FBI, USSS warn about BlackByte ransomware, provide associated indicators of compromise

The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) have issued a cybersecurity advisory providing technical details and indicators of compromise concerning BlackByte ransomware. As of November last year, the group is said to have compromised multiple U.S. and foreign businesses, covering entities across at least three U.S. critical infrastructure sectors, including government facilities, financial, and food and agriculture.

The BlackByte ransomware has been identified as a Ransomware-as-a-Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers. There has been a noticeable increase in 2021 in the use of RaaS, as hackers employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals.

“The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key,” according to the advisory. Some victims reported that the hackers used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, the hackers deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files, it added. 

“In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur,” the advisory said. “Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. Process injection has been observed on processes it creates,” it added.

Over the weekend, there were reports that the NFL’s San Francisco 49ers team is recovering from a cyberattack executed by the BlackByte ransomware gang, which claims to have stolen data from the American football organization. The attack was confirmed in a statement by the 49ers to BleepingComputer and is said to have caused a temporary disruption to portions of their IT network.

Cybersecurity firm Trustwave noted in a post that, like other notorious ransomware variants such as REvil, BlackByte avoids systems configured with Russian and other ex-USSR languages. It has worm functionality similar to that of RYUK ransomware: it creates a wake-on-LAN magic packet and sends it to the target host to make sure the host is awake before infecting it.
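The two behaviours described above, the .png key download from the advisory's two listed IP addresses and the wake-on-LAN magic packet, can be turned into simple detection logic. The following is an added example, not code from the advisory or from Trustwave; the proxy log lines, UDP payloads and the 10.0.0.5 management host are constructed or assumed.

```python
from typing import List, Optional, Tuple

# Indicators quoted in the advisory: older BlackByte builds fetched a .png
# key file from these two addresses before encrypting.
BLACKBYTE_KEY_HOSTS = {"185.93.6.31", "45.9.148.114"}
# Assumed: the only host on this network allowed to send Wake-on-LAN.
WOL_SENDERS_ALLOWED = {"10.0.0.5"}
# Constructed proxy log lines (not real telemetry): src dst method url
PROXY_LOG = """\
10.0.1.22 185.93.6.31 GET http://185.93.6.31/forest.png
10.0.1.23 93.184.216.34 GET http://example.com/index.html
10.0.1.22 45.9.148.114 GET http://45.9.148.114/forest.png
"""

def proxy_alerts(log_text: str) -> List[str]:
    """Source hosts that fetched a .png from a known key-hosting IP."""
    hits = []
    for line in log_text.splitlines():
        src, dst, _method, url = line.split()
        if dst in BLACKBYTE_KEY_HOSTS and url.lower().endswith(".png"):
            hits.append(src)
    return hits

def is_wol_magic_packet(payload: bytes) -> Optional[bytes]:
    """Return the target MAC if payload is a WoL magic packet: six 0xFF
    bytes, then the same 6-byte MAC repeated 16 times (an optional
    4- or 6-byte password may follow)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    return mac if payload[6:102] == mac * 16 else None

def wol_alerts(udp_packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """(sender, target MAC) for magic packets from non-allow-listed senders."""
    alerts = []
    for src, payload in udp_packets:
        mac = is_wol_magic_packet(payload)
        if mac is not None and src not in WOL_SENDERS_ALLOWED:
            alerts.append((src, mac.hex(":")))
    return alerts

# Constructed UDP payloads: one magic packet from a workstation, one from
# the management host, one ordinary payload of the same length.
TARGET_MAC = bytes.fromhex("001122334455")
SAMPLE_UDP = [
    ("10.0.1.22", b"\xff" * 6 + TARGET_MAC * 16),
    ("10.0.0.5", b"\xff" * 6 + TARGET_MAC * 16),
    ("10.0.1.30", b"\x00" * 102),
]
```

A workstation that both fetches a .png from one of the listed addresses and emits magic packets to its neighbours is a strong candidate for isolation and triage.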

“The author hosted the encryption key in a remote HTTP server and in a hidden file with .PNG extension,” Rodel Mendrez and Lloyd Macrohon, Trustwave researchers, wrote in a blog post last October. “The author lets the program crash if it fails to download the encryption key. The RSA public key embedded in the body is only used once, to encrypt the raw key to display in the ransom note – that’s it. The ransomware uses only one symmetric key to encrypt the files,” they added.

Trustwave was also able to make a BlackByte decryptor available for download at GitHub in October. 

Last week, a transnational joint cybersecurity advisory (CSA) was issued outlining the growing international threat posed by ransomware trends observed in 2021. The alert also identified that most ransomware incidents against critical infrastructure affect business information and technology systems. The FBI also observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.
