BlackByte ransomware has been used in recent attacks on at least three critical infrastructure sectors in the US. Available to bad actors as a Ransomware-as-a-Service (RaaS), BlackByte has been used in attacks against US and foreign businesses, including in critical infrastructure sectors such as government, financial, and food and agriculture, the FBI and US Secret Service warn.

The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide. BlackByte had some initial success: security researchers tracked attacks against the manufacturing, healthcare and construction industries in the US, Europe and Australia. The group's simplistic encryption techniques led some to believe that the ransomware was the work of amateurs, because the ransomware downloaded and used the same AES key to encrypt files rather than generating a unique key for each session.

BlackByte operators recently claimed to have obtained financial data from the San Francisco 49ers of the US National Football League (NFL) as a result of an attack that targeted the football team. Some victims, the joint advisory says, discovered that the attackers exploited a known Microsoft Exchange Server vulnerability to gain initial access to their environments.

The ransomware operators deployed tools that allowed them to move laterally on the network and attempted to elevate privileges before stealing and encrypting data. Following a BlackByte attack, the victim typically finds a ransom note in every directory where files were encrypted. The note instructs the victim to access a website on the Tor network to pay a ransom in exchange for the decryption key. There are clues that suggest BlackByte is based in Russia, since the ransomware, like REvil, is coded not to encrypt data on systems whose language is set to Russian or to a language of the Commonwealth of Independent States (CIS) countries. Even so, that should not be taken to mean the attack was carried out by individuals based in Russia or the CIS. In some incidents, files were only partially encrypted. "In cases where decryption is not possible, some data recovery can occur," the government advisory reads.

While previous versions of the ransomware downloaded a .png file before starting the encryption process, newer variants no longer communicate with external IP addresses.  The ransomware was observed spawning a process and injecting code into it, creating scheduled tasks and specific artifacts, dropping certain files, and executing specific commands.

The FBI-USSS joint advisory contains a long list of Indicators of Compromise (IoCs) associated with BlackByte, as well as recommendations on how organizations can mitigate the risk of ransomware.[1]

For the list of indicators, see:  https://www.ic3.gov/Media/News/2022/220211.pdf

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

[1] https://www.securityweek.com/fbi-warns-blackbyte-ransomware-attacks-critical-infrastructure