A Closer Look At BlackMagic Ransomware
The BlackMagic ransomware group uses a 64-bit DLL with a single function that carries out all of the ransomware's main functionality.
Upon execution, it calls sleep() multiple times to evade sandboxes that only run a sample for a limited time, kills specific processes with taskkill, adds a registry key that disables Task Manager, and collects the victim machine's IP addresses with the ipconfig utility.
Once file encryption is complete and the ransom note has been dropped, it creates a batch file named "next.bat" that deletes traces of the infection, kills further processes, and finally restarts the system while also deleting the ransomware itself.
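The behaviour chain above (taskkill, the Task Manager registry key, ipconfig, next.bat, the reboot and the self-delete) is a useful hunting signature because each step shows up in process-creation telemetry. The script below is an added example, not code from the original post or from the ransomware, that runs such a hunt over constructed sample events. It assumes "host|parent_image|image|command_line" records in the style of Sysmon Event ID 1, that the Task Manager key is the standard Windows policy value DisableTaskMgr, that the reboot is done with shutdown /r and that the self-delete is a del of the DLL; none of those specifics come from the page.

```python
"""Hunting the BlackMagic behaviour chain in process-creation telemetry.

Added example, not code from the original post or from the ransomware.
Assumptions (not taken from the page): telemetry is Sysmon Event ID 1 style
"host|parent_image|image|command_line" records, the Task Manager key is the
standard policy value DisableTaskMgr, the reboot uses shutdown /r, and the
self-delete is a plain del of the DLL.
"""
import re
from collections import defaultdict

# Each indicator is a regex run against the full command line.
INDICATORS = {
    "taskkill":        re.compile(r"\btaskkill(\.exe)?\b", re.I),
    "disable_taskmgr": re.compile(r"\breg(\.exe)?\s+add\b.*DisableTaskMgr", re.I),
    "ipconfig":        re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "next_bat":        re.compile(r"next\.bat\b", re.I),
    "reboot":          re.compile(r"\bshutdown(\.exe)?\b.*(/r|-r)\b", re.I),
    "self_delete":     re.compile(r"\bdel\b.*\.dll\b", re.I),
}

# Any single indicator is noisy (admins run taskkill and ipconfig too);
# a host is only flagged when several of them appear together.
MIN_HITS = 3

# Constructed sample telemetry, not real logs: one infected host (WS01)
# and one admin host (ADMIN02) doing ordinary work.
SAMPLE_EVENTS = """\
WS01|rundll32.exe|taskkill.exe|taskkill /F /IM sqlservr.exe
WS01|rundll32.exe|reg.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
WS01|rundll32.exe|ipconfig.exe|ipconfig /all
WS01|rundll32.exe|cmd.exe|cmd.exe /c C:\\Users\\Public\\next.bat
WS01|cmd.exe|shutdown.exe|shutdown /r /t 0
WS01|cmd.exe|cmd.exe|cmd /c del /f /q C:\\Users\\Public\\payload.dll
ADMIN02|explorer.exe|cmd.exe|cmd.exe /c ipconfig /all
ADMIN02|explorer.exe|taskkill.exe|taskkill /F /IM notepad.exe
"""


def parse_event(line):
    """Split one pipe-delimited record into its four fields."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_indicators(cmdline):
    """Return the set of indicator names whose regex hits this command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def hunt(text, min_hits=MIN_HITS):
    """Aggregate indicators per host and return hosts at or above the threshold.

    Returns {host: sorted list of indicator names} for flagged hosts only.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits[ev["host"]] |= match_indicators(ev["cmdline"])
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_hits}


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

On the sample data only WS01 is flagged; ADMIN02 trips two indicators and stays below the threshold. In production the per-host aggregation should be bounded by a time window, and correlating on a common parent process (the DLL's host process) tightens the rule further.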