The cybersecurity firm Trustwave recently found a new but odd form of ransomware during an incident response engagement. Researchers have dubbed it BlackByte. It is odd because of some of the functional and design decisions its creators made. The most striking mistakes were using a single encryption key for every victim and relying on code obfuscation that can be bypassed easily. Interestingly, BlackByte does not target Russian computers, a trait common among ransomware originating from Russia.
What Is BlackByte?
According to BleepingComputer, BlackByte is a ransomware operation that began targeting corporate victims across the globe in early July 2021. BleepingComputer also notes that BlackByte is less active than other ransomware operations. Nevertheless, it has carried out several cyberattacks worldwide, so it is not something one should ignore.
Exploiting Standard Obfuscation Techniques
A BlackByte ransomware attack begins when an obfuscated launcher is introduced on a compromised system. The malware uses standard obfuscation techniques, which may include renaming variables, padding the file with unused junk code, and scrambling the code.
Use of Double-Extortion
BlackByte has also adopted double extortion. Threat actors do not stop at locking up systems; they also threaten their victims with leaking their confidential information.
Like other ransomware operators that run leak websites, such as REvil, Babuk, and Conti, BlackByte has also rolled out its own site, which claims to hold data exfiltrated from its victims.
However, the surprising thing is that, according to researchers, BlackByte does not appear to have any exfiltration functionality. The claim is therefore likely a bluff intended to persuade victims into paying the ransom.
The malware’s self-propagation routine queries Active Directory for a thousand hostnames, sends a wake-on-LAN packet, and infects the devices it can reach. This effectively turns the program into a worm. While crude, the worm functionality could cause considerable spread inside an organization, as the researcher indicated.
Amateur Developers behind BlackByte Ransomware
BlackByte’s design suggests that the developers behind it are inexperienced. By all accounts, BlackByte does not appear to be a variant of an earlier ransomware family. Karl Sigler, a senior security research manager at Trustwave, has also pointed out that the developers who designed BlackByte are inexperienced, adding that they appear to have written the ransomware from scratch, but clumsily.
Note, however, that BlackByte has a few resemblances to other ransomware associated with Russia. For example, it avoids Russian-language systems, as REvil does, and uses network exploitation to spread inside networks, just like Ryuk.
The encryption process of BlackByte also shows that it is the work of unskilled threat actors. BlackByte uses the same key to encrypt files instead of a unique key for each session, whereas sophisticated ransomware operators usually employ a unique key per session. As a result, decrypting a file only requires the symmetric encryption key, which is downloaded from a public server.
It seems that a new ransomware gang, BlackByte, has entered cyberspace. Given the number of mistakes it has made in developing its tool, though, this one is a beginner. Along similar lines, are you dealing with ransomware or cyber extortion? We can help: our Cyber Incident Response Team offers an elite response for your organization.