The BlackByte ransomware group has compromised organizations across at least three U.S. critical infrastructure sectors, the FBI warned in a recent cybersecurity advisory covering the group's activity as of November 2021.
The ransomware-as-a-service (RaaS) group joins several other ransomware actors that have targeted critical infrastructure operators over the past year, including BlackMatter. At the same time, cyberattacks like the one on the Colonial Pipeline have made critical infrastructure security a top priority for the U.S. government.
“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture),” according to the advisory from the FBI and the U.S. Secret Service (USSS), which listed several known tactics used by the group, as well as Indicators of Compromise (IoCs). “BlackByte… encrypts files on compromised Windows host systems, including physical and virtual servers.”
The FBI said that some victims reported BlackByte actors using known Microsoft Exchange Server vulnerabilities to gain initial access to their networks. A Red Canary analysis published in November observed BlackByte operators exploiting the ProxyShell flaws on a target's Microsoft Exchange server. After initial access, the actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Red Canary researchers said they have seen the group drop a Cobalt Strike beacon on compromised servers for additional post-exploitation capability, and use the AnyDesk remote desktop application to reach multiple systems.
From there, the FBI said, the ransomware executable drops a ransom note in every directory it encrypts; the note includes a .onion site with instructions for paying the ransom and obtaining a decryption key.
“In some instances, BlackByte ransomware actors have only partially encrypted files,” according to the FBI. “In cases where decryption is not possible, some data recovery can occur.”
Before encrypting, previous versions of the ransomware downloaded a .png file from two IP addresses (126.96.36.199 and 188.8.131.52), as previously analyzed by researchers at Trustwave. The FBI said a newer version proceeds straight to encryption without contacting any external IP address, so network indicators tied to those addresses will not catch current builds. The group has also been observed using process injection, a defense-evasion technique in which malicious code is run inside the address space of another, legitimate process so that it is harder for security tooling to spot.
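The intrusion chain described in the two paragraphs above (ProxyShell against Exchange, a shell spawned from the IIS worker, a silent AnyDesk install, process injection, and the legacy staging IPs) maps onto a handful of log checks. The script below is an added illustration, not code from the FBI/USSS advisory, Red Canary or Trustwave. The IIS and Sysmon records are constructed for the demo; the ProxyShell URL shape, the Sysmon event IDs (1 process create, 3 network connect, 8 CreateRemoteThread) and the AnyDesk unattended-install switches are assumed from public documentation, and the two IP addresses are the ones quoted in the article.

```python
"""Triage constructed IIS and Sysmon records for the BlackByte-style chain.

Added example for this article; the sample data below is made up and the
detection logic is illustrative, not the vendors' or the FBI's own rules.
"""
import re

# Staging addresses the article attributes to earlier BlackByte builds.
# The newer variant makes no outbound connection, so this is a legacy check.
LEGACY_STAGING_IPS = {"126.96.36.199", "188.8.131.52"}

# ProxyShell path confusion: a request to the Autodiscover frontend whose
# query begins with "@" and tunnels to a backend such as /mapi/nspi or
# /powershell. IIS logs stem and query in separate fields, so the URL is
# rebuilt before matching.
PROXYSHELL_RE = re.compile(
    r"/autodiscover/autodiscover\.json\?@[^/]+/(mapi|powershell|ews)", re.I
)

WEB_WORKER = "w3wp.exe"                       # Exchange IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed W3C lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-11-02 10:14:01 203.0.113.7 GET /owa/auth/logon.aspx - 200
2021-11-02 10:14:30 203.0.113.9 GET /autodiscover/autodiscover.xml - 401
2021-11-02 10:15:22 203.0.113.7 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 200
2021-11-02 10:15:23 203.0.113.7 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@evil.example 200
"""

# Constructed Sysmon-style events (already parsed into dicts).
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"'},
    {"EventID": 1, "Image": r"C:\ProgramData\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\update.exe",
     "DestinationIp": "126.96.36.199", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",   # benign
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def parse_iis_line(line):
    """Parse one minimal W3C line into a dict, or None for headers/junk."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time, client, method, stem, query, status = parts
    url = stem if query == "-" else f"{stem}?{query}"
    return {"ts": f"{date} {time}", "client": client, "method": method,
            "url": url, "status": int(status)}


def find_proxyshell_requests(log_text):
    """Return parsed IIS records whose rebuilt URL matches the ProxyShell shape."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and PROXYSHELL_RE.search(rec["url"]):
            hits.append(rec)
    return hits


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_sysmon(events):
    """Flag webshell children, silent AnyDesk installs, remote threads, legacy C2."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if parent == WEB_WORKER and img in SHELLS:
                findings.append(("webshell_child", f"{parent} -> {cmd}"))
            if img == "anydesk.exe" and "--install" in cmd and "--silent" in cmd:
                findings.append(("anydesk_silent_install", cmd))
        elif eid == 8:  # CreateRemoteThread into another process
            findings.append(("remote_thread",
                             f"{basename(ev['SourceImage'])} -> {basename(ev['TargetImage'])}"))
        elif eid == 3 and ev.get("DestinationIp") in LEGACY_STAGING_IPS:
            findings.append(("legacy_staging_ip",
                             f"{basename(ev['Image'])} -> {ev['DestinationIp']}"))
    return findings


def triage(iis_log, events):
    """Combine web-tier and endpoint findings as (tag, detail) tuples."""
    findings = [("proxyshell_request", f"{r['client']} {r['method']} {r['url']}")
                for r in find_proxyshell_requests(iis_log)]
    findings.extend(triage_sysmon(events))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_IIS_LOG, SAMPLE_SYSMON_EVENTS):
        print(f"[{tag}] {detail}")
```

The legacy IP match is kept only to show why it is weak: because the newer build never phones home, the host-side signals (a shell under w3wp.exe, an unattended AnyDesk install, a CreateRemoteThread from an unsigned binary) are the ones worth alerting on. In a real deployment the IIS parser should be replaced with one driven by the `#Fields:` header rather than a fixed column order.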
Harrison Van Riper, senior intelligence analyst at Red Canary, said that the tactics in the FBI’s advisory are consistent with what Red Canary has observed from BlackByte operators, which “use tried and true tactics.”
“Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn’t mean they aren’t impactful," said Van Riper. "The operation we observed relied on known techniques for initial access, such as the ProxyShell exploitation, and common network reconnaissance commands."
Brett Callow, threat analyst with Emsisoft, said that BlackByte emerged in the middle of last year and has been “slowly but steadily” amassing victims ever since. These victims have reportedly included organizations like the Iowa-based Farmers Cooperative Elevator Co., and, more recently, the San Francisco 49ers NFL team.
“Like multiple other ransomware families, it's coded not to encrypt systems that use Russian or CIS languages but - and I want to stress this - that does not mean the attack came from Russia or the CIS,” said Callow.
In its BlackByte advisory, the FBI said organizations can protect themselves by implementing regular data backups that should be stored as air-gapped, password-protected copies offline. Organizations should also “ensure these copies are not accessible for modification or deletion from any system where the original data resides,” said the FBI. Other mitigation measures include implementing network segmentation, installing antivirus software and regularly applying patches and software updates.
Van Riper noted that the most important takeaway for companies is “to have a plan in place.”
“In the middle of a ransomware attack is the worst time to realize you don’t have a playbook for how to handle the situation,” said Van Riper. “Companies should heed the warnings from the FBI and USSS, but remain calm and ensure they have appropriate defense-in-depth as well as an incident response playbook.”
The alert comes days after national security authorities in the United States, UK, and Australia released a warning that ransomware groups are continuing to shift their tactics to stay ahead of defenses. That alert revealed that 14 of the 16 designated critical infrastructure sectors in the U.S. were targeted by attacks in 2021, but noted that in the second half of the year, ransomware groups shifted away from larger organizations in favor of smaller targets in the U.S. Still, Karl Sigler, senior security research manager at Trustwave, said that the threat of ransomware will continue.
"This new BlackByte campaign suggests that despite the arrests made in Russia regarding members of the REvil gang, other cybercriminals are not feeling much pressure to curb their activity," said Sigler. "Combine massive revenue and no fear of repercussions, and you have a threat that shows no sign of slowing down."