A Closer Look At BlackMagic Ransomware
Blackmagic ransomware group uses a 64-bit DLL file with a single function that is responsible for executing all the main functionality of BlackMagic ransomware.
Upon execution, It calls "sleep()" function multiple times to evade sandbox detection, kills specific processes using taskill, adds a registry key for disabling the task manager, and fetches the victim machines' IP addresses utilizing the ipconfig utility.
Once the encryption of the files is complete and the "ransom note" is dropped, It creates a .bat file named "next.bat" and performs various functions like deleting traces, kills some processes, and finally restart the system while also deleting itself.
Featured Resources
blog
How Cymulate Supports Hong Kong's 2025 Protection of Critical Infrastructure Ordinance
In March 2025, Hong Kong's Protection of Critical Infrastructure (Computer System) Ordinance was enacted and will go into effect in
blog
Reducing Attack Surface with Exposure Management and Attack Path Discovery
Key Takeaways Every new endpoint, cloud workload and third-party connection expands an organization’s attack surface. In simple terms, this
Report
Strategic Roadmap for Continuous Threat Exposure Management
This Gartner® report guides CISOs from traditional vulnerability management to a dynamic CTEM program.