Detecting BlackByte Ransomware Attacks

December 03, 2021 · 4 min read

Another day, another major challenge for security practitioners. Meet BlackByte, a new ransomware-as-a-service (RaaS) ring that is forging its way to the top of the threat list. The first incidents attributed to the BlackByte collective were detected in July 2021, and since then the adversaries have evolved their tactics and tools significantly. Currently, security researchers observe BlackByte leveraging the notorious ProxyShell vulnerabilities to breach corporate networks and encrypt critical assets.

What is BlackByte Ransomware?

Initially, BlackByte popped up in mid-summer 2021, performing low-intensity attacks against occasional users. Interest in this new variant peaked in October 2021 after the ransomware operators compromised the Iowa grain cooperative. Since then, security researchers have tracked multiple attacks against the manufacturing, mining, food & beverage, healthcare, and construction industries in the US, Europe, and Australia.

The BlackByte ransomware group is believed to be of Russian origin, since the adversaries avoid targeting companies based in Russia or CIS countries. Furthermore, one of BlackByte's file encryption functions is called “Pognali,” which translates from Russian as “let’s go.”

According to research from Trustwave, the initial BlackByte samples were not very complex. The ransomware used the same AES key to encrypt files instead of generating a unique one for each encryption session. Furthermore, since AES is symmetric encryption, the same key served for both encryption and decryption. If the key could not be downloaded from the attackers’ server, the ransomware routine simply crashed.

In view of such a simplistic approach, security researchers from Trustwave released a decryptor for BlackByte ransomware in October 2021. However, the malware operators have updated their tactics since then, leaving victims no option to decrypt their files for free. Moreover, according to the latest observations, BlackMatter ransomware attacks are becoming more sophisticated, with noticeable effort invested in evading detection, analysis, and decryption.

ProxyShell Vulnerabilities Leveraged to Deploy BlackByte

This week, Red Canary experts shared a detailed report revealing that BlackByte operators are actively using ProxyShell exploits to breach targeted networks.

ProxyShell is the collective name for three separate flaws (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that, when chained, allow attackers to gain admin-level access and perform remote code execution on vulnerable Microsoft Exchange servers.

According to Red Canary, BlackByte operators use the ProxyShell flaws to drop web shells onto exposed Exchange servers. Once a web shell is installed, the threat actors gain persistence on the targeted instance and push Cobalt Strike beacons injected into the Windows Update Agent process. This allows the attackers to dump credentials and obtain access to accounts. Next, they drop the AnyDesk tool for remote access and proceed with lateral movement across the network.

In the next stage, the BlackByte executable comes into play, using its worm-like capabilities to infect all reachable assets. Before launching the encryption process, the malware deletes the “Raccine Rules Updater” scheduled task and wipes shadow copies through WMI objects. Finally, BlackByte collects sensitive data with WinRAR for later use in double extortion.

BlackByte Ransomware Detection

To help security professionals detect BlackByte infections and successfully withstand the attacks, the Threat Detection Marketplace repository of the SOC Prime platform offers a batch of curated detection content:

BlackByte Ransomware install Remote Server Admin Tools package

BlackByte Ransomware using Raccine Scheduled Task Deletion

BlackByte Ransomware using Vssadmin to Resize Shadowstorage

ProxyShell Exploitation Leads to BlackByte Ransomware via Process_Creation

Remote Server Admin Tools Package Installation Attempt (via powershell)

BlackByte Ransomware query Active Directory for Computer Names

The full list of Sigma rules for BlackByte ransomware detection is available via this link.
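The pre-encryption behaviours described above (Raccine task deletion, shadow copy tampering via vssadmin and WMI, RSAT installation and Active Directory enumeration via PowerShell) can be checked against process-creation telemetry with simple Sigma-style matching. The following Python script is an added example, not SOC Prime's rule content; its events are constructed samples in Sysmon Event ID 1 shape, and the command lines and rule titles are illustrative assumptions.

```python
# Sigma-style process-creation detections for the BlackByte behaviours described above.
# Each rule: (title, Image suffixes, substrings that must ALL be in CommandLine,
# substrings of which at least ONE must be present, or () for no such condition).
RULES = [
    ("Raccine Rules Updater scheduled task deletion",
     ("\\schtasks.exe",), ("/delete", "raccine rules updater"), ()),
    ("Vssadmin resize shadowstorage",
     ("\\vssadmin.exe",), ("resize", "shadowstorage", "/maxsize="), ()),
    ("Shadow copy deletion via WMI",
     ("\\wmic.exe",), ("shadowcopy", "delete"), ()),
    ("Remote Server Admin Tools installation via PowerShell",
     ("\\powershell.exe", "\\pwsh.exe"), ("rsat",),
     ("add-windowscapability", "install-windowsfeature")),
    ("Active Directory computer-name enumeration",
     ("\\powershell.exe", "\\pwsh.exe"), ("get-adcomputer",), ()),
]

def match_event(event: dict) -> list:
    """Return the titles of every rule the event satisfies (empty for benign events)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    for title, images, need_all, need_any in RULES:
        if (image.endswith(images)
                and all(s in cmd for s in need_all)
                and (not need_any or any(s in cmd for s in need_any))):
            hits.append(title)
    return hits

def scan(events: list) -> list:
    """Return (event index, rule title) pairs for every match, in order."""
    return [(i, t) for i, e in enumerate(events) for t in match_event(e)]

# Constructed sample events in Sysmon Event ID 1 shape (not real telemetry): the first
# five mimic the pre-encryption steps described above, the last two are benign admin use.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"Image": PS, "CommandLine": "powershell Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"},
    {"Image": PS, "CommandLine": "powershell Get-ADComputer -Filter *"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, title in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Matching is deliberately substring-based on the lowercased command line, the same semantics as Sigma's `contains|all`, so a real deployment would tune exclusions for legitimate backup and RSAT rollout jobs.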

Additionally, you can check the Industry Guidelines: Defending Against Ransomware Attacks in 2021 provided by Vlad Garaschenko, CISO at SOC Prime. These guidelines cover best practices for ransomware defense and offer the latest detections against ransomware attacks to help the leading MSPs and organizations in various sectors proactively withstand industry-specific intrusions. 

Also, to ensure that your systems are protected against possible BlackByte intrusions, check that you have applied the patches for the ProxyShell vulnerabilities. To detect possible malicious activity associated with these flaws, download the set of Sigma rules available via the following link.

Explore the world’s first platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks easier, faster and more efficiently. Eager to craft your own Sigma and YARA rules to make the world a safer place? Join our Threat Bounty Program to get recurrent rewards for your valuable input!

