Skip links

Hot glare of the spotlight doesn’t slow BlackByte ransomware gang

The US government’s alert three months ago warning businesses and government agencies about the threat of BlackByte has apparently done little to slow down the ransomware group’s activities.

Since March, the group, and other gangs using its malware, have continued to attack targets around the world, redesigning their website from which they leak data stolen from organizations, and snaring fresh victims, according to analysts at Talos, Cisco Systems’ threat intelligence group.

“The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam,” the threat hunters noted in a write-up Wednesday. “Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory.”

That joint release [PDF] by the FBI and US Secret Service in February noted BlackByte’s reach was international, and stated that since November 2021, the gang had compromised entities in at least three critical infrastructure sectors – government facilities, financial, and food and agriculture – in the United States.

The Talos researchers reckon BlackByte is one of what they call the “big game ransomware groups,” those that target large and high-profile organizations by not only exfiltrating their data but also threatening to publicly leak it on dark-web websites if the marks don’t pay the demanded ransom. The crew also runs a Tor-hidden .onion auction site where they sell stolen data, according to Unit42, Palo Alto Networks’ threat hunting unit.

BlackByte appeared on the scene last summer and quickly made a name for itself among other well-known groups, such as REvil and Conti, by targeting entities in the United States and Europe in industry sectors like healthcare, energy, financial services, and manufacturing. In February, the group attacked a network of the San Francisco 49ers, encrypting data and leaking some files they claimed were stolen from the American football team.

ransomware attaack

Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware


Similar to some crews slinging ransomware like Lockbit 2.0, BlackByte avoids targeting systems that use Russian and other Eastern European languages, according to Unit42,

The group uses its ransomware for its own direct gain, and also makes it available to affiliates via a ransomware-as-a-service (RaaS) model. It ran into a challenge in October when cybersecurity vendor Trustwave released software that allowed BlackByte victims to decrypt their data for free. At the time, Trustwave researchers noted that BlackByte’s ransomware was more rudimentary than that of other extortionists.

“Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES,” Team Trustwave wrote. “To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.”

The cybercrooks apparently rebounded, to the point where the FBI and Secret Service in their alert outlined BlackByte’s techniques and detailed a long list of indicators of compromise (IoC).

In an April blog post, Unit42 noted the gang’s aggressive nature, including a 300 percent quarter-over-quarter increase in the final three months of 2021 in the number of attacks associated with its ransomware.

Due to the high-profile nature and steady stream of BlackByte attacks identified globally in early 2022, the operators and/or affiliates behind the service likely will continue to attack and extort organizations

“BlackByte ransomware operators have been active since at least July 2021,” the researchers wrote. “Due to the high-profile nature and steady stream of BlackByte attacks identified globally in early 2022, the operators and/or affiliates behind the service likely will continue to attack and extort organizations.”

The Unit42 report echoes what the Talos researchers are seeing. The gang and its affiliates use phishing emails or a known ProxyShell vulnerability in unpatched Microsoft Exchange Servers – or flaws in vulnerable versions of SonicWall’s VPN – to gain access into a system, according to Talos.

Once in, the bad actors install the AnyDesk remote management software to help them take control of Windows boxes, move laterally through the network, and escalate privileges.

“BlackByte seems to have a preference for this tool and often uses typical living-off-the-land binaries (LoLBins) besides other publicly available commercial and non-commercial software like “netscanold’ or ‘psexec’,” the Talos researchers wrote. “These tools are also often used by Administrators for legitimate tasks, so it can be difficult to detect them as a malicious threat.”

Executing the ransomware itself “is the last step once they are done with lateral movement and make themselves persistent in the network by adding additional admin accounts,” they wrote.

About 17 hours after the ransomware infection process starts, the compromised systems reboot and the ransomware note lackByteRestore.txt is displayed in Notepad.

BlackByte’s persistence comes as the ransomware space continues to evolve. Kaspersky earlier this month noted a few trends in the field, including threat groups looking to become even more adaptable by developing cross-platform ransomware that can run on multiple architectures and operating systems. In addition, the ransomware ecosystem is becoming more industrialized, with ransomware tool kits being continuously improved to make data exfiltration easier and faster, and make rebranding tools simpler.

Gangs also are more likely to take sides in geopolitical conflicts, such as the ongoing invasion of Ukraine by Russia. ®