BlackByte ransomware, which has been targeting critical infrastructure in the U.S. and across the globe since mid-summer 2021, has recently morphed into a more advanced variant. The adversaries are known to exfiltrate data before deploying the ransomware and then threaten to leak the stolen data if the ransom is not paid.

The ransomware samples were originally written in C# and were later redeveloped in the Go programming language, allowing the attackers to evolve their toolkit and apply stronger file encryption that rules out file recovery without the attackers' key. The code used in the latest BlackByte attacks is continually optimized to bypass security solutions and hinder malware analysis, including through string obfuscation.

Detect BlackByte Ransomware 

To proactively defend organizations against new BlackByte ransomware samples, SOC Prime has released a set of unique, context-enriched Sigma rules written by our prolific Threat Bounty developers, Nattatorn Chuensangarun and Kaan Yeniyol:

Possible BlackByte Ransomware Execution by Creating Scheduled Task for Print Bombing (via process_creation)

Possible BlackByte Ransomware Disable Controlled Folder Access with PowerShell Script Block

Suspicious BlackByte Ransomware Defense Evasion by System Time Format Modification (via cmdline)

With threat actors continuously improving BlackByte ransomware, it still poses a serious threat to organizations operating in multiple industries worldwide. Threat hunters, detection engineers, and other InfoSec practitioners striving to improve their organization’s cybersecurity posture can join SOC Prime’s platform and access a comprehensive detection stack for BlackByte ransomware. Click the View Detections button to get access to the dedicated rule kit. Detection content engineers and cybersecurity researchers who are looking for ways to turn their individual cybersecurity skillset into industry collaboration are invited to join the ranks of the SOC Prime Threat Bounty Program, which allows monetizing content contribution.


BlackByte Ransomware Analysis: Go-Based Variants

BlackByte ransomware runs on a Ransomware-as-a-Service (RaaS) model targeting global organizations since July 2021. First involved in small-scale attacks, the ransomware operators found themselves in the public eye in November 2021, having compromised a number of US and worldwide businesses, including critical infrastructures in the government, financial, food and agriculture sectors. 

The most recent BlackByte ransomware attack targeted the Swiss-based logistics company M+R Spedag Group and resulted in the theft of over 8GB of the company’s data, with the threat of publishing the leaked assets on the dark web.

In a series of earlier attacks, the hacking group was observed encrypting files on victims’ Windows hosts and weaponizing a Microsoft Exchange Server flaw to gain access to compromised networks. In response to the rapidly increasing scale of attacks leveraging BlackByte ransomware, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint cybersecurity advisory listing indicators of compromise associated with the malicious activity and recommending BlackByte ransomware mitigation measures.

Zscaler ThreatLabz has recently identified two new BlackByte versions written in Go. The first variant shares multiple features with the original C# samples, using the same commands to move laterally and escalate privileges along with similar file encryption routines. The second Go-based version, spotted in more recent attacks, introduces significant updates and more sophisticated file encryption, using Curve25519 Elliptic Curve Cryptography (ECC) and ChaCha20 for asymmetric and symmetric encryption respectively. In addition, the more advanced Go-based version stores its ransom note and icon file in XOR-encrypted form.

The extortion stage starts with the victim opening a link to the ransom portal and authenticating with an access key taken from the ransom note dropped on the targeted machine. Once authenticated, victims are told to pay a ransom or risk having their data leaked.

Also, threat actors apply print bombing by sending a ransom message that is scheduled to be printed every hour on connected devices.
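The following is an added example, not SOC Prime's Sigma rules or any BlackByte sample, showing how the two behaviours named above (an hourly print-bombing scheduled task, and Controlled Folder Access being switched off from PowerShell) can be matched against process-creation telemetry; the indicator strings and the sample events are constructed assumptions, not literal BlackByte command lines.

```python
"""Detection pass over constructed Windows telemetry for two behaviours named
above: hourly print-bombing scheduled tasks and disabling Controlled Folder
Access. Added example, not SOC Prime's Sigma rules; indicator strings are
assumptions, not literal BlackByte command lines."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Flattened process_creation or PowerShell script-block event."""
    image: str = ""          # full path of the started process
    command_line: str = ""   # command line, or script block text


# Rule 1: schtasks.exe creating an hourly task whose action prints a file.
_CREATE = re.compile(r"/create\b", re.IGNORECASE)
_HOURLY = re.compile(r"/sc\s+hourly\b", re.IGNORECASE)
# Assumed print indicators: the 'print' command or notepad's /p switch.
_PRINT = re.compile(r"\bprint\b|notepad(\.exe)?\s+/p\b", re.IGNORECASE)
# Rule 2: Defender Controlled Folder Access switched off via Set-MpPreference.
_CFA_OFF = re.compile(r"Set-MpPreference\b.*-EnableControlledFolderAccess\s+Disabled\b",
                      re.IGNORECASE | re.DOTALL)


def is_print_bomb_task(ev: Event) -> bool:
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.command_line
    return bool(_CREATE.search(cl) and _HOURLY.search(cl) and _PRINT.search(cl))


def is_cfa_disabled(ev: Event) -> bool:
    return bool(_CFA_OFF.search(ev.command_line))


def scan(events):
    """Return (index, rule_name) pairs for every event that triggers a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_print_bomb_task(ev):
            hits.append((i, "blackbyte_print_bomb_task"))
        if is_cfa_disabled(ev):
            hits.append((i, "blackbyte_cfa_disabled"))
    return hits


# Constructed sample telemetry (not real BlackByte artefacts); indexes 1 and 2 fire.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc daily /tn Bk /tr "C:\bk\run.bat"'),
    Event(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc hourly /tn Note /tr "print C:\Users\Public\note.txt"'),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Set-MpPreference -EnableControlledFolderAccess Disabled"),
    Event(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc hourly /tn Clean /tr "cmd /c del C:\tmp\*"'),
]
```

In production the same logic would run against Sysmon Event ID 1 or Security 4688 for process creation and PowerShell Event ID 4104 for script blocks, and a legitimate hourly printing task should be baselined before alerting.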

To stay abreast of emerging threats and reinforce your organization’s cyber defense potential, join SOC Prime’s Detection as Code platform and drive immediate value from the near real-time detection content delivery accompanied by automated threat hunting and content management capabilities.
