lconstantin
CSO Senior Writer

BlackByte ransomware gang exploits more orgs than previously known

News Analysis
28 Aug 2024, 6 mins
Ransomware

The suspected Conti offshoot group’s latest attacks display new tactics and a new file encryptor variant — and have included quick use of the recent VMware ESXi authentication bypass flaw.


According to security researchers, the BlackByte ransomware group has been more active in exploiting organizations than previously thought.

Security researchers from Cisco Talos have found evidence that the number of victims listed by BlackByte on its data leak site in recent months represents just 20% to 30% of the group’s successful compromises. Moreover, recently investigated attacks have revealed changes in BlackByte’s tactics, as well as a new variant of its file encryptor.

“During investigation of a recent BlackByte attack, Cisco Talos Incident Response (Talos IR) and Talos threat intelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the investigation and other events flagged in Talos’ global telemetry,” researchers from Cisco’s Talos group wrote in a new report. “Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly more active than would appear from the number of victims published on its data leak site.”

Ransomware gangs maintain websites where they list compromised organizations along with proof that they obtained sensitive data from their systems. By doing so, ransomware groups can more easily practice double extortion — file encryption and data exfiltration — to pressure victims into paying ransoms.

It’s not clear why BlackByte doesn’t publish all successful compromises on its data leak site. It could be to avoid attracting too much attention, or it could be that some victims agree to pay before a listing becomes necessary. It’s also possible that not all successful compromises by BlackByte result in data exfiltration.

For example, in the attack Cisco Talos investigated, the researchers found evidence that BlackByte’s custom data exfiltration tool, ExByte, might have been deployed, but they couldn’t confirm with a high degree of certainty that data was actually exfiltrated.

Suspected Conti offshoot learning from past mistakes?

BlackByte is a ransomware-as-a-service (RaaS) operation that first appeared in late 2021 and is a suspected offshoot of Conti, a top ransomware group that disbanded in May 2022 after attracting too much attention and making a series of operational missteps.

After Russia invaded Ukraine in February 2022, many ransomware and cybercrime gangs declared themselves neutral, especially given that many had members in both Russia and Ukraine, as well as other CIS countries. But Conti publicly sided with Russia and threatened to target Western critical infrastructure in retaliation, which likely made some affiliates want to distance themselves from the operation.

Not long after, a security researcher leaked tens of thousands of messages from Conti’s internal communications system, giving the world a deeper look into how the operation was run. This operational security failure likely alienated even more affiliates.

Finally, in April 2022, the group launched a major attack that crippled 27 Costa Rican government organizations, causing disruptions in the country’s customs and taxes platforms and impacting foreign trade and payroll payments. In response, the US State Department put up a $10 million reward for information about the identity or location of Conti’s leaders, as well as $5 million for information leading to the arrest of any Conti co-conspirator from any country. This likely sealed the group’s fate and made being associated with it highly undesirable for any cybercriminal.

With Conti affiliates abandoning ship and joining other RaaS operations, BlackByte, Black Basta, and KaraKurt quickly stood out as three new groups that adopted code, tools, and tactics very similar to those previously associated with Conti. If BlackByte is indeed run by former Conti members, it wouldn’t be surprising that they don’t want to attract too much attention to themselves.

BlackByte embraces new tactics and tools

While BlackByte has maintained the same tactics, techniques and procedures (TTPs) since its inception, the most recent attacks have revealed new tactics and the evolution of others. For example, the group is known for deploying a self-propagating wormable ransomware encryptor customized for each victim with hardcoded SMB and NTLM credentials stolen from inside the targeted network.

While this tactic is still in use, the file encryptor has been re-engineered over time in multiple programming languages: Go, .NET, and finally C++. The latest variant observed by Cisco Talos adds the “blackbytent_h” extension to encrypted files.

The group was also known for deploying several legitimate but vulnerable drivers on compromised systems to abuse them for privilege escalation and other tasks. For this technique, known as bring your own vulnerable driver (BYOVD), BlackByte has been known to use three specific drivers: RtCore64.sys, a driver originally used by the MSI Afterburner system overclocking utility; DBUtil_2_3.sys, a driver that is part of the Dell Client firmware update utility; and gdrv.sys, a driver that is part of the GIGABYTE Tools software for GIGABYTE motherboards.

In recent attacks the group added a fourth driver called zamguard64.sys, which is part of the Zemana Anti-Malware (ZAM) application. This driver has a vulnerability that can be used to terminate other processes and is used to disable EDR products on victim computers.

Another observed change is that the group relied on the victim’s own authorized remote access mechanisms, such as the Windows Remote Desktop Protocol (RDP), to connect to other systems instead of deploying commercial remote administration tools like AnyDesk.

The initial access into the victim organization was achieved through a compromised VPN account that likely fell victim to brute-force credential guessing attempts, but the group has been known to exploit vulnerabilities in publicly facing servers in the past, such as the ProxyShell flaw in Microsoft Exchange.

Finally, the group was seen exploiting the CVE-2024-37085 authentication bypass vulnerability in VMware ESXi within days of its public disclosure. This vulnerability gives members of an Active Directory group called “ESX Admins” control over virtual machines on ESXi hosts. The BlackByte attackers were seen creating this group after gaining access to domain admin accounts in victim environments.

“This highlights the speed with which ransomware groups like BlackByte can adapt their TTPs to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack,” the Talos researchers said.

Mitigation

Cisco Talos recommends that companies implement multifactor authentication for all remote and cloud connections and audit their VPN configurations. Organizations should also set up alerts for changes in Active Directory privileged groups and limit or disable the use of NTLM inside their networks. Microsoft is deprecating NTLM as an authentication protocol in favor of Kerberos.
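One way to implement the privileged-group alerting recommended above, tied to the “ESX Admins” group creation described in the CVE-2024-37085 section, as an added example that is not code from the article or from Cisco Talos: it scans Windows Security audit events for creation of an “ESX Admins” group and for members being added to high-privilege groups. The event IDs are the standard Windows group-management audit IDs; the field names follow the Security log’s event data fields, the list of watched groups beyond “ESX Admins” is an assumed default, and the sample events are constructed.

```python
# Added example (not from the article or the Talos report): flag the AD group changes
# that precede abuse of the ESXi "ESX Admins" behaviour (CVE-2024-37085).
# Standard Windows Security audit IDs:
#   4727/4731/4754 = security-enabled group created
#   4728/4732/4756 = member added to a security-enabled group
from dataclasses import dataclass

GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}

# "ESX Admins" is the group name ESXi honours; the other entries are an assumed
# default list of privileged groups whose membership changes should always alert.
WATCHED_GROUPS = {"esx admins", "domain admins", "enterprise admins", "administrators"}


@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    group: str
    actor: str
    detail: str


def _norm(name: str) -> str:
    # Case-insensitive compare: a defensive choice, so "esx admins" is caught too.
    return name.strip().lower()


def detect_group_abuse(events):
    """Return alerts for suspicious AD group events.

    Each event is a dict with EventID, TargetUserName (the group name),
    SubjectUserName (who made the change) and, for member-add events, MemberName.
    """
    alerts = []
    for ev in events:
        eid = int(ev["EventID"])
        group = _norm(ev.get("TargetUserName", ""))
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and group == "esx admins":
            alerts.append(Alert("critical", eid, ev["TargetUserName"], actor,
                                "ESX Admins group created: CVE-2024-37085 abuse pattern"))
        elif eid in MEMBER_ADDED and group in WATCHED_GROUPS:
            sev = "critical" if group == "esx admins" else "high"
            alerts.append(Alert(sev, eid, ev["TargetUserName"], actor,
                                f"member {ev.get('MemberName', '?')} added to privileged group"))
    return alerts


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 4728, "TargetUserName": "Sales", "SubjectUserName": "helpdesk", "MemberName": "CN=alice"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup", "MemberName": "CN=svc-backup"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "svc-backup", "MemberName": "CN=tmpadmin"},
]

if __name__ == "__main__":
    for a in detect_group_abuse(SAMPLE_EVENTS):
        print(a.severity.upper(), a.event_id, a.group, "by", a.actor, "-", a.detail)
```

In production the events would come from a SIEM or from `Get-WinEvent` on the domain controllers; the creation of a group named “ESX Admins” by an account with no such duty is the signal worth paging on.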

SMBv1, another legacy protocol, should also be disabled and newer versions of SMB should have signing and encryption enforced. Any vendor accounts and remote access features that are not being used should also be disabled and detections for unauthorized Windows Defender policies and Group Policy Objects should be deployed on systems.