
BlackByte Ransomware Group Adds New “Feature” to Data Leak Site With Tiered Payment Options

The BlackByte ransomware gang’s “2.0” reboot of their data leak site sports a new “feature” for its victims: a tiered payment system that allows for smaller payments to delay publication of sensitive data, or to simply download and recover it prior to having it dumped for public viewing.

The group had disappeared briefly over the summer after being one of the biggest and most active ransomware gangs in the early part of 2022. Among other targets, the group’s data leak site sported files from critical infrastructure companies in several countries, as well as the NFL’s San Francisco 49ers, and the group is known for specifically targeting large organizations thought to have the ability to pay proportionally large ransom demands.

BlackByte ransomware return comes with “payment features” for victims

The BlackByte ransomware gang has been in operation since at least July 2021. While the group has always been prolific and shown a propensity to target big fish, it was not initially taken very seriously by security analysts due to seemingly amateurish encryption techniques. In October of 2021, security firm Trustwave discovered that the group was using the same key to encrypt the files of all its victims and released it to the public.

The group quickly stepped up its game, however, improving its technique and increasing its attack volume by 300% over the final quarter of 2021. BlackByte ransomware became enough of an international problem to merit an FBI and Secret Service joint advisory about it issued in February of this year. The group uses the increasingly standard “double extortion” approach of both encrypting victim files and threatening to dump them for public viewing on its data leak site, but Palo Alto Networks and other security firms report finding an underground Tor auction site where some of this stolen data is sold to private bidders.

The BlackByte ransomware group’s primary interest is in companies in Europe and the United States, and it is not afraid to go after healthcare and critical infrastructure firms. The group is believed to be based in Russia as its malware will not deploy on systems that have Eastern European language settings, a common feature of criminal groups that operate out of this part of the world. It is also known to go after specific vulnerabilities: unpatched Microsoft Exchange server flaws, and a known vulnerable version of the SonicWall VPN.

The “2.0” rebrand comes after BlackByte ransomware appeared to slow down for the summer. It takes a page from category leader LockBit’s recent pivot, which also included the addition of a new “feature” (bug bounties) as an apparent marketing tactic. There is not yet any indication that the ransomware has been changed or improved, but the data leak site is new and redesigned.

According to Harrison Van Riper, Senior Intelligence Analyst at Red Canary, the group’s approach and tactics should be expected to remain the same: “Red Canary first observed BlackByte in the wild in 2021, exploiting the ProxyShell vulnerabilities for initial access and subsequently dropping Cobalt Strike beacons. Despite BlackByte’s new website and payment options for allegedly stolen data, the operation’s extortion tactics remain the same, relying on a public website to identify purported victims and threatening to leak stolen information if the victims fail to pay a ransom in cryptocurrency … We haven’t seen an instance of this new version of BlackByte ransomware yet, though we’ll certainly be tracking the operation as we have in the past.”

Data leak site allows victims a choice of payment amounts

Security researchers noted that the new data leak site had not embedded the payment addresses correctly, making it impossible for victims to actually make payments. But at the moment the BlackByte ransomware group appears to have only one victim on the hook, judging by the list of entities it is currently threatening.

Presumably the gang will fix the payment site, and when they do victims will have the option of paying the full ransom demand to have their stolen data destroyed, or a lesser amount that only partially mitigates the damage of the attack. Victims can pay smaller amounts to simply put the data dump off for 24 hours, or to recover stolen data that they may not have backed up. The gang is likely to vary the amounts requested based on their initial demand, but the current victim is looking at an asking price of $300,000 to have their data destroyed versus $200,000 to access it and $5,000 to extend the clock another day.

While some victims may opt to push the deadline out as they involve law enforcement or take stock of exactly what was lost, these choices do not seem to be so much about increasing profits as they are about drumming up free media coverage. Like most of the major ransomware operators, BlackByte ransomware uses an “RaaS” model in which the infrastructure can be rented out by partners. They are thus in competition with other players such as LockBit, and need to do a little advertising to stay front-of-mind with potential criminal associates. The group has been promoting the new “feature” of its data leak site across Twitter with a variety of handles.

Claire Tills, senior research engineer with Tenable, notes that this is a trend of “one-upmanship” with these ransomware operations that has been gradually playing out since RaaS began as a concept several years ago: “We often see threat actors borrowing tactics from one another. Most notable was the renaissance of double extortion kicked off by Maze in 2019. Those extortion tactics have continued to expand as threat groups try to find new ways to generate revenue from alternative sources and motivate victims to pay. While members often jump from group to group, it is just as likely that BlackByte operators saw the coverage of LockBit 3.0 and jumped on the wagon.”

John Bambenek, Principal Threat Hunter at Netenrich, adds that based on BlackByte’s prior track record of operation no one should expect them to actually keep their word after a payment is made via this data leak site: “I don’t believe for one minute that this group will delete data and not provide it to another criminal group if they are paid enough. It may entice those playing around the darker corners of corporate espionage, but they are floating a trial balloon and we’ll see what bites … BlackByte has made some mistakes, such as their error with accepting payments in the new site, which makes me infer they may be a little lower on the skill level than others. But, open source reporting says they are still compromising big targets, including those in critical infrastructure. The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue such as we saw with Colonial Pipeline.”