BlackByte first launched its operation in July of 2021, breaching corporate networks to steal data and encrypt devices similar to other ransomware variants such as Lockbit 2.0. Since at least August 2021, the manufacturing, wholesale, retail, and legal services industries have been impacted by ransomware as a service (Raas). This ransomware operation had disappeared for a while but has now returned in 2022 with techniques utilized by LockBit and promoting its updated features such as their new data leak site. The group has been known to use phishing emails or exploit unpatched ProxyShell vulnerability in Microsoft Exchange Servers to gain the initial access into a system. The ransomware also tries to discourage victims from using the public decryptor, adding a warning message on their site and in ransom notes.