A Closer Look At BlackMagic Ransomware

December 12, 2022

BlackMagic ransomware ships as a 64-bit DLL with a single function that carries out all of the malware's main functionality. On execution, it calls sleep() repeatedly to evade sandbox detection, kills specific processes with taskkill, adds a registry key that disables Task Manager, and collects the victim machine's IP addresses with the ipconfig utility. Once file encryption is complete and the ransom note has been dropped, it writes a batch file named next.bat that deletes traces of the infection, kills further processes, restarts the system, and finally deletes the ransomware itself.
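As an added detection example (not Cymulate's code and not from the BlackMagic sample), the Python below correlates the behaviour chain described above over constructed Sysmon-style process-creation records: taskkill, a registry write that disables Task Manager, ipconfig, a next.bat launch, and the reboot. The exact registry path, the shutdown command, the targeted process names and the location of next.bat are assumptions; the write-up names only the effects. Indicators are attributed to the top of the process lineage so that children of the next.bat cmd.exe still count against the ransomware process.

```python
"""Correlate the BlackMagic behaviour chain over Sysmon-style ProcessCreate records.

Added example, not the original page's or Cymulate's code. Sample telemetry is
constructed. Registry path, reboot command and process names are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (tag, regex over CommandLine). DisableTaskMgr path and shutdown /r are
# assumptions: the write-up says only "disables Task Manager" and "restarts".
INDICATORS = [
    ("kill_processes", re.compile(r"\btaskkill(?:\.exe)?\b.*?(?:/im|/pid)\b", re.I)),
    ("disable_taskmgr", re.compile(
        r"\breg(?:\.exe)?\s+add\b.*?policies\\system\b.*?disabletaskmgr\b.*?/d\s+1\b", re.I)),
    ("recon_ipconfig", re.compile(r"\bipconfig(?:\.exe)?\b", re.I)),
    ("cleanup_script", re.compile(r"\bnext\.bat\b", re.I)),
    ("reboot", re.compile(r"\bshutdown(?:\.exe)?\b.*?(?:/r|-r)\b", re.I)),
]

# Constructed sample: one JSON object per line with Sysmon Event ID 1 field
# names. {mal-0001} is the ransomware process; {admin-cmd} is benign noise.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-12-12 09:00:01.000", "ProcessGuid": "{c1}", "ParentProcessGuid": "{mal-0001}", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM sqlservr.exe"}
{"UtcTime": "2022-12-12 09:00:01.250", "ProcessGuid": "{c2}", "ParentProcessGuid": "{mal-0001}", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM oracle.exe"}
{"UtcTime": "2022-12-12 09:00:02.000", "ProcessGuid": "{c3}", "ParentProcessGuid": "{mal-0001}", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"}
{"UtcTime": "2022-12-12 09:00:03.000", "ProcessGuid": "{c4}", "ParentProcessGuid": "{mal-0001}", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig"}
{"UtcTime": "2022-12-12 09:06:40.000", "ProcessGuid": "{c5}", "ParentProcessGuid": "{mal-0001}", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\Public\\next.bat"}
{"UtcTime": "2022-12-12 09:06:41.000", "ProcessGuid": "{c6}", "ParentProcessGuid": "{c5}", "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /t 0"}
{"UtcTime": "2022-12-12 11:30:00.000", "ProcessGuid": "{b1}", "ParentProcessGuid": "{admin-cmd}", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"}
{"UtcTime": "2022-12-12 11:31:00.000", "ProcessGuid": "{b2}", "ParentProcessGuid": "{admin-cmd}", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /PID 4412 /F"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry and attach a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def tag_event(ev):
    """Return every indicator tag whose regex matches this command line."""
    return [tag for tag, rx in INDICATORS if rx.search(ev["CommandLine"])]


def root_of(guid, parent_of):
    """Walk the parent chain to the first process with no creation record in the batch."""
    seen = set()
    while guid in parent_of and guid not in seen:
        seen.add(guid)
        guid = parent_of[guid]
    return guid


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Alert on any lineage root showing >= threshold distinct tags inside one window."""
    parent_of = {ev["ProcessGuid"]: ev["ParentProcessGuid"] for ev in events}
    hits = defaultdict(list)  # root guid -> [(ts, tag)]
    for ev in events:
        for tag in tag_event(ev):
            hits[root_of(ev["ProcessGuid"], parent_of)].append((ev["ts"], tag))

    alerts = {}
    for root, observed in hits.items():
        observed.sort()
        # Slide a window from each observation; report the first that qualifies.
        for i, (start, _) in enumerate(observed):
            in_window = [(ts, t) for ts, t in observed[i:] if ts - start <= window]
            distinct = sorted({t for _, t in in_window})
            if len(distinct) >= threshold:
                alerts[root] = {
                    "tags": distinct,
                    "first_seen": start.isoformat(sep=" "),
                    "span_seconds": (in_window[-1][0] - start).total_seconds(),
                }
                break
    return alerts


if __name__ == "__main__":
    for root, info in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(root, info)
```

With the default threshold only the ransomware lineage fires; the administrator who runs ipconfig and taskkill by hand stays at two tags and is not reported. Lowering the threshold to two shows why the count matters: the benign lineage then alerts as well.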