The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

BlackByte Ransomware Targets Critical Infrastructure

Mar 1, 2022 2:42:23 PM / by PolySwarm Tech Team

BlackByte Ransomware Targets Critical Infrastructure_Twitter
Background

The FBI and US Secret Service released an advisory regarding BlackByte ransomware, which compromised multiple US and foreign businesses, including three entities that are part of US critical infrastructure. These three unnamed entities belonged to the government, financial, and food and agriculture verticals. The threat actors behind BlackByte also claimed they hacked networks belonging to the San Francisco 49ers in mid-February 2022.


What is BlackByte Ransomware?

BlackByte was observed in the wild as early as July 2021 and appears to be operated as a ransomware as a service (RaaS) model. The FBI and Secret Service advisory states BlackByte targets Windows systems and encrypts files on both physical and virtual servers. In some cases, the initial infection vector was an unspecified Microsoft Exchange Server vulnerability. A late 2021 blog post by Red Canary noted BlackByte using ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 to gain initial access.


Trustwave profiled BlackByte ransomware in late 2021, after discovering the malware during incident response. They noted several defining characteristics of BlackByte ransomware:

  • The JScript launcher for BlackByte uses what appears to be garbage code to obfuscate the real code.
  • BlackByte is a ransomware family that, like REvil and several others, avoids infecting machines using Russian or ex-USSR language packs. 
  • BlackByte’s worm functionality is similar to that of Ryuk ransomware. 
  • BlackByte creates a wake-on-LAN magic packet to send to the victim machine to make sure it is alive during the infection process.
  • The threat actors responsible for BlackByte hosted the encryption key in a remote HTTP server and in a hidden file with .PNG extension.
  • The threat actors included a feature triggering a crash if the program fails to download the encryption key.
  • BlackByte uses an RSA public key embedded in the body only once to encrypt the raw key to display in the ransom note.
  • BlackByte only uses one symmetric AES key for file encryption. 
  • Despite BlackByte having no exfiltration functionality, it links the victim to an auction site to scare the victim into paying ransom to avoid data leaks. 

According to the government advisory, a newer version of BlackByte encrypts without communicating with any external IP addresses, and process injection has been observed on processes it creates.

Trustwave has provided a decryption key for BlackByte.

IOCs

PolySwarm has multiple samples associated with BlackByte ransomware.


Hashes

1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e

C22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

884e96a75dc568075e845ccac2d4b4ccec68017e6ef258c7c03da8c88a597534

829751cfdc2376e916244f94baf839ce4491ccb75f0a89778c092bde79bd8643



Contact us athivemind@polyswarm.io| Check out our blog| Subscribe to our reports

Topics: Threat Bulletin, Critical Infrastructure, BlackByte, Ransomware

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts