ALPS blog

Ransomware Spotlight: BlackByte

BlackByte is a ransomware group that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of a getting a payout. What techniques set it apart?

BlackByte debuted in July 2021. Its first year of activity garnered the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). According to a joint advisory by these two government agencies, BlackByte had already gone after at least three US critical infrastructure sectors (government facilities, financial, and food and agriculture) by November 2021.

This advisory shows just how BlackByte was actively establishing itself as a new noteworthy ransomware variant. On October 2021, Trustwave released a publicly available decrypter for BlackByte. This however did not stop BlackByte as developers released newer versions that used multiple keys and ramped up operations, going as far as to warn their victims against using the available decrypter on their website.

BlackByte’s emergence could be part of a larger scheme. With the purported shut down of Conti, researchers from AdvIntel surmise that BlackByte is one of the chief new ransomware variants part of its rebranding.

At present, BlackByte continues to target organizations from all over the world. However, like LockBit, RansomEXX, and many other ransomware families, BlackByte avoids attacking Russia-based entities.

What do organizations need to know about BlackByte?

While BlackByte operators use their piece of ransomware in attacks for their own gain, they also run on a ransomware-as-a-service (RaaS) model for their affiliates. We have listed down the key highlights of BlackByte here:

  • Initial versions used symmetric keys. The earlier variant of BlackByte used the same key in each campaign to encrypt files. It also used AES, a symmetric key algorithm. This allowed researchers to create a decrypter to help BlackByte victims, thus forcing the group to change their encryption method in newer variants.
  • It has multiple variants. The first known version of BlackByte was written in C#. Operators then released two Go-based variants. The more recent Go-variant was introduced around February 2022 and sported modifications particularly in its encryption algorithm.
  • Archives files using WinRAR. In BlackByte campaigns data exfiltration is done before the ransomware is deployed. This is because the BlackByte ransomware is incapable of exfiltrating data, instead it archives files using WinRAR then uploads the file to sharing sites.
  • Uses trojanized legitimate tools. Like most modern ransomware variants, BlackByte uses living-off-the-land binaries. For example, it uses the remote tool AnyDesk to gain further control over a system and for lateral movement.
  • Involves phishing emails or a known ProxyShell vulnerability for initial access. BlackByte has been known to use phishing emails or exploit unpatched ProxyShell vulnerability in Microsoft Exchange Servers to gain initial access into a system.

BlackByte trajectory seems to point to continuing activity. In fact, reports indicate that BlackByte is among the ransomware operations that have set their sights on Latin American governments in May 2022. This report is reflected in our own telemetry data as seen in the next section.


Featured News