Dark Web Profile: BlackByte Ransomware

Ransomware has been one of the most glaring threats against organizations in recent years. Since 2021 SOCRadar has detected around 5,600 ransomware attacks. There was a rise from 2021 to 2022 in the number of attacks detected. This trend seems to continue in 2023 because even though it is not half of the year, there is already half the number of attacks detected compared to 2021. In 2021 total monetary damage of ransomware was around $20 billion, and it is predicted that in 2024 this amount will be $42 billion.

Ransomware Detected by SOCRadar — Ransomware detected by SOCRadar

The importance of ransomware is reflected in research conducted by Kaspersky in 2022. The research found that even though 64% have already been victims of at least one ransomware attack, only 42% of companies would report a ransomware attack to law enforcement and a cyber security incident response service. Of the 64% that have previously been attacked, 79% have paid the ransom. Of those, 88% said they would pay the ransom again if attacked.

Ransomware attacks are frequently directed at education, government, healthcare, and manufacturing. BlackByte ransomware is among the ones that prioritize these industries with less robust security measures.

Who is BlackByte?

BlackByte is a Ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files. They are a Russian-based ransomware group operating in a ransomware-as-a-service (RaaS) model and leverage double-extortion to force their victims into payment. In their first year, they caught the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). These agencies released a joint advisory cautioning against BlackByte.

BlackByte Targets World Map — BlackByte targets world map (Source: SOCRadar)

Which Countries and Industries Do BlackByte Target?

In more than 100 detected attacks, around 30 countries are targeted by BlackByte operators. Among the countries, in correlation with the other Russian-based ransomware, the US is the top target with nearly half of the attacks.

Countries Targeted by BlackByte — Countries targeted by BlackByte (Source: SOCRadar)

Regarding the graphic below demonstrating the industries targeted by BlackByte, manufacturing, educational services, healthcare, and social assistance are among the top targeted industries. This is in correlation with the ransomware trend in general. Ransomware operators target critical and low-security budget industries to ensure the data is vital enough for a hefty payment.

How Does BlackByte Operate?

BlackByte came into the scene with relatively low activity. According to the information reported then, BlackByte was not as active as other ransomware operations, but the researchers’ eyes were on it. They did not pose the greatest threat because of their ransomware.

The same key is used in each campaign to encrypt files in the prior variant of BlackByte. It employed AES, a symmetric key algorithm that allowed researchers to create a decrypter to help BlackByte victims. As a result, the group changed their encryption method in the newer variants. They transitioned from C# to GoLang around February 2022. This follows the trend of ransomware groups leveraging relatively little knowledge about programming languages such as GoLang and Rust. This means that it is easier to conduct static analysis in common programming languages such as C#; however, in programming languages such as GoLang, static analysis is harder. Many security products have been designed for years based on the signatures of well-known and widely used languages, so signatures of a different language can make static analysis much more difficult.

Like most ransomware groups, they leverage phishing and known vulnerabilities, such as ProxyLogon, for initial access. Another important aspect of the BlackByte is that its ransomware cannot exfiltrate data. So, they exfiltrate data before the encryption leveraging WinRAR and file-sharing sites. They also leverage legitimate tools such as AnyDesk to gain a foothold on the victim machines.

BlackByte ransomware attack diagram (Source: TrendMicro)

Who Are the Major Activities Regarding BlackByte?

BlackByte Exposed

Researchers released a free decryptor for the first variant of the BlackByte that victims of the BlackByte ransomware can use to restore their files. The free tool is available on GitHub.

Researchers said this process was rather simplistic than the more complex and secure encryption routines used by other gangs. The ransomware fetches a .PNG file that contains multiple keys, which researchers used to create the decryptor.

After the release of the decryptor, some researchers observed this file, which dissolved Black Byte. According to detailed analyses, the ransomware downloaded a file called ‘forest.png‘ from a remote site under their control. Although this file is named to appear as an image file, it contains the AES encryption key used to encrypt a device.

