Hot glare of the spotlight doesn’t slow BlackByte ransomware gang

Crew's raids continue worldwide, Talos team warns

The US government's alert three months ago warning businesses and government agencies about the threat of BlackByte has apparently done little to slow down the ransomware group's activities.

Since March, the group, and other gangs using its malware, have continued to attack targets around the world, redesigning their website from which they leak data stolen from organizations, and snaring fresh victims, according to analysts at Talos, Cisco Systems' threat intelligence group.

"The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam," the threat hunters noted in a write-up Wednesday. "Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory."

That joint release [PDF] by the FBI and US Secret Service in February noted BlackByte's reach was international, and stated that since November 2021, the gang had compromised entities in at least three critical infrastructure sectors – government facilities, financial, and food and agriculture – in the United States.

The Talos researchers reckon BlackByte is one of what they call the "big game ransomware groups," those that target large and high-profile organizations by not only exfiltrating their data but also threatening to publicly leak it on dark-web websites if the marks don't pay the demanded ransom. The crew also runs a Tor-hidden .onion auction site where they sell stolen data, according to Unit42, Palo Alto Networks' threat hunting unit.

BlackByte appeared on the scene last summer and quickly made a name for itself among other well-known groups, such as REvil and Conti, by targeting entities in the United States and Europe in industry sectors like healthcare, energy, financial services, and manufacturing. In February, the group attacked a network of the San Francisco 49ers, encrypting data and leaking some files they claimed were stolen from the American football team.

Like some other crews slinging ransomware, such as LockBit 2.0, BlackByte avoids targeting systems that use Russian and other Eastern European languages, according to Unit42.

The group uses its ransomware for its own direct gain, and also makes it available to affiliates via a ransomware-as-a-service (RaaS) model. It ran into a challenge in October when cybersecurity vendor Trustwave released software that allowed BlackByte victims to decrypt their data for free. At the time, Trustwave researchers noted that BlackByte's ransomware was more rudimentary than that of other extortionists.

"Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES," Team Trustwave wrote. "To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files."
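To make the weakness Trustwave describes concrete, here is an added illustration; it is not BlackByte's code and not Trustwave's decryptor. It compares a scheme that reuses one downloaded raw key for every file with one that draws a fresh key per file. AES is stood in for by an HMAC-SHA256 counter-mode keystream so the block needs only the Python standard library; the key-handling lesson is the same for any symmetric cipher. The file names, contents and the key are constructed for the example.

```python
"""Why a reused raw key makes a universal decryptor possible.

Added illustration. AES is replaced by an HMAC-SHA256 counter-mode
keystream so that this runs with the standard library alone; the point
is key management, not the cipher.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: HMAC-SHA256 over (nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Fresh 16-byte nonce per file, prepended to the ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# --- Scheme A: one raw key for every file (the weakness Trustwave described)
def encrypt_static_key(files: dict, raw_key: bytes) -> dict:
    return {name: encrypt_file(raw_key, data) for name, data in files.items()}


def universal_decryptor(encrypted: dict, raw_key: bytes) -> dict:
    """With the raw key in hand, every file on the host decrypts."""
    return {name: decrypt_file(raw_key, blob) for name, blob in encrypted.items()}


# --- Scheme B: a unique random key per file
def encrypt_per_file_key(files: dict) -> tuple:
    """Returns (ciphertexts, per-file keys). A real operator would wrap each
    key under a public key only they hold; here the keys are just kept
    aside so the difference from scheme A is visible."""
    keys = {name: os.urandom(32) for name in files}
    enc = {name: encrypt_file(keys[name], data) for name, data in files.items()}
    return enc, keys


def recovered_count(encrypted: dict, originals: dict, known_key: bytes) -> int:
    """How many files a single known key gets back intact."""
    return sum(decrypt_file(known_key, blob) == originals[name]
               for name, blob in encrypted.items())


# Constructed sample victim files (not real data)
SAMPLE_FILES = {
    "q1_invoices.xlsx": b"invoice 1001, 2022-01-14, 4500.00\n" * 4,
    "board_minutes.docx": b"Minutes of the board meeting held 2022-02-03.\n",
    "backup.sql": b"INSERT INTO users VALUES (1, 'alice');\n",
}


def demo() -> dict:
    # Constructed stand-in for key material carried in a downloaded file
    raw_key = hashlib.sha256(b"key material hidden in downloaded PNG").digest()
    enc_a = encrypt_static_key(SAMPLE_FILES, raw_key)
    enc_b, keys_b = encrypt_per_file_key(SAMPLE_FILES)
    first = next(iter(keys_b))  # suppose exactly one per-file key leaked
    return {
        "static_key_recovered": recovered_count(enc_a, SAMPLE_FILES, raw_key),
        "per_file_key_recovered": recovered_count(enc_b, SAMPLE_FILES, keys_b[first]),
    }


if __name__ == "__main__":
    print(demo())
```

With scheme A, recovering the one raw key (for BlackByte, reading the downloaded file) is enough to decrypt every file on the host, which is exactly what made a free decryptor feasible. With scheme B, a leaked key helps with one file only, so a defender's decryptor would need the operator's private key.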

The cybercrooks apparently rebounded, to the point where the FBI and Secret Service in their alert outlined BlackByte's techniques and detailed a long list of indicators of compromise (IoCs).

In an April blog post, Unit42 noted the gang's aggressive nature, including a 300 percent quarter-over-quarter increase in the final three months of 2021 in the number of attacks associated with its ransomware.

"BlackByte ransomware operators have been active since at least July 2021," the researchers wrote. "Due to the high-profile nature and steady stream of BlackByte attacks identified globally in early 2022, the operators and/or affiliates behind the service likely will continue to attack and extort organizations."

The Unit42 report echoes what the Talos researchers are seeing. The gang and its affiliates use phishing emails, the known ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers, or flaws in vulnerable versions of SonicWall's VPN to gain initial access, according to Talos.

Once in, the bad actors install the AnyDesk remote management software to help them take control of Windows boxes, move laterally through the network, and escalate privileges.

"BlackByte seems to have a preference for this tool and often uses typical living-off-the-land binaries (LoLBins) besides other publicly available commercial and non-commercial software like 'netscanold' or 'psexec'," the Talos researchers wrote. "These tools are also often used by Administrators for legitimate tasks, so it can be difficult to detect them as a malicious threat."

Executing the ransomware itself "is the last step once they are done with lateral movement and make themselves persistent in the network by adding additional admin accounts," they wrote.

About 17 hours after the ransomware execution starts, the compromised systems reboot and the ransom note BlackByteRestore.txt is displayed in Notepad.
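The Talos point is that none of these tools is malicious on its own. A practical way to handle that is to correlate the weak signals per host rather than alert on each one. The following is an added example, not Talos detection content or any product's rule set: it tags constructed Windows telemetry (Sysmon process-creation records and Security audit events 4720 and 4732, normalised to Python dicts) with the behaviours the article names, namely an AnyDesk silent install, the netscanold scanner, PsExec, `net user ... /add` and membership added to the local Administrators group, and only raises an alert when several distinct signals land on one host inside a window. Hostnames, paths, account names and timestamps are all constructed.

```python
"""Correlating BlackByte-style tradecraft per host.

Added example over constructed telemetry. A single PsExec or AnyDesk
launch is not an alert; several distinct signals on one host inside a
window are.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs.
EVENTS = [
    {"ts": "2022-05-10T09:02:11", "host": "WS-FIN-07", "kind": "process",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"ts": "2022-05-10T09:15:40", "host": "WS-FIN-07", "kind": "process",
     "image": r"C:\Tools\netscanold.exe",
     "cmdline": "netscanold.exe /range:10.10.0.0-10.10.255.255"},
    {"ts": "2022-05-10T09:41:03", "host": "WS-FIN-07", "kind": "process",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "2022-05-10T09:41:04", "host": "WS-FIN-07", "kind": "security",
     "event_id": 4720, "target": "svc_backup"},
    {"ts": "2022-05-10T09:41:09", "host": "WS-FIN-07", "kind": "process",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": "2022-05-10T09:41:10", "host": "WS-FIN-07", "kind": "security",
     "event_id": 4732, "group": "Administrators", "target": "svc_backup"},
    {"ts": "2022-05-10T10:05:22", "host": "WS-FIN-07", "kind": "process",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\SRV-FILE-01 -s cmd /c whoami"},
    # Benign: an administrator using PsExec on its own from a jump host
    {"ts": "2022-05-10T14:20:00", "host": "ADMIN-JUMP-01", "kind": "process",
     "image": r"C:\Sysinternals\PsExec.exe",
     "cmdline": r"PsExec.exe \\SRV-WEB-02 ipconfig /all"},
]


def _image(e: dict) -> str:
    return ntpath.basename(e.get("image", "")).lower()


def _cmd(e: dict) -> str:
    return e.get("cmdline", "").lower()


# Each rule is a weak signal on its own; names are this example's own.
RULES = {
    "remote_admin_tool_install": lambda e: e["kind"] == "process"
        and _image(e) == "anydesk.exe" and "--install" in _cmd(e),
    "network_scanner": lambda e: e["kind"] == "process"
        and _image(e) in {"netscanold.exe", "netscan.exe"},
    "psexec": lambda e: e["kind"] == "process"
        and _image(e) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
    "lolbin_account_add": lambda e: e["kind"] == "process"
        and _image(e) in {"net.exe", "net1.exe"} and " /add" in _cmd(e),
    "account_created": lambda e: e["kind"] == "security"
        and e.get("event_id") == 4720,
    "added_to_admins": lambda e: e["kind"] == "security"
        and e.get("event_id") == 4732
        and e.get("group", "").lower() == "administrators",
}


def tag_events(events: list) -> list:
    """Return (host, timestamp, rule_name) for every rule an event matches."""
    tagged = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        for name, rule in RULES.items():
            if rule(e):
                tagged.append((e["host"], ts, name))
    return tagged


def correlate(events: list, window: timedelta = timedelta(hours=24),
              min_signals: int = 3) -> dict:
    """Alert on hosts showing at least min_signals distinct behaviours
    within any sliding window of the given length."""
    per_host = defaultdict(list)
    for host, ts, name in tag_events(events):
        per_host[host].append((ts, name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            in_window = {n for ts, n in hits[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_signals:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, signals in correlate(EVENTS).items():
        print(host, signals)
```

The 24-hour window is deliberately generous: the article's timeline puts the reboot and ransom note around 17 hours after execution begins, and the tooling stages happen before that, so a short window would split the chain. The jump host that only ran PsExec never reaches the threshold, which is the behaviour the Talos caveat about administrators calls for.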

BlackByte's persistence comes as the ransomware space continues to evolve. Kaspersky earlier this month noted a few trends in the field, including threat groups looking to become even more adaptable by developing cross-platform ransomware that can run on multiple architectures and operating systems. In addition, the ransomware ecosystem is becoming more industrialized, with ransomware tool kits being continuously improved to make data exfiltration easier and faster, and make rebranding tools simpler.

Gangs also are more likely to take sides in geopolitical conflicts, such as the ongoing invasion of Ukraine by Russia. ®


Biting the hand that feeds IT © 1998–2022