Since July 2021, numerous US, European, and Australian intrusions have been attributed to the BlackByte ransomware group. Attacks have been launched against manufacturing companies, financial services, key infrastructure providers, and most recently an American football club. BlackByte is believed to be headquartered in Russia because it’s meant to avoid organisations where the system default language is Russian or another language from the Commonwealth of Independent States. LMNTRIX CDC recently observed that BlackByte attackers used Microsoft Exchange Server ProxyShell & Proxylogon vulnerabilities to gain initial access as part of the infection process.
The malware is coded in Golang which has become popular among threat actors in the last 3 years.
Targets: BlackByte ransomware has infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam.
Impact of Blackbyte Ransomware
Numerous users in Russia have had their accounts hacked by the Blackbyte ransomware variant. Tens of thousands of email accounts have been compromised as a result of an attack on the largest web mail service in the nation using this malware as a service. According to the FBI’s Joint Cyber Security Advisory, “BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.” In order to develop a more effective protection strategy against BlackByte, it is helpful to be aware of the major steps it takes to infiltrate target networks.
Initial Access Phase
The BlackByte group’s playbook, much like Conti ransomware group, focuses on exploiting known vulnerabilities in public-facing server infrastructures such as Exchange. The fact that traffic to and from these services has been encrypted with the transport layer security makes detecting exploitation attempts difficult for most of the security controls deployed by a typical SMB organization.
Organizations should keep an eye out for and patch any vulnerabilities affecting publicly accessible infrastructure, such as Proxy Shell and Proxy Logon, which is used by BlackByte group. Security teams should be vigilant and, whenever possible, monitor encrypted communication, such as TLS 1.2 and 1.3 with full fidelity request forwarding, to make sure that attackers cannot conceal their attempts at exploitation.
Exploitation by BlackByte
Like many cyber criminals, the BlackByte gang depends on Cobalt Strike toolkit to supply the essential components for their attack, exploitation, or post-exploitation stages. After successfully breaching your perimeter defense, an attacker will concentrate and start intelligence gathering on the inside, next steps of lateral movement, and privilege escalation during the post exploitation phase will follow. Communicating later with the designated command and control server, another round of recon and/or evasion is inevitable, as these capabilities are offered by penetration testing tools like Cobalt Strike in a beautifully packaged manner even to a non-technical attacker. Ransomware groups like BlackByte are able to quickly move laterally, compromise many systems, and disable security features like EDR and remote logging by utilizing packaged tools and well-known attack vectors. Due to the lack of attention given to internal network security, in terms of detection and response, it has always been challenging to identify the lateral movement and off-the-grid approaches. Many companies are trying to encrypt all internal traffic, which exacerbates a difficult situation by widening the visibility gap and giving attackers more time.
A BlackByte ransomware affiliate recently started using “ExByte“, an info-stealer to steal data from Windows devices quickly. ExByte allows BlackByte ransomware to upload exfiltrated data to mega.co.nz for double extortion. BlackByte as well as other ransomware gain unauthorized access, steal data from victims and threaten to delete, OR leak data unless they get paid.
Cyber Defense Tactics To Slow Down BlackByte
Security Operation teams must adopt visibility and detection techniques like strategic decryption with the presumption that their network has already been infiltrated. Decryption of frequently exploited protocols, such as SMBv3, MS-RPC, NTLM, and Kerberos, is essential for limiting an attacker’s capacity to operate covertly and assisting in the discovery of harmful behavior. Speed of incident response is a real factor when it comes to responding while combating harmful attacks such as Blackbyte. It is crucial to decisively take action to limit the spread of malicious behavior, but it’s also equally crucial to make sure that the action is precise enough to reduce any unintended damage to an organization’s infrastructure.
Security tools can identify malicious behavior by detecting lateral movement, network enumeration, and efforts to some extent. However, as companies try to expand encryption to internal network traffic, many IT / Security Operation teams are losing sight of these strategies. Integrating security products like endpoint detection next-gen antivirus, network detection and response (NDR), with traditional and web application firewalls, cloud based SSO for identity and access management (IAM), machine learning, threat intelligence and a unified control such as eXtended Detection & Response (XDR) can ensure security operation teams respond swiftly to malicious activity with greater control.
BlackByte Ransomware Attack
In addition to encrypting local file systems and network file sharing, ransomware attacks also commonly steals data that is essential to business operations before encrypting it. For defenders, with little to no visibility, this offers a variety of potential detection challenges.
A late-stage sign of many ransomware attacks, including BlackByte, is the exfiltration of data to anonymous file-sharing websites. BlackByte is infamous for uploading substantial amounts of customer data to file-sharing websites which they later exploit to demand further payments from their victims. It would be noteworthy to mention, that a good XDR solution can spot every step of the attack from initial access to data exfiltration.
