Blackbyte is a newly identified Ransomware-as-a-Service operation that uses ‘double-extortion’ techniques, backed by a publicly available ‘leaks’ website. Early Blackbyte intrusions re-used encryption keys, meaning that files encrypted prior to October 2021 may be recoverable [Source 1]. Initial access in Blackbyte intrusions is typically achieved through the exploitation of vulnerabilities in public-facing devices [Source 5]. Cobalt Strike beacon usage has also been observed in prior Blackbyte intrusions.

Severity: High
Updates: 2/13/2022

  • The FBI and The United States Secret Service published a joint advisory containing Indicators of Compromise (IoCs) related to Blackbyte Ransomware [Source 2]. Indicators of Compromise from this report have been added to the ReliaQuest Emergency Feed.

Detections:

  • IoCs have been identified for this threat and added to the ReliaQuest Emergency Feed. The MITRE techniques that apply to this threat are identified below. IoCs for the related threat of ‘Cobalt Strike’ are also regularly added to the ReliaQuest Emergency Feed.

Mitigations:

  • As of December 8th, 2021, Blackbyte uses the anonymous file upload sites of ‘anonymfiles[.]com’ and ‘file[.]io’ [Source 6]. It is recommended to block these sites on your firewall/proxy technologies in order to reduce the likelihood of data exfiltration.
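The following is an added example (not ReliaQuest tooling) of how an analyst could sweep proxy logs for requests to the two upload sites named above, matching subdomains on label boundaries and totalling bytes sent per internal host; the log format, field order and sample lines are constructed assumptions.

```python
"""Flag proxy-log requests to the anonymous file-upload services named in the
advisory (anonymfiles.com, file.io). Added example, not ReliaQuest tooling; the
log format and the sample lines below are constructed assumptions."""
from urllib.parse import urlsplit

# Domains the advisory recommends blocking (defanged brackets removed).
BLOCKED_DOMAINS = {"anonymfiles.com", "file.io"}

# Constructed sample proxy log: timestamp, src_ip, method, url, bytes_sent
SAMPLE_LOG = """\
2021-12-08T10:01:02Z 10.20.1.15 GET https://www.example.com/index.html 512
2021-12-08T10:03:44Z 10.20.1.15 POST https://anonymfiles.com/upload 52428800
2021-12-08T10:05:10Z 10.20.1.22 POST https://file.io/ 10485760
2021-12-08T10:06:00Z 10.20.1.30 GET https://api.file.io/status 200
2021-12-08T10:07:31Z 10.20.1.30 GET https://notfile.io/page 300
"""

def host_is_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True when host equals a blocked domain or is a subdomain of one.
    Suffix matching is done on label boundaries, so 'notfile.io' is not
    mistaken for 'file.io'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def flag_uploads(log_text: str, blocked=BLOCKED_DOMAINS) -> list[dict]:
    """Return one record per request whose destination host is blocked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, method, url, sent = line.split()
        host = urlsplit(url).hostname or ""
        if host_is_blocked(host, blocked):
            hits.append({"ts": ts, "src_ip": src_ip, "method": method,
                         "host": host, "bytes_sent": int(sent)})
    return hits

def bytes_by_source(hits: list[dict]) -> dict[str, int]:
    """Sum bytes sent per internal source, so the hosts that pushed the most
    data to an upload site are triaged first."""
    totals: dict[str, int] = {}
    for h in hits:
        totals[h["src_ip"]] = totals.get(h["src_ip"], 0) + h["bytes_sent"]
    return totals

if __name__ == "__main__":
    hits = flag_uploads(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(bytes_by_source(hits))
```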

The following are recommendations to mitigate the risk of ransomware, regardless of the variant:

  • Regularly monitor and audit external facing services and assets for accidental exposure and out-of-date services. Remove any accidental exposure and patch any out-of-date services, with priority on services that have known vulnerabilities. Threat Actors will frequently scan the internet for public-facing assets that have an exploitable vulnerability and gain initial access via this method.
  • Implement phishing training and deploy e-mail security technologies to mitigate the risk of malicious e-mail documents. Threat actor groups often conduct phishing campaigns with malicious documents in order to gain an initial foothold.
  • Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment in order to provide as much visibility as possible into exploit/threat activity. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility in order to be pushed to production.
  • Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.
  • Enforce complex passwords and Multi-Factor Authentication across all aspects of the environment (including third-party accounts).

Sources:
[1] https://github.com/SpiderLabs/BlackByteDecryptor
[2] https://www.ic3.gov/Media/News/2022/220211.pdf
[3] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
[4] https://www.linkedin.com/pulse/english-blackbyte-ransomware-misterious-dropper-encoder-fasolo/
[5] https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/
[6] https://redcanary.com/blog/blackbyte-ransomware/

MITRE Techniques:

Technique ID   Technique Name
T1003          OS Credential Dumping
T1016          System Network Configuration Discovery
T1018          Remote System Discovery
T1055          Process Injection
T1059.001      PowerShell
T1112          Modify Registry
T1190          Exploit Public-Facing Application
T1486          Data Encrypted for Impact
T1490          Inhibit System Recovery
T1560.001      Archive via Utility
T1562.001      Disable or Modify Tools
T1562.004      Disable or Modify System Firewall
T1567.002      Exfiltration to Cloud Storage


If you have any questions or would like to learn more about how to address this malware, please reach out to your ReliaQuest representative.