
A Closer Look At BlackMagic Ransomware

December 12, 2022

BlackMagic ransomware is delivered as a 64-bit DLL with a single function that carries out all of the malware's main functionality. On execution it calls sleep() repeatedly so that sandbox analysis times out before any malicious behaviour appears, kills specific processes with taskkill, adds a registry key that disables Task Manager, and collects the victim machine's IP addresses with the ipconfig utility. Once file encryption is complete and the ransom note has been dropped, it writes a batch file named next.bat that removes traces of the infection, kills further processes, restarts the system, and deletes the ransomware itself.
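Every step in that chain except the sleep() calls spawns a child process with a recognisable command line, which makes the sequence a good candidate for a behavioural correlation rule. The following is an added example written for this page, not Cymulate's own code and not a published detection for this sample: it runs simple command-line patterns over constructed process-creation events (Sysmon Event ID 1 style, reduced to host, timestamp, parent and command line) and alerts when at least three distinct behaviours from the chain occur on one host within a ten-minute window. The regexes, the DisableTaskMgr value under the Policies\System key (the page says only that a key disabling Task Manager is added), the shutdown /r reboot command, the rundll32.exe parent and the sample events are all assumptions made for the example.

```python
"""Behavioural correlation for the BlackMagic execution chain (added example).

Input: constructed process-creation events, each a dict with
host, utc (ISO 8601), parent image name and command line.
Output: {host: [matched behaviour names]} for hosts that cross the threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours taken from the write-up. The patterns are assumptions about how
# each step shows up on a command line, not indicators published for the sample.
INDICATORS = {
    "taskkill_force": re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I),
    # Assumed: Task Manager is disabled via the standard DisableTaskMgr policy value.
    "disable_taskmgr": re.compile(r"\breg(\.exe)?\s+add\b.*DisableTaskMgr", re.I),
    "ipconfig_recon": re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "next_bat": re.compile(r"\bnext\.bat\b", re.I),
    # Assumed: the batch file reboots with shutdown /r.
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
}
MIN_INDICATORS = 3          # distinct behaviours needed before alerting
WINDOW = timedelta(minutes=10)


def match_event(cmdline):
    """Return the names of every indicator whose pattern matches this command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def detect(events):
    """Correlate matched behaviours per host inside a sliding time window."""
    per_host = defaultdict(list)
    for e in events:
        for name in match_event(e["cmdline"]):
            per_host[e["host"]].append((datetime.fromisoformat(e["utc"]), name, e["parent"]))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        # For each hit, count the distinct behaviours seen within WINDOW after it.
        for t0, _, _ in hits:
            names = {n for t, n, _ in hits if t0 <= t <= t0 + WINDOW}
            if len(names) >= MIN_INDICATORS:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed telemetry, not real logs: ws01 replays the chain described in the
# write-up (parent rundll32.exe is an assumption for a DLL payload); ws02 is an
# administrator running ipconfig and killing an editor, which must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "utc": "2022-12-01T10:00:05", "parent": "rundll32.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "ws01", "utc": "2022-12-01T10:00:06", "parent": "rundll32.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
                r" /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"host": "ws01", "utc": "2022-12-01T10:00:07", "parent": "rundll32.exe",
     "cmdline": "ipconfig"},
    {"host": "ws01", "utc": "2022-12-01T10:04:30", "parent": "rundll32.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\next.bat"},
    {"host": "ws01", "utc": "2022-12-01T10:04:31", "parent": "cmd.exe",
     "cmdline": "shutdown /r /t 0"},
    {"host": "ws02", "utc": "2022-12-01T11:15:00", "parent": "cmd.exe",
     "cmdline": "ipconfig /all"},
    {"host": "ws02", "utc": "2022-12-01T11:16:00", "parent": "cmd.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

Each indicator on its own is noisy (ipconfig and taskkill are routine administrative commands), so the rule only fires on the combination and the time window; tune MIN_INDICATORS and WINDOW to your own baseline, and note that the sleep() evasion leaves no process-creation trace and is only visible in sandbox timing or API telemetry.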