OVERVIEW
The BlackByte Ransomware variant was first publicly recognized in July of 2021, spawned by a threat group of the same moniker. The variant is distributed as Ransomware as a Service and has targeted government, manufacturing, healthcare, food, finance, and construction organizations worldwide - countries and regions observed to be targeted include the United States, Europe and Australia. TTPs seen used by the variant include ProxyShell exploitation and utilization of Cobalt Strike, as well as common ransomware techniques such as deletion of shadow copies, exfiltration for extortion and "print bombing".
TARGETING
Since BlackByte Ransomware is considered a Ransomware as a Service, targeting will depend on the actor utilizing the variant - however, it has been seen utilized against government, manufacturing, healthcare, food, finance, and construction organizations worldwide.
DELIVERY
Initial access is achieved by exploiting ProxyShell vulnerabilities on Exchange servers. The payload is then delivered into the environment via Cobalt Strike beacons that were initially dropped on the compromised Exchange servers.
INSTALLATION
After the variant is dropped, the already existing Cobalt Strike beacon executes the payload in the environment, launching it from the command line with the "-single" parameter.
PERSISTENCE
Persistence is achieved via modification of registry values and inhibition of defense and recovery tools.
COMMUNICATION
Communication has been observed occurring via Cobalt Strike beacon, as well as the BlackByte process.
Threat Update - 11 Feb 2022
Threat Summary
The BlackByte Ransomware variant was first publicly recognized in July of 2021, spawned by a threat group of the same moniker. The group is considered a Ransomware as a Service group that has targeted government, manufacturing, healthcare, food, finance, and construction organizations worldwide - countries and regions observed to be targeted include the United States, Europe and Australia. In mid-2021, the cybersecurity firm Trustwave released a decryption tool that neutered the ransomware by allowing victims to recover their files for free. This led to the threat group withdrawing the variants that used the encryption tactics affected by the release.
Most recently, BlackByte publicly re-emerged in February of 2022, compromising servers belonging to the San Francisco 49ers of the National Football League and threatening to release hundreds of billing statements that the 49ers had sent to their partners and affiliates. The variant has been observed to exploit Microsoft Exchange servers by abusing ProxyShell vulnerabilities that allow Remote Code Execution on the server. BlackByte Ransomware has been regarded as "not as sophisticated" as other variants, with observers pointing to its encryption techniques and general TTPs (Tactics, Techniques and Procedures) - however, with the FBI and the Secret Service issuing a joint statement warning of the group going on a "Hacking Spree" in the past three months, they are worth the time to understand and prepare for.
Threat Synopsis
In February 2022, the BlackByte threat group and its ransomware-as-a-service variant re-emerged, compromising servers belonging to the San Francisco 49ers of the National Football League. The variant employs TTPs that are not groundbreaking but are effective nevertheless, and the group has been very active as of late (per the joint statement from the FBI and Secret Service). At the outset, the variant exploits ProxyShell vulnerabilities on Microsoft Exchange servers in order to gain initial access and Remote Code Execution capabilities. These vulnerabilities allowed the actors to drop web shells on the servers, which were then utilized in post-exploitation.
After initial access is achieved, the actors dropped Cobalt Strike beacons on the compromised Exchange server and initiated process injection into the Windows Update Agent (wuauclt.exe). Cobalt Strike was also utilized for credential dumping and for proliferation via AnyDesk installation and abuse of "Admin$" share folders. It was further abused to pull in and execute the BlackByte Ransomware, which immediately disables tools such as Windows Defender (via an obfuscated PowerShell command) and Task Manager. Privilege escalation via registry modifications then occurs, and BlackByte prepares itself for lateral movement and further infection by abusing living-off-the-land tools such as "netsh", "advfirewall", and "net view" in order to perform reconnaissance.
Subsequently, BlackByte deletes shadow copies and Raccine-related scheduled tasks in preparation for encryption, inhibiting recovery mechanisms before moving forward. Like other ransomware actors, they also exfiltrate compressed local data for extortion purposes. Encryption then ensues, with a ransom note observed to be titled "BlackByte_restoremyfiles.hta" and print bombing used to make all connected printers print the ransom note at the top of every hour after successful execution.
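The chain described in the synopsis above (launch with "-single", wuauclt.exe spawning a child, netsh advfirewall and net view reconnaissance, shadow copy deletion, Raccine task removal) can be turned into simple process-creation detection logic. The following is an added example, not code from the original write-up or from any vendor tooling; the event lines, the payload name and the regexes are constructed for illustration, and the chain threshold of three distinct behaviours is an assumed tuning value.

```python
import re

# Constructed sample process-creation events, NOT real BlackByte telemetry.
# Format per line: parent_image|image|command_line
SAMPLE_EVENTS = [
    "svchost.exe|wuauclt.exe|wuauclt.exe",
    "wuauclt.exe|payload.exe|C:\\Users\\Public\\payload.exe -single",
    "payload.exe|netsh.exe|netsh advfirewall set allprofiles state off",
    "payload.exe|net.exe|net view /domain",
    "payload.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "payload.exe|schtasks.exe|schtasks /delete /tn \"Raccine Rules Updater\" /f",
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

# Command-line rules, each tied to a behaviour named in the write-up.
CMD_RULES = [
    ("single_flag", re.compile(r"\s-single(\s|$)", re.I)),          # "-single" launch parameter
    ("firewall_tamper", re.compile(r"\bnetsh\b.*\badvfirewall\b", re.I)),
    ("share_recon", re.compile(r"\bnet\s+view\b", re.I)),
    ("shadow_delete", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("raccine_task_delete", re.compile(r"\bschtasks\b.*/delete.*raccine", re.I)),
]
# Assumed tuning value: this many distinct behaviours on one host is treated as a chain.
CHAIN_THRESHOLD = 3

def parse_event(line):
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def match_rules(ev):
    """Return the names of every rule this single event triggers."""
    names = [name for name, rx in CMD_RULES if rx.search(ev["cmd"])]
    # Structural rule: the Windows Update Agent spawning a child process is abnormal
    # and fits the injection into wuauclt.exe described in the synopsis.
    if ev["parent"] == "wuauclt.exe":
        names.append("wuauclt_child")
    return names

def triage(lines):
    """Return (hits, verdict); hits is a list of (image, rule) pairs."""
    hits = [(ev["image"], r) for ev in map(parse_event, lines) for r in match_rules(ev)]
    distinct = {r for _, r in hits}
    verdict = "likely_chain" if len(distinct) >= CHAIN_THRESHOLD else ("suspicious" if hits else "clean")
    return hits, verdict

if __name__ == "__main__":
    hits, verdict = triage(SAMPLE_EVENTS)
    for image, rule in hits:
        print(f"{image:<14} {rule}")
    print("verdict:", verdict)
```

Individual rules (especially net view and netsh) are noisy on their own; the verdict is only raised when several distinct behaviours co-occur.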