BlackByte Ransomware Detection: New Wake-Up Call

WRITTEN BY
Alla Yurchenko
February 25, 2022 · 4 min read

The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) have released a joint cybersecurity advisory on the activities of the BlackByte Ransomware-as-a-Service (RaaS) gang. BlackByte ransomware has been used primarily against businesses located in the USA. The heaviest costs fall on critical infrastructure sectors such as government facilities, financial services, and food and agriculture.

BlackByte Ransomware Mitigation

According to the data currently available, the attackers allegedly gained access to victims’ environments by leveraging a Microsoft Exchange Server flaw. To identify behaviors associated with BlackByte ransomware, such as attempts to modify the registry in order to elevate privileges, use the following threat detection content:

Behavior of BlackByte Ransomware – Feb 2022 (via process creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impact tactic with Data Encrypted for Impact (T1486) as the primary technique.

BlackByte Ransomware Modifies Registries to Elevate Privileges

This detection has translations for the same SIEM, EDR & XDR platforms listed for the rule above.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Modify Registry (T1112) as the main technique.

The rules are provided by our keen Threat Bounty developers Sittikorn Sangrattanapitak and Nattatorn Chuensangarun, keeping a close eye on emerging threats.

The full list of detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here. Eager to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your valuable contribution.


BlackByte Ransomware Attacks

The threat first surfaced in July 2021 and has reappeared every other month since, with multiple attacks against the U.S., Europe, and Australia. According to the joint FBI and USSS advisory, BlackByte RaaS operators are known to have leveraged a Microsoft Exchange Server flaw to obtain initial access to victims’ networks.

Once the environment is breached, the adversaries work to establish a persistent presence on the infected system and to elevate privileges before exfiltrating and encrypting files. In certain cases the BlackByte operators have only partly encrypted data; in such circumstances data recovery is feasible even where decryption is not possible. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. The novelty of the latest version of this ransomware is that it does not require communication with any external IP addresses to carry out encryption successfully.
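As an added illustration of how a process-creation detection of the kind described in the mitigation section above can be expressed and checked offline, the block below is a minimal Sigma-style matcher run over hand-made events. It is constructed for this article: it is not SOC Prime's rule, not the Threat Bounty authors' content, and the rule logic, the event fields and the registry key and value names (placeholders) are assumptions. The only facts it leans on from the post are the Modify Registry (T1112) mapping and the observation that BlackByte runs executables from under C:\Windows\.

```python
"""
Constructed illustration for this article: a minimal Sigma-style matcher
applied to hand-made Windows process-creation events. Neither the rule nor
the events are SOC Prime's content or real BlackByte telemetry.
"""

# Hypothetical rule (assumption, not the Threat Bounty rule): a process whose
# image lives under C:\Windows\ uses "reg add" to write a machine-wide (HKLM)
# value. Tagged Defense Evasion / Modify Registry (T1112).
RULE = {
    "title": "Hypothetical: HKLM registry write by executable under C:\\Windows\\",
    "tags": ["attack.defense_evasion", "attack.t1112"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_image": {"Image|startswith": "C:\\Windows\\"},
        "selection_cmd": {"CommandLine|contains|all": ["reg", "add", "HKLM"]},
        "condition": "selection_image and selection_cmd",
    },
}

# Constructed events in the shape of Sysmon Event ID 1 fields (not real logs).
# Registry key and value names are placeholders, not BlackByte indicators.
SAMPLE_EVENTS = [
    {   # 0: vendor installer writing to HKCU from Program Files: benign
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r'reg.exe add "HKCU\Software\Vendor" /v Installed /t REG_DWORD /d 1 /f',
    },
    {   # 1: binary dropped directly into C:\Windows\ writing an HKLM value
        "Image": r"C:\Windows\upd.exe",
        "CommandLine": r"reg add HKLM\SOFTWARE\PLACEHOLDER-KEY /v PLACEHOLDER-VALUE /t REG_DWORD /d 1 /f",
    },
    {   # 2: reg.exe itself, running from System32, writing the same HKLM value
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg add HKLM\SOFTWARE\PLACEHOLDER-KEY /v PLACEHOLDER-VALUE /t REG_DWORD /d 1 /f",
    },
    {   # 3: ordinary service host start, no registry write
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
]


def _field_matches(value, modifiers, patterns):
    """Apply Sigma string modifiers case-insensitively, as Sigma does."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if "startswith" in modifiers:
        check = v.startswith
    elif "endswith" in modifiers:
        check = v.endswith
    elif "contains" in modifiers:
        check = lambda p: p in v
    else:
        check = lambda p: p == v
    # "|all" requires every listed pattern; the default is any-of (Sigma list semantics)
    return all(map(check, pats)) if "all" in modifiers else any(map(check, pats))


def _selection_matches(event, selection):
    """Every field inside one selection must match (a Sigma map is an AND)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not _field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


def evaluate(rule, event):
    """Support the subset of conditions used here: selections joined by 'and'."""
    detection = rule["detection"]
    names = [n.strip() for n in detection["condition"].split(" and ")]
    return all(_selection_matches(event, detection[name]) for name in names)


def run_rule(rule, events):
    """Return the indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


def alert(rule, event):
    """Shape a minimal alert record that carries the ATT&CK tags for triage."""
    return {"title": rule["title"], "tags": rule["tags"],
            "Image": event["Image"], "CommandLine": event["CommandLine"]}


if __name__ == "__main__":
    for i in run_rule(RULE, SAMPLE_EVENTS):
        print(alert(RULE, SAMPLE_EVENTS[i]))
```

Events 1 and 2 fire; event 2 also shows why such a rule needs tuning before production use: reg.exe legitimately lives in System32, so routine administrative HKLM writes would match too, and a real rule would carry filter selections and exclusions for known-good parents or command lines.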

A note urging the victim to pay a ransom through the Tor network is an indispensable part of the attack. In its latest report, the FBI advises ransomware victims not to pay, since doing so does not ensure data recovery and instead encourages the attackers to launch more attacks. Victims are advised to report breaches so that ransomware operators can be tracked down.

At the risk of sounding like a broken record, it is needless to say that threat prevention and detection are paramount. Sign up for free at SOC Prime’s Detection as Code platform to make threat detection easier, faster, and more efficient with the industry’s best practices and shared expertise. The platform also enables SOC professionals to share detection content of their own creation, participate in top-tier initiatives, and monetize their input.