In the warning message published on the BlackByte blog, monitored by SOCRadar analysts, threat actors stated they had encountered a decryptor for ransomware. Threat actors also claim that some systems will irreversibly fail if decrypted incorrectly.

The group also stated that they do not use a single symmetric encryption key as suggested in the research but organize attacks with multiple encryption keys.

When the BlackByte ransomware gang became aware of the researchers’ report and decryption tool, they cautioned that they had used multiple keys and that utilizing the decryptor with the wrong key might damage the victim’s files.

BlackByte software also disables Microsoft Defender software before encrypting files on targeted systems. Also, like RYUK ransomware, it has a wormable feature that can infect another from the infected system.

SOCRadar analysts found that the BlackByte group has reduced its time to pay the ransom from 30 days to 12 days.

Decrease of time in response to decryptor

Being Near Silicon Valley Does Not Matter

One of the most famous NFL teams, the San Francisco 49ers, was the victim of BlackByte ransomware back in February 2022. They mailed notification letters confirming a data breach affecting over 20,000 individuals following a ransomware attack that hit its network. In the stolen data, names and social security numbers were involved.

The team resides near Silicon Valley, yet the BlackByte ransomware group was successful in their attack. The group claimed responsibility before the pinnacle of the NFL, the Super Bowl, and published 292 MB of files containing invoices.

San Francisco 49ers leak post by BlackByte

Conclusion

If we look at the lifespan of BlackByte out of context, we can say that they are a new actor in the scene. However, in the context of ransomware, they have been active for quite a long time. They have been active for two years, and less than a handful of ransomware actors can stay as active as them without getting apprehended. We can see that in the recent examples of Hive ransomware leak site overtaken by FBI and Conti imploding.

Ransomware attacks are not always successful or damaging. However, when a ransomware attack takes place, it hits heavy and forces the hands of an organization into giving up the payment. As reported in the previously mentioned research, of the 64% that have been attacked, 88% said they would pay the ransom again if attacked.

BlackByte is one of the actors to keep an eye on and prepare against, even though they have shown some weaknesses in their earlier variants. They have since adapted themselves and carried some hard-hitting attacks resulting in large payments.

Security Recommendations

Just as most ransomware attacks, BlackByte also leverages phishing for initial access in their attacks. SOCRadar provides brand protection with its Digital Risk Protection module. With brand protection, you can proactively deny potential phishing campaigns that may arise from impersonating domains.

SOCRadar Brand Protection

One of the essential defenses against ransomware is to keep an offline backup of the systems in place. If the critical systems have backups, there is an opportunity to get back into action without paying or decrypting.
BlackByte forces its victims’ hands by stealing the data before encrypting, which is a technique called double extortion. In this situation keeping offline backups is not enough. This situation can be prevented beforehand. Organizations should provide cyber security awareness for their employees. Also, organizations should keep track of the vulnerabilities in their environment. BlackByte leverages ProxyShell vulnerability variants in its attacks. SOCRadar provides Attack Surface Management which helps gain visibility into external-facing digital assets. With it, security teams can track the vulnerabilities in the environment. Knowing which vulnerabilities are present in the organization can limit the possible attack surface ransomware operators may exploit.

MITRE ATT&CK Techniques

Techniques	ID
Reconnaissance
Phishing for Information	T1598
Initial Access
Exploit Public-Facing Application	T1190
Persistence
Scheduled Task/Job: Scheduled Task	T1053.005
Privilege Escalation
Access Token Manipulation	T1134
Defense Evasion
Deobfuscate/Decode Files or Information	T1140
File and Directory Permissions Modification	T1222
Impair Defenses: Disable or Modify Tools	T1562.001
Discovery
File and Directory Discovery	T1083
Permission Groups Discovery: Domain Groups	T1069.002
Lateral Movement
Lateral Tool Transfer	T1570
Collection
Archive Collected Data: Archive via Utility	T1560.001
Exfiltration
Exfiltration Over Web Service	T1567
Command and Control
Application Layer Protocol: Web Protocols	T1071.001
Impact
Data Encrypted for Impact	T1486
Service Stop	T1489