The BlackByte ransomware gang, a notable offshoot of Conti’s splinter groups, has unveiled a new iteration of its encryptor along with advanced tactics, techniques, and procedures (TTPs). The latest version of their encryptor features a unique file extension, ‘blackbytent_h,’ which has not been observed in previous reports. This updated encryptor also utilizes an enhanced Bring Your Own Vulnerable Driver (BYOVD) technique, incorporating four vulnerable drivers compared to the two or three used in earlier versions, thereby increasing its effectiveness in compromising systems.
In recent attacks, BlackByte affiliates have demonstrated a notable shift in their tactics. They have begun exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, allowing them to encrypt multiple virtual machines simultaneously. Additionally, the ransomware group has adapted its approach by leveraging victims’ authorized remote access mechanisms and valid VPN credentials, rather than relying on traditional remote administration tools like AnyDesk. This new method not only aids in bypassing detection but also minimizes visibility from the organization’s endpoint detection and response (EDR) systems.
For lateral movement within compromised networks, BlackByte has employed Server Message Block (SMB) and Remote Desktop Protocol (RDP), while also misusing NTLM hashes for authentication. The ransomware’s execution routine involves creating a service on the local system, scanning for network shares using Active Directory credentials captured from the victim’s environment, and likely transmitting the ransomware binary over SMB to other networked systems. This technique highlights the group’s adaptability and sophistication in conducting their operations.
BlackByte’s victims primarily include businesses in the manufacturing, construction, and transportation sectors. However, researchers estimate that the true number of affected organizations is significantly higher than the figures publicly available on BlackByte’s data leak site. The discrepancy may arise from factors such as victims paying ransoms before their details are posted or the group selectively publishing victim information. Updated recommendations and indicators of compromise have been shared by Cisco’s researchers to assist defenders in safeguarding against these evolving threats.
Reference:
