The FBI and US Secret Service released an advisory regarding BlackByte ransomware, which compromised multiple US and foreign businesses, including three entities that are part of US critical infrastructure. These three unnamed entities belonged to the government, financial, and food and agriculture verticals. The threat actors behind BlackByte also claimed they hacked networks belonging to the San Francisco 49ers in mid-February 2022.
What is BlackByte Ransomware?
BlackByte was observed in the wild as early as July 2021 and appears to be operated as a ransomware as a service (RaaS) model. The FBI and Secret Service advisory states BlackByte targets Windows systems and encrypts files on both physical and virtual servers. In some cases, the initial infection vector was an unspecified Microsoft Exchange Server vulnerability. A late 2021 blog post by Red Canary noted BlackByte using ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 to gain initial access.
Trustwave profiled BlackByte ransomware in late 2021, after discovering the malware during incident response. They noted several defining characteristics of BlackByte ransomware:
- The JScript launcher for BlackByte uses what appears to be garbage code to obfuscate the real code.
- BlackByte is a ransomware family that, like REvil and several others, avoids infecting machines using Russian or ex-USSR language packs.
- BlackByte’s worm functionality is similar to that of Ryuk ransomware.
- BlackByte creates a wake-on-LAN magic packet to send to the victim machine to make sure it is alive during the infection process.
- The threat actors responsible for BlackByte hosted the encryption key on a remote HTTP server, in a hidden file with a .PNG extension.
- The threat actors included a feature triggering a crash if the program fails to download the encryption key.
- BlackByte uses an RSA public key embedded in its body only once, to encrypt the raw key that is displayed in the ransom note.
- BlackByte only uses one symmetric AES key for file encryption.
- Despite BlackByte having no exfiltration functionality, it links the victim to an auction site to scare the victim into paying the ransom to avoid a data leak.
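As an added illustration of the wake-on-LAN behaviour listed above (this is example code written for this page, not code from the advisory, Trustwave, or PolySwarm), the following Python parser recognises the magic-packet format in captured UDP payloads so that WoL traffic from unexpected hosts can be baselined and alerted on. The UDP records, source addresses and target MACs are constructed sample values.

```python
from typing import List, Optional, Tuple

# Wake-on-LAN magic packet: 6 x 0xFF sync stream, then the target MAC repeated 16 times.
SYNC = b"\xff" * 6
MAC_LEN = 6
REPEATS = 16


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as colon-separated hex when the payload carries a
    well-formed magic packet, otherwise None.  The sync stream may be preceded
    by other bytes and followed by an optional SecureOn password, so every
    occurrence of the sync stream is tried."""
    pos = payload.find(SYNC)
    while pos != -1:
        body = payload[pos + len(SYNC): pos + len(SYNC) + MAC_LEN * REPEATS]
        mac = body[:MAC_LEN]
        # The 96 bytes after the sync stream must be 16 identical copies of the
        # target MAC; an all-0xFF "MAC" is just more sync bytes, not a target.
        if len(body) == MAC_LEN * REPEATS and body == mac * REPEATS and mac != SYNC:
            return ":".join(f"{b:02x}" for b in mac)
        pos = payload.find(SYNC, pos + 1)
    return None


# Constructed UDP records: (source IP, destination port, payload).  Hypothetical values.
SAMPLE_RECORDS: List[Tuple[str, int, bytes]] = [
    ("10.0.5.21", 9, SYNC + bytes.fromhex("001122334455") * REPEATS),                  # plain magic packet
    ("10.0.5.22", 7, SYNC + bytes.fromhex("aabbccddeeff") * REPEATS + b"\x01" * 6),    # with SecureOn password
    ("10.0.5.23", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00"),  # DNS query, not WoL
    ("10.0.5.24", 9, b"\xff" * 102),                                                      # all-0xFF: no valid target
]


def find_wol_senders(records) -> List[Tuple[str, str]]:
    """Return (source IP, target MAC) for every record carrying a magic packet.
    WoL is legitimate from management hosts, so compare the senders against
    that baseline rather than alerting on every hit."""
    hits = []
    for src, _port, payload in records:
        mac = parse_magic_packet(payload)
        if mac is not None:
            hits.append((src, mac))
    return hits


if __name__ == "__main__":
    for src, mac in find_wol_senders(SAMPLE_RECORDS):
        print(f"magic packet from {src} targeting {mac}")
```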
According to the government advisory, a newer version of BlackByte encrypts without communicating with any external IP addresses, and process injection has been observed on processes it creates.
Trustwave has provided a decryption key for BlackByte.
PolySwarm has multiple samples associated with BlackByte ransomware.