Ransomware threats have been on the rise alongside advances in several technologies, and many threat actor groups now offer RaaS (Ransomware as a Service) to other cybercriminals. The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) reported that, as of November 2021, BlackByte ransomware had compromised several entities in U.S. critical infrastructure sectors, including government facilities, financial, and food and agriculture. BlackByte is a RaaS-based ransomware group that encrypts files on compromised Windows hosts and virtual servers.
BlackByte ransomware leaves a ransom note containing a .onion site in every directory it encrypts. The .onion site provides instructions for paying the ransom in exchange for the decryption key.
Some victims reported that a Microsoft Exchange Server vulnerability was used to gain initial access to the network. After infiltrating, the attackers deploy several tools to move laterally and escalate privileges before encrypting files.
Unlike earlier BlackByte versions, this new version does not communicate with any IP address in order to encrypt files. Instead, it launches its processes from the local directories C:\Windows\System32 and C:\Windows\ on the victim machine.
The FBI has released a list of suspicious file locations associated with BlackByte ransomware:

Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
Additional files were found at:

| File | Description |
|---|---|
| %AppData%\BB.ico | This file is the icon given to files with a .blackbyte file extension. |
| %AppData%\BlackByteRestore.txt | This file is the ransom note that is left in every folder where files are encrypted. |
| %HOMEPATH%\complex.exe | This file is the ransomware executable. |
| %AppData%\dummy | This file is a text file containing a list of machine names that can be reached on the network. |
| Users\tree.dll | This file contains the message “Your HACKED by BlackByte team. Connect us to restore your system.” (sic) |
There were also scheduled tasks under Windows\System32\Tasks:

| Scheduled task command | Description |
|---|---|
| C:\Users\<username>\complex.exe -single <SHA256> | This command appears to launch the ransomware. |
| C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll | This command attempts to open tree.dll in WordPad 75 times and then prints the contents. |
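The file locations and scheduled-task commands above are the kind of artefacts a responder hunts for when triaging a host. The script below is an added example, not code from the page or from the FBI/USSS advisory: it turns those indicators into regular expressions and runs them over a list of file paths and scheduled-task command lines. The sample paths, the user name and the 64-character hash argument are constructed placeholders, and the two directory patterns deliberately flag every file beneath the listed Exchange and ASP.NET locations, so hits there still need to be reviewed against file creation times.

```python
import re
from typing import List, Tuple

# Indicators quoted on this page (FBI/USSS advisory), expressed as regular
# expressions over a normalized path: lowercase, backslashes only, with
# %AppData% and %HOMEPATH% expanded ("_" stands in for the user name).
FILE_PATTERNS = [
    (re.compile(r"\\appdata\\roaming\\bb\.ico$"),
     "BB.ico: icon assigned to .blackbyte files"),
    (re.compile(r"\\appdata\\roaming\\blackbyterestore\.txt$"),
     "BlackByteRestore.txt: ransom note"),
    (re.compile(r"\\appdata\\roaming\\dummy$"),
     "dummy: list of reachable machine names"),
    (re.compile(r"^([a-z]:)?\\users\\[^\\]+\\complex\.exe$"),
     "complex.exe: ransomware executable"),
    (re.compile(r"^([a-z]:)?\\users\\tree\.dll$"),
     "tree.dll: 'Your HACKED by BlackByte team' message"),
    # The two directory patterns flag *every* file beneath the listed
    # locations; triage hits by creation time, since the script cannot
    # tell legitimate Exchange or ASP.NET files from dropped ones.
    (re.compile(r"\\frontend\\httpproxy\\owa\\auth\\"),
     "file under the flagged Exchange owa\\auth directory"),
    (re.compile(r"\\temporary asp\.net files\\root\\e22c2559\\92c7e946"),
     "file under the flagged Temporary ASP.NET Files directory"),
]

# Scheduled-task command lines from the page, matched after lowercasing
# and collapsing whitespace. The SHA-256 argument is any 64 hex characters.
TASK_PATTERNS = [
    (re.compile(r"\\complex\.exe\s+-single\s+[0-9a-f]{64}(?![0-9a-f])"),
     "complex.exe -single <SHA256>: launches the ransomware"),
    (re.compile(r"for\s+/l\s+%x\s+in\s+\(1,1,75\)\s+do\s+start\s+"
                r"wordpad\.exe\s+/p\s+\S*\\tree\.dll"),
     "cmd.exe loop opening tree.dll in wordpad 75 times"),
]


def normalize_path(path: str) -> str:
    """Lowercase, unify separators, drop a trailing period and expand the
    two environment variables the advisory uses."""
    p = path.strip().rstrip(".").replace("/", "\\").lower()
    p = p.replace("%appdata%", r"c:\users\_\appdata\roaming")
    p = p.replace("%homepath%", r"\users\_")
    return p


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (original path, indicator label) for every path that matches."""
    hits = []
    for raw in paths:
        norm = normalize_path(raw)
        for pattern, label in FILE_PATTERNS:
            if pattern.search(norm):
                hits.append((raw, label))
                break
    return hits


def scan_tasks(commands: List[str]) -> List[Tuple[str, str]]:
    """Return (original command line, indicator label) for matching tasks."""
    hits = []
    for raw in commands:
        norm = " ".join(raw.lower().split())
        for pattern, label in TASK_PATTERNS:
            if pattern.search(norm):
                hits.append((raw, label))
                break
    return hits


# Constructed sample input (not real host data); the hash is a dummy value.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\BB.ico",
    r"%AppData%\BlackByteRestore.txt",
    r"%HOMEPATH%\complex.exe",
    r"C:\Users\tree.dll.",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\unknown.aspx",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\dummy",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_TASKS = [
    r"C:\Users\alice\complex.exe -single " + "0123456789abcdef" * 4,
    r"C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll",
    r"C:\Windows\System32\cmd.exe /c start wordpad.exe /p C:\Users\alice\Documents\notes.rtf",
]

if __name__ == "__main__":
    for raw, label in scan_paths(SAMPLE_PATHS) + scan_tasks(SAMPLE_TASKS):
        print(f"HIT  {label}\n     {raw}")
```

In practice the path list would come from a file-system walk or a forensic image listing, and the task commands from exporting the Task Scheduler library; the environment-variable expansion is there so indicators written with %AppData% and %HOMEPATH% still match the absolute paths such listings contain.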
The FBI has also released several investigation reports on BlackByte ransomware, which include the hashes of the associated files.