The BlackByte ransomware group has shown remarkable adaptability in its operations by merging long-standing tactics with newly identified vulnerabilities to perpetuate ongoing cyberattacks. This blend of traditional and innovative approaches exemplifies the group's persistent threat in the cybersecurity landscape.
"Talos also assesses that the BlackByte group is more active than its data leak site may imply, where only 20 to 30 percent of successful attacks result in an extortion post," said Cisco Talos Incident Response. This statement underscores the hidden scale of BlackByte's operations, suggesting that many of their attacks go unreported.
Recent investigations into BlackByte activities have revealed significant iterations in their ransomware deployment, particularly the use of the file extension "blackbytent_h" for encrypted files. The group has also altered its methods by introducing four vulnerable driver files instead of the previously noted three and leveraging victim Active Directory credentials for self-propagation. "Talos IR observed a new iteration of the BlackByte encryptor that appends the file extension 'blackbytent_h' to encrypted files," noted the Talos team.

Departing from its established methodologies, BlackByte has also begun targeting known vulnerabilities such as CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, shortly after its disclosure. "BlackByte using techniques that depart from their established tradecraft, such as exploiting CVE-2024-37085, shows the group's willingness to adapt and evolve," said Talos IR.
Furthermore, instead of resorting to commercial remote administration tools like AnyDesk, BlackByte has been utilizing a victim's legitimate remote access mechanisms. This strategic shift not only complicates detection but also optimizes their operations by embedding themselves within the victim’s environment.
Described as a ransomware-as-a-service (RaaS) group and an offshoot of the notorious Conti ransomware faction, BlackByte emerged around 2021. Their operational tactics include abusing vulnerable drivers to bypass security controls and deploying self-propagating ransomware that behaves like a worm. This has been evidenced by their use of known-good system binaries and legitimate tools to augment their attack chains.
"The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception," remarked the Talos team. Their continuous refinement of ransomware binaries in various programming languages indicates a commitment to innovative, efficient attack strategies.

Talos Incident Response's investigations uncovered notable parallels between indicators of compromise (IOCs) from recent BlackByte attacks and previous events documented in their global telemetry. "Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft," said the Talos team, highlighting the group's evolving nature and operational secrecy.
In analyzing the mechanisms of initial access during a recent attack, Talos IR noted that the perpetrators gained entrance using valid VPN credentials. They indicated, "The initial account compromised by the adversary had a basic naming convention and, reportedly, a weak password," which may have made the organization vulnerable.
While questions remain about how these credentials were acquired, whether through brute force or prior knowledge, the available observations suggest that brute-force attempts enabled by internet scanning were the likely route. "BlackByte has a history of scanning for and exploiting public-facing vulnerabilities, such as the ProxyShell vulnerability in Microsoft Exchange server," added the Talos team, illustrating the group's historical tactics.
The espionage tactics employed by BlackByte were further evidenced after the group escalated privileges and compromised Domain Admin-level accounts. Utilizing these accounts, they accessed the organization’s VMware vCenter server to create new Active Directory domain objects and added additional accounts to an Admin group.
In conclusion, BlackByte continues to demonstrate a willingness to adapt and evolve its strategies, indicating that organizations remain at serious risk. Their sophisticated techniques, successful exploitation of vulnerabilities, and reliance on social engineering tactics suggest that ongoing vigilance is essential for corporations to safeguard against such threats. As the cyber threat landscape continues to shift, the BlackByte ransomware group's activities provide critical insights into the state of modern ransomware tactics and the need for robust cybersecurity measures.