Hot glare of the spotlight doesn’t slow BlackByte ransomware gang

Crew's raids continue worldwide, Talos team warns

The US government's alert three months ago warning businesses and government agencies about the threat of BlackByte has apparently done little to slow down the ransomware group's activities.

Since March, the group, and other gangs using its malware, have continued to attack targets around the world, redesigning their website from which they leak data stolen from organizations, and snaring fresh victims, according to analysts at Talos, Cisco Systems' threat intelligence group.

"The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam," the threat hunters noted in a write-up Wednesday. "Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory."

That joint release [PDF] by the FBI and US Secret Service in February noted BlackByte's reach was international, and stated that since November 2021, the gang had compromised entities in at least three critical infrastructure sectors – government facilities, financial, and food and agriculture – in the United States.

The Talos researchers reckon BlackByte is one of what they call the "big game ransomware groups," those that target large and high-profile organizations by not only exfiltrating their data but also threatening to publicly leak it on dark-web websites if the marks don't pay the demanded ransom. The crew also runs a Tor-hidden .onion auction site where they sell stolen data, according to Unit42, Palo Alto Networks' threat hunting unit.

BlackByte appeared on the scene last summer and quickly made a name for itself among other well-known groups, such as REvil and Conti, by targeting entities in the United States and Europe in industry sectors like healthcare, energy, financial services, and manufacturing. In February, the group attacked a network of the San Francisco 49ers, encrypting data and leaking some files they claimed were stolen from the American football team.

Similar to some crews slinging ransomware like Lockbit 2.0, BlackByte avoids targeting systems that use Russian and other Eastern European languages, according to Unit42.

The group uses its ransomware for its own direct gain, and also makes it available to affiliates via a ransomware-as-a-service (RaaS) model. It ran into a challenge in October when cybersecurity vendor Trustwave released software that allowed BlackByte victims to decrypt their data for free. At the time, Trustwave researchers noted that BlackByte's ransomware was more rudimentary than that of other extortionists.

"Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES," Team Trustwave wrote. "To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files."

The cybercrooks apparently rebounded, to the point where the FBI and Secret Service in their alert outlined BlackByte's techniques and detailed a long list of indicators of compromise (IoC).

In an April blog post, Unit42 noted the gang's aggressive nature, including a 300 percent quarter-over-quarter increase in the final three months of 2021 in the number of attacks associated with its ransomware.

"BlackByte ransomware operators have been active since at least July 2021," the researchers wrote. "Due to the high-profile nature and steady stream of BlackByte attacks identified globally in early 2022, the operators and/or affiliates behind the service likely will continue to attack and extort organizations."

The Unit42 report echoes what the Talos researchers are seeing. The gang and its affiliates use phishing emails or a known ProxyShell vulnerability in unpatched Microsoft Exchange Servers – or flaws in vulnerable versions of SonicWall's VPN – to gain access into a system, according to Talos.

Once in, the bad actors install the AnyDesk remote management software to help them take control of Windows boxes, move laterally through the network, and escalate privileges.

"BlackByte seems to have a preference for this tool and often uses typical living-off-the-land binaries (LoLBins) besides other publicly available commercial and non-commercial software like 'netscanold' or 'psexec'," the Talos researchers wrote. "These tools are also often used by Administrators for legitimate tasks, so it can be difficult to detect them as a malicious threat."

Executing the ransomware itself "is the last step once they are done with lateral movement and make themselves persistent in the network by adding additional admin accounts," they wrote.

About 17 hours after the ransomware infection process starts, the compromised systems reboot and the ransom note BlackByteRestore.txt is displayed in Notepad.
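The intrusion chain Talos describes (AnyDesk installed, psexec and other LoLBins for lateral movement, extra admin accounts added, then the BlackByteRestore.txt note) gives defenders several signals that are individually noisy but telling in combination. The following is an added illustration, not Talos or Register code: it correlates those indicators per host over constructed sample log lines in an assumed "timestamp host source message" format, and flags a host when two or more distinct indicators appear or when the ransom note is seen at all.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). Assumed format: "<time> <host> <source> <message>".
SAMPLE_LOGS = """\
2022-05-01T02:10:11 WS01 service_install AnyDesk Service installed by user svc_backup
2022-05-01T02:35:40 WS01 process C:\\Tools\\psexec.exe \\\\FS02 -s cmd.exe
2022-05-01T02:36:02 FS02 process net.exe localgroup administrators helpdesk2 /add
2022-05-01T19:30:55 FS02 file_create C:\\Users\\Public\\BlackByteRestore.txt
2022-05-01T09:00:00 WS07 process net.exe localgroup administrators /add jdoe
2022-05-02T09:15:00 WS03 process C:\\Program Files\\AnyDesk\\AnyDesk.exe
"""

# Indicators drawn from the behaviour described in the article; names are ours.
INDICATORS = [
    ("anydesk", re.compile(r"anydesk", re.I)),
    ("psexec", re.compile(r"psexec", re.I)),
    ("admin_add", re.compile(r"localgroup\s+administrators\b.*/add", re.I)),
    ("ransom_note", re.compile(r"BlackByteRestore\.txt", re.I)),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_logs(text):
    """Yield (timestamp, host, source, message) for each well-formed line; skip malformed ones."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()

def indicators_per_host(text):
    """Map host -> set of indicator names matched in that host's messages."""
    hits = defaultdict(set)
    for _ts, host, _src, msg in parse_logs(text):
        for name, rx in INDICATORS:
            if rx.search(msg):
                hits[host].add(name)
    return dict(hits)

def flag_hosts(text, threshold=2):
    """Hosts with at least `threshold` distinct indicators, or any host where the ransom note appeared."""
    hits = indicators_per_host(text)
    return sorted(h for h, s in hits.items() if len(s) >= threshold or "ransom_note" in s)

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_LOGS):
        print(host, sorted(indicators_per_host(SAMPLE_LOGS)[host]))
```

A lone AnyDesk install or a single admin-group change is routine administration and is deliberately not flagged here; the value is in the co-occurrence on one host.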

BlackByte's persistence comes as the ransomware space continues to evolve. Kaspersky earlier this month noted a few trends in the field, including threat groups looking to become even more adaptable by developing cross-platform ransomware that can run on multiple architectures and operating systems. In addition, the ransomware ecosystem is becoming more industrialized, with ransomware tool kits being continuously improved to make data exfiltration easier and faster, and make rebranding tools simpler.

Gangs also are more likely to take sides in geopolitical conflicts, such as the ongoing invasion of Ukraine by Russia. ®
