Ransomware threats have been on the rise with an update in several technologies. Many threat actor groups have been providing RaaS based ransomware services to cybercriminals. The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) posted that as of November 2021, the BlackByte Ransomware has compromised several entities in the U.S Critical infrastructure sectors including government facilities, financial, food and agriculture. BlackByte is a RaaS (Ransomware as a Service) based ransomware group that targets encrypting files on compromised windows host systems and virtual servers.
BlackByte ransomware leaves a ransom note which contains a .onion site on all the encrypted directories. This .onion site provides the instructions for paying the ransom for the decryption key.
Certain victims reported a Microsoft Exchange Server vulnerability for gaining access inside the network. After infiltrating, they deploy several tools for moving inside the network and escalate privileges in order to encrypt files.
Unlike the old BlackByte versions, this new version doesn’t communicate with any IP address for encrypting the files. The local file directories C:\Windows\System32 and C:\Windows\ are used to create processes inside the victim machine.
IOC for BlackByte
The FBI has released certain list of suspicious files that are associated with BlackByte Ransomware.
Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
Additional files were found on
|%AppData%\BB.ico||This file is the icon given to files with a .blackbyte file extension.|
|%AppData%\BlackByteRestore.txt||This file is the ransom note that is left in every folder where files are encrypted.|
|%HOMEPATH%\complex.exe||This file is the ransomware executable.|
|%AppData%\dummy||This file is a text file containing a list of machine names that can be reached on the network.|
|Users\tree.dll||This file contains the message “Your HACKED by BlackByte team. Connect us to restore your system.” (SIC)|
There were also scheduled tasks at Windows/System32/Tasks
|C:\Users\<username>\complex.exe -single <SHA256>.||This command appears to launch the ransomware.|
|C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll.||This command attempts to open tree.dll in wordpad 75 times and then prints the contents.|
How to Mitigate?
- Regular Backup of all data and having password protected copies offline
- Implementing security controls on accessing machines inside a network
- Enabling reat-time antivirus detections and regular updates on antivirus
- Updating regular OS and software patches
- Analysing for unrecognised new accounts and reviewing them
- Routine audit on all accounts
- Disabling unused RDP ports and monitor for unusual activity
The FBI has also released several investigation reports for the BlackByte Ransomware which also includes hashes of files.