Encryption of network file shares, like data exfiltration, generates distinct traffic patterns that good security products can use to detect “active” ransomware activity. In the case of BlackByte, the ransomware creates ransom notes with instructions on how to contact the attackers, pay the ransom, and decrypt the user’s files.
Following are examples of anonymizer websites used by BlackByte,
We have outlined a few simple Indicators of Compromise, for BlackByte that anybody can use;
- BlackByte_restoremyfiles.hta – the ransomware note
- Encrypted files with the extension “*.blackbyte”
Mitigation Strategy for BlackByte
Conventional prevention strategies often lack the capability required to stop a ransomware infection. LMNTRIX recommends the company to use better access controls, segment the network and training users to identify phishing attempts on a regular basis. That being said, the complexity of implementing and managing a security program and, the limited gains associated with user training as a partially effective strategy can’t be ruled out.
LMNTRIX believes that businesses must understand that a layered approach to cyber security is still required to defend against advanced attackers, such as BlackByte. Instead of adopting a post-compromise security mindset, organisations should develop a process and leverage tooling to detect attackers at every stage of the kill chain (think XDR). This includes endpoint detection and response, NGAV, threat intelligence, machine learning, underground intelligence, and network detection and response (or network visibility tools), which are required to detect cyber intrusions and lateral movement, allowing Security and Operations teams to slow down an attack before a full-scale breach can occur. No single security product is capable of addressing the breadth of the modern threat landscape. As part of your security program, your company must constantly evaluate the IT organization’s security posture, and adapt as conditions evolve.
General mitigation steps, for Ransomware, according to LMNTRIX playbook are as follows:
- Implement regular backups of all data to be stored as password protected copies offline.
- Ensure these copies are not accessible for modification or deletion, from any system where the original data resides.
- Implement network segmentation such as VLAN, a control that ensures all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus and EDR software on all hosts, enable real time detection and take action when you see an alert. Triage the alert, validate and close the incident ticket with proper containment and remediation steps.
- Install security updates & patch your operating systems, software, and firmware as soon as updates/patches are released by the vendors.
- Audit all user accounts with administrative privileges and configure access controls with the principle of least privilege in mind. Do NOT give administrative privilege to all users.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Disable HTML email, and remove any/all hyperlinks in received emails.
- Use double authentication, or a MFA control, when logging into accounts or services.
- Ensure that routine security auditing is conducted for all accounts.
- Ensure all the identified IOCs are fed into the network firewall, web app firewall, EDR, IDS/IPS, SIEM for continuous monitoring, and stay vigilant when an alert pops up. Use your incident response process to validate alerts, prioritize alerts and remediate security threats.
BlackByte is considered as one of the “big game” ransomware groups, they target large and high-profile organizations by not only exfiltrating their data, but also threatening to publicly leak it on dark-web websites, if the unsuspecting mark doesn’t pay the demanded ransom amount.
We would like to conclude, with a sober note, a ransomware group has needs that must be met in order to be successful. In order to compromise your systems, network and data, the attacker needs to obtain unauthorized access to the “target” systems, storing critical / confidential data. The attackers must then establish command and control, identify weak points within your network, and move laterally.
LMNTRIX strongly believes, with a steady stream of BlackByte attacks identified globally in early 2022, the human operators behind the Ransomware as a Service are likely to continue to attack and extort organizations increasingly in the near future. A security control such as XDR, operated by a skilled human team, will have an opportunity to counter the ransomware operators at every step to detect, contain, respond & remediate emerging threats before they can cause significantly costly breaches.
Vulnerabilities exploited by the Blackbyte Group;
|CVE Number||CVSS Score||Vulnerability|
|CVE-2021-34473||9.8 (Critical)||Microsoft Exchange Server Remote Code Execution Vulnerability|
|CVE-2021-34523||9.8 (Critical)||Microsoft Exchange Server Elevation of Privilege Vulnerability|
|CVE-2021-31207||7.2 (High)||Microsoft Exchange Server Security Feature Bypass Vulnerability|
Anti Analysis Checks performed by BlackByte Ransomware;
BlackByte can detect standard analysis tools and intends to evade them, using the standard API checks, the malware calls the IsDebuggerPresent and CheckRemoteDebuggerPresent API. This development makes BlackByte and its affiliates more dangerous, especially since the Exbyte program checks to make sure it is not in an analysis environment before stopping, making it hard to detect/debug.
It also performs checks for the following traditional antivirus software,
The BlackByte sample we examined also calls NetSetInformationThreadW with undocumented value ThreadHideFromDebugger to hide the main thread from debuggers. Threat actors behind Blackbyte and similar ransomware groups want to make it more difficult for security researchers to analyze the malware sample, and hence the anti-analysis checks.
Indicators of Compromise for Detecting BlackByte Ransomware
Registry Keys Added
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
This lab article is a living blog post… We will update this blog post, as appropriate.