Upgraded BlackByte ransomware discovered in new samples

April 29, 2022

Cybersecurity researchers have published a new advisory regarding the notorious BlackByte ransomware group. The advisory includes information and assessment regarding the newly discovered BlackByte samples from the group’s recent attacks.

Based on reports, the analysts who examined the group’s behaviour discovered several variants of BlackByte ransomware circulating in the wild. The variants are written in .NET and Go, and one variant was also found written in a combination of C and Go.

The ransomware payloads are packed with UPX by the threat operators and feature worm-like capabilities. In addition, the recently discovered samples carry an embedded icon depicting a grim reaper. Other recent versions also changed their .exe icon to a different grim reaper image, this time accompanied by the letters “BB”, the initials of BlackByte.
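Since the advisory notes that the payloads are UPX-packed, a defender triaging suspicious executables can check a PE file’s section table for UPX-style section names. The script below is an added example, not code from the advisory or from any BlackByte analysis; it builds a constructed header-only PE image for testing and treats section names as a weak heuristic only, since a packer’s section names can be renamed.

```python
import struct
import sys

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image held in memory, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # COFF file header follows the PE signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = sec_table + i * 40              # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated file: stop rather than misparse
        raw = data[off:off + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX names its sections UPX0/UPX1/UPX2 (sometimes .UPX0 or UPX!)."""
    return any(n.lstrip(".").upper().startswith("UPX") for n in pe_section_names(data))

def build_minimal_pe(section_names) -> bytes:
    """Constructed sample: a header-only PE32+ image (not a runnable program) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0                           # PE32+ optional header size; contents unused here
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections

def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return looks_upx_packed(fh.read())

if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed samples.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {'UPX-packed?' if scan_file(p) else 'no UPX section names'}")
    else:
        packed = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
        plain = build_minimal_pe([b".text", b".data", b".rsrc"])
        print("packed sample:", looks_upx_packed(packed))   # True
        print("plain sample:", looks_upx_packed(plain))     # False
```

A hit only says the file carries UPX section names; unpack it in an isolated analysis environment before drawing conclusions about what it is.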

Another upgrade the analysts observed is a set of changes to the Windows registry that elevate the malware’s privileges and make the infection process more straightforward.


BlackByte has also improved how it establishes persistence in each attack.


For initial access, the BlackByte attackers exploit known Microsoft Exchange Server flaws that researchers track as the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Furthermore, the threat actors deploy malicious web shells for remote code execution (RCE) and persistence. The ransomware then skips critical system folders, application folders, and other critical components.

Researchers developed a decryptor for BlackByte and released it on GitHub. However, the threat actors countered this move by modifying the latest version so that the decryptor no longer works.

The ransomware group is known to have compromised the energy, public, financial, and agricultural sectors, especially in the United States. Although the group focuses mainly on US targets, it has also attacked firms in Asia, Africa, Europe, South America, and Canada.

The advisory expects the BlackByte ransomware group to continue its attacks and extortion campaigns against numerous organisations. Experts recommend that organisations deploy robust anti-ransomware measures, including reliable backups of essential data, up-to-date patches for systems and networks, and proper access controls, to keep sensitive data protected from ransomware groups’ attempts.
