A sophisticated new ransomware strain dubbed “Ebyte” targeting Windows systems across North America and Europe.
The ransomware has compromised thousands of systems since its detection three weeks ago, utilizing advanced encryption tactics that have challenged security experts.
Initial infection vectors primarily involve phishing emails containing malicious Office documents that exploit a recent Windows vulnerability (CVE-2025-0142).
These phishing attempts mimic legitimate business communications with unusually high success rates.
The messages typically appear as invoice reminders or shipping notifications from trusted business partners, containing documents that trigger the exploit when opened.
Once executed, the malware establishes persistence through registry modifications and scheduled tasks before disabling security tools and backup solutions.
The ransomware performs a thorough system scan before encryption, prioritizing business-critical files like databases and financial records.
This targeted approach suggests the attackers have specific knowledge of business operations to maximize potential ransom payments.
The malware has an unusual capability to identify and target network shares even when they’re not actively mapped to the infected system.
Initial forensic analysis by researchers at Cyfirma indicates that Ebyte may be linked to the threat actor group known as BlackShadow, previously responsible for attacks on healthcare and manufacturing sectors.
.webp)
The sophistication of the code and infrastructure suggests state-sponsored involvement, though attribution remains preliminary at this stage of investigation.
Analysis of Encryption Methodology
Ebyte implements a sophisticated hybrid encryption system combining ChaCha20 for file encryption with a unique 256-bit key for each victim.
This key is then encrypted using a 4096-bit RSA algorithm, making decryption without the ransom key virtually impossible.
The malware also incorporates anti-analysis features that detect debugging environments and virtual machines, terminating execution if such environments are detected.
The core encryption function reveals advanced obfuscation techniques designed to evade static analysis tools. When examining the decompiled code, researchers identified the primary encryption routine:
def encrypt_file(file_path, encryption_key):
nonce = os.urandom(12)
cipher = ChaCha20.new(key=encryption_key, nonce=nonce)
with open(file_path, ‘rb’) as file:
plaintext = file. Read()
ciphertext = cipher. Encrypt(plaintext)
with open(file_path + ‘.ebyte’, ‘wb’) as encrypted_file:
encrypted_file.write(nonce + ciphertext)
secure_delete(file_path)
.webp)
What makes Ebyte particularly concerning is its implementation of a secure key management system that generates unique encryption keys for each file.
These keys are then encrypted and stored in a custom file structure, preventing the development of universal decryption tools even if researchers manage to recover individual keys from memory.
The ransomware also attempts to delete shadow copies and disable Windows recovery features.
Ransom demands range from $50,000 to $2 million in Monero cryptocurrency, with victims directed to a Tor-based payment portal.
.webp)
The ransom note also threatens to publish exfiltrated data if payment isn’t received within 72 hours, indicating the attackers employ a double-extortion strategy.
Security experts recommend keeping systems patched, implementing email filtering, maintaining offline backups, and deploying advanced endpoint protection to mitigate this emerging threat.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
