BYEBY

Malware

⚠️ Overview

BYEBY is a ransomware family first observed in August 2023 by the Cybereason Nocturnus team, believed to be operated by a Russian-speaking threat group tracked as BYEBY RaaS. It is categorized as a Ransomware-as-a-Service (RaaS) model, where affiliates are recruited to deploy the ransomware in exchange for a cut of ransom payments. The malware targets Microsoft Windows systems and has been linked to initial access via compromised Remote Desktop Protocol (RDP) connections and phishing campaigns.

🔧 Technical Capabilities

BYEBY employs a multithreaded encryption routine using ChaCha20 for file encryption and RSA-4096 for key protection, ensuring rapid encryption of local and network shares. The ransomware propagates through Group Policy Objects (GPO) and PsExec to spread laterally across Windows domains, and it terminates over 100 system processes and services, including backup and antivirus software. Its command-and-control (C2) infrastructure uses Tor-based .onion domains for communication and ransom payment portals, and the malware employs API unhooking and process hollowing to evade detection by endpoint security solutions. Persistence is achieved through scheduled tasks and registry Run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

📜 History & Notable Incidents

The first major campaign occurred in September 2023, targeting manufacturing and healthcare organizations in North America and Europe. In October 2023, a U.S. healthcare provider suffered a reported extortion demand of $1.5 million, leading to patient data exposure. No CVEs are uniquely exploited by BYEBY, but it abuses legitimate tools like Advanced IP Scanner and NetScan for network reconnaissance. Law enforcement actions have not been publicly documented for this family as of early 2025.

🔍 Detection Indicators

Known file hashes include the sample SHA256 a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (example from Cybereason report). Behavioral indicators include the creation of a ransom note named BYEBY_README.hta, a mutex BYEBY_MUTEX_2023, and network connections to Tor .onion domains such as byebyrx.onion. Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\BYEBY are created, and the User-Agent string BYEBY/1.0 may appear in HTTP requests.
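As an added example (not code from the Cybereason report or from this page), the following Python checks constructed endpoint telemetry against the behavioral indicators listed above and only flags a host when several distinct indicators co-occur, since a lone .onion connection is weak evidence on its own; the "type=... key=value" event format and the hostnames are assumptions made for the example.

```python
import re

# Indicators exactly as the profile above lists them: ransom note, mutex,
# registry key, User-Agent and Tor C2. Each maps to (event type, field, pattern).
INDICATORS = {
    "ransom_note": ("file_create", "path", re.compile(r"(^|[\\/])BYEBY_README\.hta$", re.I)),
    "mutex": ("mutex_create", "name", re.compile(r"^BYEBY_MUTEX_2023$")),
    "registry_key": ("reg_create", "key", re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\BYEBY(\\|$)", re.I)),
    "user_agent": ("http", "ua", re.compile(r"^BYEBY/1\.0$")),
    "tor_c2": ("http", "dst", re.compile(r"\.onion$", re.I)),
}

# Constructed sample telemetry (assumed format, not a real product's log schema).
SAMPLE_EVENTS = [
    "type=file_create host=WS01 path=C:\\Users\\alice\\Desktop\\BYEBY_README.hta",
    "type=mutex_create host=WS01 name=BYEBY_MUTEX_2023",
    "type=reg_create host=WS01 key=HKEY_LOCAL_MACHINE\\SOFTWARE\\BYEBY",
    "type=http host=WS01 ua=BYEBY/1.0 dst=byebyrx.onion",
    "type=file_create host=WS02 path=C:\\Users\\bob\\Documents\\report.docx",
    "type=http host=WS02 ua=Mozilla/5.0 dst=example.com",
]


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values carry no spaces in this toy format."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_indicators(event):
    """Return the names of every BYEBY indicator this single event satisfies."""
    hits = []
    for name, (etype, field, pattern) in INDICATORS.items():
        if event.get("type") == etype and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def scan(lines):
    """Map host -> set of distinct indicator names observed in its events."""
    by_host = {}
    for line in lines:
        ev = parse_event(line)
        for name in match_indicators(ev):
            by_host.setdefault(ev.get("host", "?"), set()).add(name)
    return by_host


def triage(lines, min_distinct=2):
    """Hosts showing at least min_distinct indicator types; corroboration is
    required before treating a host as a likely BYEBY infection."""
    return sorted(h for h, names in scan(lines).items() if len(names) >= min_distinct)


if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("likely BYEBY:", triage(SAMPLE_EVENTS))
```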

☠️ Risk & Impact

BYEBY encrypts files with over 300 extensions, including .docx, .xlsx, .pdf, and database files, rendering systems inoperable until ransom is paid. Data exfiltration is common before encryption, with stolen data hosted on affiliate-controlled leak sites. The primary affected sectors are healthcare, manufacturing, and legal services, with average ransom demands between $100,000 and $2 million in Bitcoin.

🛡️ Mitigation

Defenses should include restricting RDP access to VPN connections protected by multi-factor authentication, implementing application whitelisting to block PsExec and other lateral movement tools, and deploying endpoint detection rules that flag the ChaCha20 encryption pattern and the BYEBY mutex. Regular offline backups and the use of Microsoft's 2023-released LSA protection policy can reduce the risk of full compromise.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.