BlackByte is a ransomware-as-a-service brand believed to be an offshoot of Conti. It was first seen in mid-to-late 2021.
Talos has observed the BlackByte ransomware brand employing new techniques in addition to the standard TTPs previously noted. Further investigation and correlation of new instances with existing telemetry also leads Talos to believe that BlackByte has been considerably more active than previously assumed.
Researchers often rely on leak site inclusions for their activity statistics, but Talos now comments, “The group has been significantly more active than would appear from the number of victims published on its data leak site.” Talos believes, but cannot explain, that only 20% to 30% of BlackByte’s victims are posted.
A recent investigation and blog by Talos reveals continued use of BlackByte’s standard tradecraft, but with some new amendments. In one recent case, initial entry was achieved by brute-forcing an account that had a conventional name and a weak password via the VPN interface. This could represent opportunism or a slight shift in technique, since the route offers additional advantages, including reduced visibility from the victim’s EDR.
Once inside, the attacker compromised two domain admin-level accounts, accessed the VMware vCenter server, and then created AD domain objects for ESXi hypervisors, joining those hosts to the domain. Talos believes this user group was created to exploit the CVE-2024-37085 authentication bypass vulnerability that has been used by multiple groups. BlackByte had earlier exploited this vulnerability, like others, within days of its publication.
Other data was accessed within the victim environment using protocols such as SMB and RDP, with NTLM used for authentication. Security tool configurations were interfered with via the system registry, and EDR agents were sometimes uninstalled. Increased volumes of NTLM authentication and SMB connection attempts were seen immediately prior to the first sign of the file-encryption process and are thought to be part of the ransomware’s self-propagating mechanism.
Talos cannot be certain of the attacker’s data exfiltration methods, but believes its custom exfiltration tool, ExByte, was used.
Much of the ransomware execution is similar to that explained in other reports, such as those by Microsoft, DuskRise and Acronis.
However, Talos now adds some new observations – such as the file extension ‘blackbytent_h’ for all encrypted files. Also, the encryptor now drops four vulnerable drivers as part of the brand’s standard Bring Your Own Vulnerable Driver (BYOVD) technique. Earlier versions dropped just two or three.
Talos notes a progression in programming languages used by BlackByte, from C# to Go and subsequently to C/C++ in the latest version, BlackByteNT. This allows advanced anti-analysis and anti-debugging techniques, a known practice of BlackByte.
Once established, BlackByte is difficult to contain and eradicate. Attempts are complicated by the brand’s use of the BYOVD technique that can limit the effectiveness of security controls. However, the researchers do offer some advice: “Since this current version of the encryptor appears to rely on built-in credentials stolen from the victim environment, an enterprise-wide user credential and Kerberos ticket reset should be highly effective for containment. Review of SMB traffic originating from the encryptor during execution will also reveal the specific accounts used to spread the infection across the network.”
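As an added illustration (not code from the Talos report or from this article), a small Python detection script over constructed sample telemetry: it flags a host whose burst of NTLM authentications and SMB connections matches the self-propagation pattern described above, lists the accounts that burst used (the accounts a credential and Kerberos ticket reset should cover), and spots files written with the blackbytent_h extension. The log format, host names and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

ENCRYPTED_EXT = ".blackbytent_h"            # extension reported for encrypted files
LATERAL_EVENTS = {"NTLM_AUTH", "SMB_CONNECT"}

# Constructed sample telemetry (hypothetical hosts and accounts, not report data):
# "<ISO time> <source_host> <event> <account> <target>"
SAMPLE_LOG = """\
2024-08-01T10:00:00 WS-17 NTLM_AUTH svc_backup FS-01
2024-08-01T10:00:01 WS-17 SMB_CONNECT svc_backup FS-01
2024-08-01T10:00:02 WS-17 NTLM_AUTH svc_backup FS-02
2024-08-01T10:00:02 WS-17 SMB_CONNECT svc_backup FS-02
2024-08-01T10:00:03 WS-17 NTLM_AUTH adm_ops WS-22
2024-08-01T10:00:03 WS-17 SMB_CONNECT adm_ops WS-22
2024-08-01T10:00:04 WS-17 NTLM_AUTH adm_ops WS-23
2024-08-01T10:00:30 WS-22 FILE_CREATE adm_ops C:\\share\\q3.xlsx.blackbytent_h
2024-08-01T10:05:00 WS-04 NTLM_AUTH jdoe FS-01
2024-08-01T10:20:00 WS-04 SMB_CONNECT jdoe FS-01
"""

def parse_log(text):
    """Parse the space-separated sample format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, host, kind, account, target = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "account": account, "target": target})
    return sorted(events, key=lambda e: e["ts"])

def find_spread_hosts(events, window_s=60, threshold=6):
    """Return {host: accounts} for hosts with >= threshold NTLM/SMB events
    inside any window_s-second window (the pre-encryption burst pattern)."""
    recent = defaultdict(deque)      # host -> (timestamp, account) in window
    flagged = defaultdict(set)
    for e in events:
        if e["kind"] not in LATERAL_EVENTS:
            continue
        q = recent[e["host"]]
        q.append((e["ts"], e["account"]))
        while (q[-1][0] - q[0][0]).total_seconds() > window_s:
            q.popleft()              # drop events that fell out of the window
        if len(q) >= threshold:
            flagged[e["host"]].update(a for _, a in q)
    return {h: sorted(a) for h, a in flagged.items()}

def find_encrypted_files(events):
    """Paths written with the BlackByteNT extension: first sign of encryption."""
    return [e["target"] for e in events
            if e["kind"] == "FILE_CREATE" and e["target"].endswith(ENCRYPTED_EXT)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spreading hosts / accounts:", find_spread_hosts(evs))
    print("encrypted files:", find_encrypted_files(evs))
```

WS-04's two events fifteen minutes apart stay below the threshold, so only the WS-17 burst is reported.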
BlackByte defensive recommendations, a MITRE ATT&CK mapping for the new TTPs, and a limited list of IoCs are provided in the report.