path value. BlackByte v2 also
added a hardcoded password that is required to access the victim ransom portal.
An example password is:

gkaW_#DD[Aw_JTB@luXpJBdye6eLr@{bx5pHFA)T5FpMYJC]f|@

The BlackByte v2 ransom note template is shown below in Figure 8. The [LINK]
substring in the ransom note is replaced with the hardcoded BlackByte victim URL
and the [PASSW] substring is replaced with the victim-specific password for the
ransom portal.

Figure 8. BlackByte v2 ransom note template

An example ransom note when populated after file encryption has been performed
for BlackByte v2 is shown in Figure 9.

Figure 9. BlackByte v2 ransom note

After BlackByte encrypts files, the ransom note is written to each directory,
the encrypted files are renamed, and their icons are replaced by the BlackByte
icon.

Ransom Portal and Leak Site

When a victim accesses the link in the ransom portal, they are instructed to
enter the access key from the ransom note as shown in Figure 10.

Figure 10. BlackByte victim ransom portal

After a victim authenticates, they are shown the ransom demand and
instructions on how to purchase Bitcoin. There is also a live chat feature, as
shown in Figure 11.

Figure 11. BlackByte ransom negotiation portal

Victims are further pressured to pay the ransom, or risk having their data
publicly leaked on their TOR hidden service as shown in Figure 12.

Figure 12. BlackByte victim leak site

Print Bombing

In addition to dropping a ransom note on the victim's machine, the ransomware
sends a message to be printed by any connected printers. The printed ransom
message is an RTF file with the content shown below:

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0
Calibri;}}
{\*\generator Riched20 10.0.19041}\viewkind4\uc1
\pard\sa200\sl276\slmult1\qc\f0\fs56\lang9 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par

\pard\sa200\sl276\slmult1\par
}

In BlackByte v1, the message is written to the file C:\Users\tree.dll and the
following command is executed to print it:

C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p
C:\\Users\\tree.dll

In addition, a task named Task is created to print the message every hour:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn Task /tr
"C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll" /st 07:00

In BlackByte v2, the text of the message is written to a file with a random name
consisting of six upper and lowercase alphabetic and numeric characters. The
task name is also randomly generated, consisting of eight upper and lowercase
alphabetic and numeric characters. An example task command to print the ransom
message is shown below:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr
"C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start %SystemDrive%\Program Files\Windows
NT\Accessories\WordPad.exe /p
C:\Users\1HoWkK.dll" /st 07:00
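Because v2 randomizes both the task name and the file name, detection has to key on the shape of the command rather than on tree.dll or Task. The following is an added example (not from the original post) that matches the WordPad print loop and the hourly task wrapper in process command lines; the first three sample lines are the commands quoted above joined onto one line, the last two are constructed benign lines, and all function and field names are hypothetical.

```python
import re

# "for /l %x in (1,1,75) do start <...wordpad.exe> /p <file>"
PRINT_LOOP = re.compile(
    r'for\s+/l\s+%+\w\s+in\s*\(\s*\d+\s*,\s*\d+\s*,\s*(?P<count>\d+)\s*\)\s*do\s+'
    r'start\s+(?P<app>.*?wordpad\.exe)"?\s+/p\s+(?P<doc>[^"\s]+)',
    re.IGNORECASE,
)
# schtasks /create ... /sc HOURLY
HOURLY_TASK = re.compile(
    r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/sc\s+hourly\b', re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"?(?P<name>[^"\s]+)', re.IGNORECASE)

# Extensions a user would plausibly send to WordPad for printing (assumption).
DOCUMENT_EXTENSIONS = (".rtf", ".txt", ".doc", ".docx", ".odt", ".wri")

SAMPLE_COMMAND_LINES = [
    # v1 direct print loop, as quoted on the page
    r"C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p C:\\Users\\tree.dll",
    # v1 hourly task, as quoted on the page
    r'C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn Task /tr "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll" /st 07:00',
    # v2 hourly task with random names, as quoted on the page
    r'C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start %SystemDrive%\Program Files\Windows NT\Accessories\WordPad.exe /p C:\Users\1HoWkK.dll" /st 07:00',
    # constructed benign: a user printing one document
    r'"C:\Program Files\Windows NT\Accessories\wordpad.exe" /p C:\Users\alice\Documents\report.rtf',
    # constructed benign: an unrelated hourly task
    r"C:\WINDOWS\system32\schtasks.exe /create /sc HOURLY /tn BackupJob /tr C:\Tools\backup.cmd",
]


def analyze_command_line(cmd):
    """Return a dict of findings for one command line, or None if no print loop."""
    loop = PRINT_LOOP.search(cmd)
    if not loop:
        return None
    doc = loop.group("doc")
    task = TASK_NAME.search(cmd) if HOURLY_TASK.search(cmd) else None
    return {
        "copies_per_run": int(loop.group("count")),
        "printed_file": doc,
        # The page's samples print RTF text stored under a .dll name.
        "disguised_extension": not doc.lower().endswith(DOCUMENT_EXTENSIONS),
        "hourly_task": task.group("name") if task else None,
    }


def scan(command_lines):
    """Return [(line_index, findings)] for every line that contains the print loop."""
    hits = []
    for index, cmd in enumerate(command_lines):
        findings = analyze_command_line(cmd)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_COMMAND_LINES):
        print(index, findings)
```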

Anti-Analysis / Anti-Forensics Techniques

String Obfuscation

Both Go-based BlackByte variants encrypt most strings using a tool similar to
AdvObfuscator. Each string is decrypted using a unique algorithm with
polymorphic code that implements different operations (XOR, addition,
subtraction, etc.). In the examples shown in Figure 13, the encrypted strings
are built and decrypted from arguments on the stack.

Figure 13. BlackByte string obfuscation examples

Modified UPX Packer

In addition to string obfuscation, BlackByte samples are typically packed with
UPX. In BlackByte v1, all of the samples observed by ThreatLabz were packed with
the standard UPX packer and could be unpacked via the command-line parameter -d.
The early samples of BlackByte v2 were also packed with the standard UPX packer.
However, the most recent BlackByte samples (since March 2022) are packed with a
modified version of UPX. The names of the sections have been renamed from UPX0
and UPX1 to BB0 and BB1, respectively. Figure 14 shows an example BlackByte v2
sample with the modified UPX headers.

Figure 14. BlackByte v2 altered UPX header
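A triage check for the renamed sections, as an added example that is not part of the original analysis: it reads the PE section table and reports the UPX0/UPX1 or BB0/BB1 pair. The fallback that flags a first section with no raw data on disk is an added heuristic based on the usual UPX layout, not a claim from the page, and the header-only PE images are constructed test input.

```python
import struct

SECTION_PAIRS = {
    ("UPX0", "UPX1"): "standard UPX section names",
    ("BB0", "BB1"): "UPX section names renamed to BB0/BB1 (as reported for BlackByte v2)",
}


def read_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(count):
        name, vsize, _vaddr, raw_size = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size))
    return sections


def classify_packing(data):
    """Name-based check first, then the added layout heuristic."""
    sections = read_sections(data)
    names = [name for name, _, _ in sections]
    for pair, verdict in SECTION_PAIRS.items():
        if all(n in names for n in pair):
            return verdict
    # Added heuristic (assumption): UPX's first section is empty on disk and is
    # filled at run time, so the layout survives any renaming of the sections.
    if sections and sections[0][1] > 0 and sections[0][2] == 0:
        return "first section has no raw data: possible packer with other section names"
    return "no UPX-style section layout"


def build_constructed_pe(sections):
    """Header-only, non-executable PE image for testing (constructed sample)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    table = b"".join(
        struct.pack("<8sIIII", name.encode(), vsize, 0x1000 * (i + 1), raw, 0x400)
        + bytes(16)
        for i, (name, vsize, raw) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + bytes(0xF0) + table


if __name__ == "__main__":
    for names in (("UPX0", "UPX1"), ("BB0", "BB1"), (".text", ".data")):
        image = build_constructed_pe(
            [(names[0], 0x5000, 0 if names[0] != ".text" else 0x5000),
             (names[1], 0x3000, 0x2E00)])
        print(names, "->", classify_packing(image))
```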

Antivirus Detection

Due to BlackByte's anti-analysis features, polymorphic code, and heavy
obfuscation, many antivirus products have very low detection rates. For example,
the BlackByte sample with the SHA256
534f5fbb7669803812781e43c30083e9197d03f97f0d860ae7d9a59c0484ace4 had an
antivirus detection rate of 4/61 at the time of publication.

Conclusion

BlackByte is a full-featured ransomware family operated by a threat group that
continues to breach organizations and demand large ransom amounts. The threat
group also performs double extortion attacks by stealing an organization's files
and leaking them online if the ransom is not paid. The ransomware code itself is
regularly updated to fix bugs, bypass security software, and hinder malware
analysis. The encryption algorithms have also been improved to be more secure
and prevent file recovery. This demonstrates that the threat group will likely
continue to improve the ransomware and remain a significant threat to
organizations.

Cloud Sandbox Detection

Zscaler's multilayered cloud security platform detects indicators at various
levels, as shown below:

Win64.Ransom.Blackbyte

Indicators of Compromise



*** This is a Security Bloggers Network syndicated blog from Blog Category Feed
authored by Javier Vicente. Read the original post at:
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants

May 3, 2022 Javier Vicente

choices, IP addresses, Users’ profiles

more

Uses other forms of storage.


View details | Storage details | Privacy policylaunch
Consent


ADFORM A/S

Cookie duration: 3650 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Probabilistic identifiers, Browsing and
interaction data, Non-precise location data, User-provided data, Privacy
choices, IP addresses, Users’ profiles

more

Cookie duration resets each session. Uses other forms of storage.


View details | Storage details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


MAGNITE, INC.

Cookie duration: 365 (days).

Data collected and processed: Device identifiers, Device characteristics,
Precise location data, Probabilistic identifiers, Browsing and interaction data,
Non-precise location data, Privacy choices, IP addresses

more

Cookie duration resets each session. Uses other forms of storage.


View details | Storage details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


Authentication-derived identifiers, Precise location data, Probabilistic
identifiers, Browsing and interaction data, Non-precise location data,
User-provided data, Privacy choices, IP addresses, Users’ profiles

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Consent


LOCALSENSOR B.V.

Doesn't use cookies.

Data collected and processed: Device identifiers, Device characteristics,
Precise location data, Non-precise location data, Privacy choices, IP addresses

more

Uses other forms of storage.


View details | Privacy policylaunch
Consent


ONLINE SOLUTION

Cookie duration: 365 (days).

Data collected and processed: Device identifiers, Device characteristics,
Precise location data, Probabilistic identifiers, Browsing and interaction data,
Non-precise location data, User-provided data, Privacy choices, IP addresses,
Users’ profiles

more

Cookie duration resets each session. Uses other forms of storage.


View details | Privacy policylaunch
Consent


RELAY42 NETHERLANDS B.V.

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Probabilistic identifiers, Browsing and interaction data, User-provided data,
Privacy choices, IP addresses, Users’ profiles

more




View details | Storage details | Privacy policylaunch
Consent


GP ONE GMBH

Cookie duration: Uses session cookies.

Data collected and processed: Device characteristics, Browsing and interaction
data, Non-precise location data, User-provided data, Privacy choices, IP
addresses

more

Uses other forms of storage.


View details | Storage details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


LMI, INC.

Doesn't use cookies.

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Precise location data, Probabilistic
identifiers, Browsing and interaction data, Non-precise location data,
User-provided data, Privacy choices, IP addresses, Users’ profiles

more

Uses other forms of storage.


View details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


THE MEDIAGRID INC.

Cookie duration: 365 (days).

Data collected and processed: Device identifiers, Device characteristics,
Precise location data, Probabilistic identifiers, Browsing and interaction data,
Non-precise location data, Privacy choices, IP addresses

more

Cookie duration resets each session. Uses other forms of storage.


View details | Privacy policylaunch
Consent


MINDTAKE RESEARCH GMBH

Cookie duration: 180 (days).

Data collected and processed: Device identifiers, Device characteristics,
Probabilistic identifiers, Browsing and interaction data, IP addresses, Users’
profiles

more

Uses other forms of storage.


View details | Privacy policylaunch
Consent


CINT AB

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Browsing and interaction data, Privacy choices, IP addresses

more

Uses other forms of storage.


View details | Privacy policylaunch
Consent


GOOGLE ADVERTISING PRODUCTS

Cookie duration: 396 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Browsing and interaction data, Non-precise
location data, User-provided data, Privacy choices, IP addresses, Users’
profiles

more

Uses other forms of storage.


View details | Storage details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


GFK GMBH

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Browsing and interaction data, Non-precise
location data, User-provided data, Privacy choices, IP addresses, Users’
profiles

more

Uses other forms of storage.


View details | Storage details | Privacy policylaunch
Consent


REVJET

Cookie duration: 365 (days).

Data collected and processed: Device identifiers, Non-precise location data,
Privacy choices, IP addresses, Users’ profiles

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Consent


PROTECTED MEDIA LTD

Doesn't use cookies.

Data collected and processed: Device identifiers, Device characteristics,
Probabilistic identifiers, Browsing and interaction data, IP addresses

more




View details | Privacy policylaunch
Legitimate interesthelp_outline


CLINCH LABS LTD

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Probabilistic identifiers, Browsing and interaction data, Non-precise location
data, Privacy choices, IP addresses, Users’ profiles

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


ORACLE DATA CLOUD - MOAT

Doesn't use cookies.

Data collected and processed: Non-precise location data, IP addresses

more




View details | Privacy policylaunch
Legitimate interesthelp_outline


HEARTS AND SCIENCE MÜNCHEN GMBH

Cookie duration: 60 (days).

Data collected and processed: IP addresses

more

Cookie duration resets each session.


View details | Privacy policylaunch
Consent


AMAZON ADVERTISING

Cookie duration: 396 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Browsing and interaction data, Non-precise
location data, Privacy choices, IP addresses, Users’ profiles

more

Cookie duration resets each session. Uses other forms of storage.


View details | Storage details | Privacy policylaunch
Consent


MOLOCO, INC.

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Non-precise location data, IP addresses

more

Cookie duration resets each session. Uses other forms of storage.


View details | Privacy policylaunch
ConsentLegitimate interesthelp_outline


ADTRIBA GMBH

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Browsing and interaction data, Non-precise
location data, Privacy choices, IP addresses

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Consent


OBJECTIVE PARTNERS BV

Cookie duration: 90 (days).

Data collected and processed: Device identifiers

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Consent


ENSIGHTEN

Cookie duration: 1825 (days).

Data collected and processed: Device identifiers, Device characteristics,
Browsing and interaction data, Privacy choices, IP addresses

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Legitimate interesthelp_outline


EBAY INC

Cookie duration: 90 (days).

Data collected and processed: Device characteristics, Privacy choices, IP
addresses

more




View details | Storage details | Privacy policylaunch
Consent


METRIXLAB NEDERLAND B.V.

Cookie duration: 730 (days).

Data collected and processed: Device identifiers, Device characteristics,
Browsing and interaction data, User-provided data, IP addresses

more

Uses other forms of storage.


View details | Privacy policylaunch
Consent


HURRA COMMUNICATIONS GMBH

Cookie duration: 366 (days).

Data collected and processed: Device identifiers, Device characteristics,
Authentication-derived identifiers, Precise location data, Probabilistic
identifiers, Browsing and interaction data, Non-precise location data, IP
addresses

more

Cookie duration resets each session.


View details | Storage details | Privacy policylaunch
Consent

Ad partners

help_outline


AKAMAI

Privacy policylaunch
Consent


META

Privacy policylaunch
Consent


AUNICA

Privacy policylaunch
Consent


BOOKING.COM

Privacy policylaunch
Consent


C3 METRICS

Privacy policylaunch
Consent


IBM

Privacy policylaunch
Consent


EVIDON

Privacy policylaunch
Consent


ADACADO

Privacy policylaunch
Consent


INTELLIAD

Privacy policylaunch
Consent


DSTILLERY

Privacy policylaunch
Consent


MEDIAMATH

Privacy policylaunch
Consent


ZMS

Privacy policylaunch
Consent


OMNICOM MEDIA GROUP

Privacy policylaunch
Consent


RESONATE

Privacy policylaunch
Consent


SOJERN

Privacy policylaunch
Consent


TRADEDOUBLER AB

Privacy policylaunch
Consent


TRUSTARC

Privacy policylaunch
Consent


TRUEFFECT

Privacy policylaunch
Consent


TRAVEL DATA COLLECTIVE

Privacy policylaunch
Consent


ADVOLUTION.CONTROL

Privacy policylaunch
Consent


LIFESTREET

Privacy policylaunch
Consent


ADMAXIM

Privacy policylaunch
Consent


BATCH MEDIA

Privacy policylaunch
Consent


VODAFONE GMBH

Privacy policylaunch
Consent


MAGNITE

Privacy policylaunch
Consent


SCENESTEALER

Privacy policylaunch
Consent


NETQUEST

Privacy policylaunch
Consent


MANAGE.COM

Privacy policylaunch
Consent


CLOUDFLARE

Privacy policylaunch
Consent


SALESFORCE DMP

Privacy policylaunch
Consent


NETFLIX

Privacy policylaunch
Consent


EBUILDERS

Privacy policylaunch
Consent


APPLOVIN CORP.

Privacy policylaunch
Consent


FRACTIONAL MEDIA

Privacy policylaunch
Consent


RACKSPACE

Privacy policylaunch
Consent


MSI-ACI

Privacy policylaunch
Consent


ADMETRICS

Privacy policylaunch
Consent


NAVEGG

Privacy policylaunch
Consent


ADMEDO

Privacy policylaunch
Consent


KOCHAVA

Privacy policylaunch
Consent


MOBITRANS

Privacy policylaunch
Consent


ADEX

Privacy policylaunch
Consent


IMPACT

Privacy policylaunch
Consent


SPOTAD

Privacy policylaunch
Consent


AARKI

Privacy policylaunch
Consent


SFR

Privacy policylaunch
Consent


CABLATO

Privacy policylaunch
Consent


WAYSTACK

Privacy policylaunch
Consent


TRESENSA

Privacy policylaunch
Consent


GSKINNER

Privacy policylaunch
Consent


CUBED

Privacy policylaunch
Consent


OPTOMATON

Privacy policylaunch
Consent


ANALIGHTS

Privacy policylaunch
Consent


DENTSU AEGIS NETWORK

Privacy policylaunch
Consent


DIGISEG

Privacy policylaunch
Consent


HAENSEL AMS

Privacy policylaunch
Consent


BDSK HANDELS GMBH & CO. KG

Privacy policylaunch
Consent


MARKETING SCIENCE CONSULTING GROUP, INC.

Privacy policylaunch
Consent


DENTSU

Privacy policylaunch
Consent


KOBLER

Privacy policylaunch
Consent


WIDESPACE

Privacy policylaunch
Consent


VIMEO

Privacy policylaunch
Consent

Accept all



Confirm choices

Close



