BlackByte, the ransomware-as-a-service gang believed to be one of Conti’s splinter groups, has (once again) created a new iteration of its encryptor.
“Talos observed some differences in the recent BlackByte attacks. Most notably, encrypted files across all victims were rewritten with the file extension ‘blackbytent_h’, which has not yet appeared in public reporting,” researchers with Cisco’s threat intelligence team have shared.
“This newer version of the encryptor also drops four vulnerable drivers as part of BlackByte’s usual Bring Your Own Vulnerable Driver (BYOVD) technique, which is an increase from the two or three drivers described in previous reports.”
New TTPs
Based on findings related to attacks that Cisco’s incident responders recently helped investigate, it’s obvious that some of BlackByte’s affiliates have been using tactics, techniques and procedures that depart from the group’s established tradecraft.
Aside from leveraging the new encryptor, affiliates have been:
- Exploiting CVE-2024-37085 – an authentication bypass vulnerability in VMware ESXi – to encrypt multiple virtual machines simultaneously
- Using victims’ authorized remote access mechanism instead of deploying remote administration tool like AnyDesk
- Using valid credentials – most likely discovered through brute-forcing – to access the victim organizations’ VPN
“Given BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or could represent opportunism. The use of the victim’s VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization’s EDR,” the researchers noted.
For lateral movement, the attackers used Server Message Block (SMB) and Remote Desktop Protocols (RDP), and stole and misused NTLM hashes for authentication.
“Dynamic analysis of the ransomware binary later revealed consistent use of NTLM for authentication by that file, as well. We found that its execution routine includes creation of a service on the local system, and scanning for network shares on other networked systems using Active Directory credentials that were captured from the victim environment. We don’t have details of the exact system-to-system transmission method, but this very likely takes place over SMB to network shares that are discovered during the scanning process,” the researchers told Help Net Security.
“BlackByte has been known to leverage remote services such as SMB/Windows Admin shares throughout previous campaigns. The service on the local system then executes the copied binary on the remote system using the credentials built into the binary.”
As in previous attacks, the threat actors made modifications to the system registry to tamper with security tool configurations and manually uninstalled EDRs from key systems.
The victims
BlackByte victims – as published on their data leak site – are predominantly businesses in the manufacturing, construction and transportation/warehousing sector.
But the researchers think that the true number of BlackByte victims is much higher.
“Our estimate of a 20-30 percent victim post rate is based on the number of victims seen on BlackByte’s data leak site compared to the number of attacks we discovered in our telemetry during the same period by pivoting on indicators shared between those attacks,” they told Help Net Security.
Why some victims get “outed” on the data leak site and others not may depend on a combination of factors, “such as victims paying the ransom before they’re posted to the data leak site, the adversary focusing on attacks with encryption but no exfiltration of victim data, attacks conducted by a RaaS affiliate that isn’t authorized to use the data leak site, or simply a desire by BlackByte to keep a lower profile by being selective with victim posts.”
Based on the findings related to the newest BlackByte attacks, Cisco’s researchers have shared updated recommendations for defenders, as well as the latest indicators of compromise.