The BlackByte ransomware group has been actively exploiting security vulnerabilities to facilitate its attacks, notably including a recently patched flaw in VMware ESXi hypervisors. Cisco Talos reports that threat actors are utilizing a combination of this vulnerability along with various compromised drivers to disrupt security measures. Specifically, the exploitation involves an authentication bypass vulnerability designated CVE-2024-37085, a method previously employed by other e-crime groups, indicating a strategic shift in BlackByte’s approach to attacks.
Since its emergence in late 2021, BlackByte has been recognized as a significant player in the ransomware-as-a-service (RaaS) market. The group has demonstrated a penchant for employing sophisticated tactics to disrupt target systems, including leveraging well-known vulnerabilities like ProxyShell in Microsoft Exchange Server for initial access. This operational adaptability is coupled with a specific avoidance strategy where they deliberately exclude systems with Russian or Eastern European language settings, illustrating a calculated approach to victim selection.
Recent investigations reveal that BlackByte’s attacks often incorporate double extortion tactics, utilizing public leak sites on the dark web to exert pressure on victims. The group has introduced several variants of its ransomware, including those coded in C, .NET, and Go. This ongoing evolution of their malware is indicative of their commitment to improving resilience against detection and enhancing the overall effectiveness of their frameworks.
Trustwave’s release of a decryptor for BlackByte in late 2021 has not deterred the group from refining its methods. For instance, they have developed a custom tool known as ExByte, specifically designed for data exfiltration before encryption processes commence. Observations of their operations suggest a focus on sectors critical to infrastructure, including finance, agriculture, and government facilities, as declared in a U.S. government advisory in early 2022.
Key to the mechanics of BlackByte’s exploitation strategy is the use of vulnerable drivers, a tactic termed “bring your own vulnerable driver” (BYOVD). This technique allows the group to terminate security processes, effectively bypassing existing protections. Cisco Talos noted that the recent intrusion into a victim organization likely began with compromised VPN credentials, potentially acquired through brute-force methods, marking a subtle shift in their operational methodology.
Once inside the network, the attackers were able to escalate privileges by exploiting vulnerabilities, gaining administrator access to the VMware vCenter server. This exploitation method enables them to create new accounts with elevated rights within an Active Directory group, thereby facilitating control over virtual machines and sensitive configurations while accessing diagnostic tools and logs.
The rapidity of their tactics—exploiting security flaws just days after public disclosure—underscores how quickly cybercriminals can adapt their strategies to incorporate new vulnerabilities. The latest attacks from BlackByte have resulted in the encryption of files with a distinctive extension, “blackbytent_h,” as part of their encryption scheme. Additionally, part of the attack involved deploying four compromised drivers with naming conventions indicating incremental values and random alphanumeric sequences.
The sectors most vulnerable to BlackByte’s methods include professional, scientific, and technical services, alongside manufacturing and educational services, demonstrating an extensive reach in terms of potential targets. Cisco Talos also posits that the publicly disclosed cases of BlackByte’s attacks represent only a fraction of actual incidents, suggesting a higher level of activity than is visibly apparent.
The malware employed by BlackByte has notably evolved, transitioning from C# to Go and recently to complex languages such as C/C++. This progression reflects a deliberate strategy to enhance resistance to detection and analysis techniques, as advanced programming allows for the integration of intricate anti-analysis measures. As ransomware threats continue to evolve, understanding the tactics and techniques listed in the MITRE ATT&CK framework will be crucial for organizations looking to bolster their defenses against such sophisticated cyber threats.
Overall, the activities of the BlackByte ransomware group highlight an increasingly complex cybersecurity landscape where business owners must remain vigilant and proactive in safeguarding their networks against evolving threats.
