
BlackByte Ransomware Breached US Critical Infrastructure

Ransomware threats have been on the rise alongside advances in several technologies, and many threat actor groups now offer ransomware-as-a-service (RaaS) to cybercriminals. The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) reported that, as of November 2021, BlackByte ransomware had compromised several entities in U.S. critical infrastructure sectors, including government facilities, financial, and food and agriculture. BlackByte is a RaaS ransomware group whose malware encrypts files on compromised Windows hosts and virtual servers.

BlackByte Ransomware

BlackByte ransomware leaves a ransom note containing a .onion site address in every directory it encrypts. The .onion site provides instructions for paying the ransom in exchange for the decryption key.

Some victims reported that the attackers gained initial access to the network through a Microsoft Exchange Server vulnerability. After infiltrating the network, they deploy several tools to move laterally and escalate privileges before encrypting files.

Unlike older BlackByte versions, the new version does not communicate with any external IP address while encrypting files. Instead, it creates processes on the victim machine from the local directories C:\Windows\System32 and C:\Windows\.

IOC for BlackByte

The FBI has released a list of suspicious file paths associated with BlackByte ransomware:

Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium

Additional files were found at the following locations:

%AppData%\BB.ico This file is the icon given to files with a .blackbyte file extension.
%AppData%\BlackByteRestore.txt This file is the ransom note that is left in every folder where files are encrypted.
%HOMEPATH%\complex.exe This file is the ransomware executable.
%AppData%\dummy This file is a text file containing a list of machine names that can be reached on the network.
Users\tree.dll This file contains the message “Your HACKED by BlackByte team. Connect us to restore your system.” (SIC)

Scheduled tasks were also found under Windows\System32\Tasks with the following actions:

C:\Users\<username>\complex.exe -single <SHA256> This command appears to launch the ransomware.
C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll This command attempts to open tree.dll in WordPad 75 times and print its contents.
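The indicators above are only useful if they are checked against real hosts. The following script is an added example written for this article, not code released by the FBI/USSS or by the article's author: it matches a file listing and a dump of scheduled-task command lines against the file paths and task commands reproduced above. It assumes that %AppData% expands to ...\AppData\Roaming and %HOMEPATH% to \Users\<name>, and the sample inventory at the bottom is constructed for the demonstration (the 64-character hash is a placeholder, not a real BlackByte hash).

```python
"""Match a host's file paths and scheduled-task actions against the
BlackByte indicators listed in the FBI/USSS advisory reproduced above.
"""
import re

# Assumption: %AppData% expands to ...\AppData\Roaming and %HOMEPATH% to
# \Users\<name>, so the advisory's environment-variable paths are written
# here as regular expressions over the expanded form.
FILE_INDICATORS = [
    ("high", "BB.ico: icon assigned to .blackbyte files",
     re.compile(r"\\AppData\\Roaming\\BB\.ico$", re.I)),
    ("high", "BlackByteRestore.txt: ransom note",
     re.compile(r"\\AppData\\Roaming\\BlackByteRestore\.txt$", re.I)),
    ("high", "complex.exe in a user profile: ransomware executable",
     re.compile(r"^[A-Z]:\\Users\\[^\\]+\\complex\.exe$", re.I)),
    ("high", "dummy: list of reachable machine names",
     re.compile(r"\\AppData\\Roaming\\dummy$", re.I)),
    ("high", "tree.dll: 'Your HACKED by BlackByte team' message file",
     re.compile(r"^[A-Z]:\\Users\\tree\.dll$", re.I)),
    # The advisory also lists directories inside the Exchange front end and
    # the ASP.NET temporary-files tree. These are legitimate Exchange
    # locations, so a file there is flagged for review against a known-good
    # installation rather than reported as a confirmed detection.
    ("review", "file under an Exchange/ASP.NET path named in the advisory",
     re.compile(r"\\(Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth"
                r"|Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files"
                r"\\root\\e22c2559\\92c7e946)\\", re.I)),
]

TASK_INDICATORS = [
    ("high", "complex.exe -single <sha256>: launches the ransomware",
     re.compile(r"\\complex\.exe\s+-single\s+[0-9a-f]{64}\b", re.I)),
    ("high", "cmd for-loop printing tree.dll from WordPad 75 times",
     re.compile(r"cmd\.exe\s+/c\s+for\s+/l\s+%\w+\s+in\s+\(1,1,75\)\s+do\s+start\s+"
                r"wordpad\.exe\s+/p\s+\S*tree\.dll", re.I)),
]


def normalize_path(path):
    """Use backslashes and drop surrounding whitespace/quotes so that paths
    exported by different inventory tools compare the same way."""
    return path.strip().strip('"').replace("/", "\\")


def scan_files(paths):
    """Return (severity, indicator, path) for every file path that matches."""
    hits = []
    for raw in paths:
        path = normalize_path(raw)
        for severity, label, pattern in FILE_INDICATORS:
            if pattern.search(path):
                hits.append((severity, label, path))
    return hits


def scan_tasks(commands):
    """Return (severity, indicator, command) for every task action that matches.
    Command lines are not slash-normalized: /c, /l and /p are switches."""
    hits = []
    for raw in commands:
        cmd = raw.strip()
        for severity, label, pattern in TASK_INDICATORS:
            if pattern.search(cmd):
                hits.append((severity, label, cmd))
    return hits


def scan_host(paths, commands):
    """Combine both scans, listing 'high' hits before 'review' hits."""
    hits = scan_files(paths) + scan_tasks(commands)
    return sorted(hits, key=lambda h: 0 if h[0] == "high" else 1)


# Constructed sample inventory for the demonstration (not from a real host).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\BB.ico",
    r"C:\Users\alice\complex.exe",
    r"C:\Users\tree.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk",  # benign
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logo.png",
]
SAMPLE_TASKS = [
    r"C:\Users\alice\complex.exe -single " + "a" * 64,  # placeholder hash
    r"C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll",
    r"C:\Windows\System32\svchost.exe -k netsvcs",  # benign
]

if __name__ == "__main__":
    for severity, label, evidence in scan_host(SAMPLE_FILES, SAMPLE_TASKS):
        print(f"[{severity}] {label}\n    {evidence}")
```

Running the script against the constructed sample reports five high-severity hits (three files and both scheduled-task actions) and one review hit for the file under the Exchange themes directory; the benign entries produce nothing. In practice the file list would come from a filesystem walk or EDR export and the task actions from the XML under Windows\System32\Tasks.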

How to Mitigate?

  • Regular backups of all data, with password-protected copies kept offline
  • Implementing security controls on access to machines inside the network
  • Enabling real-time antivirus detection and keeping antivirus signatures regularly updated
  • Regularly applying OS and software patches
  • Checking for unrecognised new accounts and reviewing them
  • Routine audits of all accounts
  • Disabling unused RDP ports and monitoring for unusual activity

The FBI has also released several investigation reports on BlackByte ransomware, which include file hashes.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
