Bridewell and Group-IB Uncover Possible BlackByte Victim Data

Published 17 May 2023

As part of ongoing research and monitoring activities into prominent ransomware groups, Bridewell Cyber Threat Intelligence (CI) identified an exposed server hosted in Russia that appeared to host stolen data belonging to victims of the ransomware group BlackByte.

The server contained 38 subdirectories named after organisations across the globe. A number of these organisations had not been posted to the BlackByte data leak site, indicating that they have either paid a ransom or are not yet aware of a possible compromise. We worked alongside Group-IB to retrieve the datasets and notify possible victims.

Who is BlackByte?

BlackByte is a Ransomware-as-a-Service (RaaS) group that was first identified in July 2021. In February 2022, the FBI released a joint cyber security advisory stating that the group and its affiliates had targeted at least three critical infrastructure sectors in the U.S. The ransomware group and its affiliates have infected victims all over the world. Since inception, the group has published over 180 victims to their data leak site, with the most recent victim posted on 5th October 2023. BlackByte is considered one of the big game ransomware groups, which are known to pursue large, high-profile organisations, encrypting both physical Windows and virtualised systems before threatening to publicly release exfiltrated internal data.

Figure 1. Black Byte Data Leak Site

Findings

Whilst conducting research, Bridewell’s Senior Threat Intelligence Analyst, Joshua Penny, identified a server hosted in St. Petersburg, Russia, that appeared to contain a large dataset of directories exposed to the open internet.

Figure 2. Location of exposed server

We assessed that this is likely an operational security failure by the owner/operators of the server. The directories were named after what appeared to be organisations around the globe. After analysing these directories, Bridewell and Group-IB were able to link a large portion of the organisations to the Data Leak Site for the ransomware group BlackByte. The open server contained 37 directories, with 19 named after organisations posted to the BlackByte data leak site between January and September 2023. 15 subdirectories were named after organisations not posted. The organisations are located in the US, Turkey, Germany and Denmark. It is currently assessed with moderate confidence that these organisations could be victims of the BlackByte ransomware group and either paid the ransom or are potentially unaware of any compromise.

Figure 3. Open Directory mapping to BlackByte Data Leak Site.

Dataset

Bridewell and Group-IB specialists acquired the dataset to allow organisations to verify the plethora of archive files contained within the open directory. All files were compressed .zip files named “Archive1”, “Archive 2”, etc., with each file approximately 1 GB in size.

  • Total number of files: 140,135.
  • Total directory size: 1.2 TB

Action Taken

Bridewell and Group-IB notified the organisations not listed on the BlackByte DLS to ensure that they could verify the data and conduct any necessary remedial action. Bridewell continues to track infrastructure such as this server potentially linked to the BlackByte group for our customers.

We have withheld the IP address of the server hosting the open directory including additional potentially related infrastructure due to the sensitivities and confidential nature of the information. We do not wish to draw further attention to the dataset. Additional findings can be shared with other security professionals through trusted channels.

Current Status of BlackByte

Interestingly, the BlackByte data leak site is currently down and inactive, only one month after posting their latest victim. It is yet to be seen whether BlackByte will return with a new DLS with the intention of publicising the other organisations identified in this open directory, as they have rebranded multiple times previously. Bridewell and Group-IB continue to monitor BlackByte’s activity and possible associated infrastructure.

Author

Joshua Penny

Senior Threat Intelligence Analyst