The BlackByte ransomware group has resurfaced with its sights on critical infrastructure organizations, according to a new joint cybersecurity alert by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS).
By November 2021, BlackByte ransomware operators had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture), the agencies said.
The FBI and USSS describe BlackByte as a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.
BlackByte ransomware group has evolved into a potent cybercrime group
The agencies noted that the BlackByte ransomware group leaves a ransom note in every directory where it encrypts files. The ransom note includes a Tor (‘.onion’) site and instructions for receiving the decryption key in exchange for a ransom payment.
However, the BlackByte ransomware gang encountered a setback when security researchers discovered that it reused the same encryption key and released a free decryption tool. Many industry experts believed that BlackByte attacks were executed by novices.
Since then, the BlackByte operation has quickly evolved into a leading ransomware extortion gang with reliable infrastructure. The group lends its cybercrime infrastructure to various affiliates in exchange for a commission on each successful ransom payment.
“The increasing professionalization of ransomware groups is an outcome of ransomware’s success as a tool,” Tim Erlin, VP of Strategy at Tripwire, said. “More organized, professional groups increase the threat, but they also change the landscape for law enforcement. Organized criminal groups are not new, and the larger the group, the more of a footprint they’re likely to have.”
The Media Trust’s Chris Olson lamented that the ransomware threat continued to grow despite the publicity given to ransomware incidents.
“Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth,” Olson said. “Ransomware-as-a-service (RaaS) is the new mafia. As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits, and sensitive data harvesting.”
According to the joint alert, the BlackByte ransomware group exploits known vulnerabilities, with some victims reporting that BlackByte operators exploited Microsoft Exchange servers to gain access to their networks.
Additionally, the BlackByte ransomware gang deploys various tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files.
However, the alert noted that BlackByte ransomware leaves some partially encrypted files, and the victims could recover their data in such cases.
“Similar to other ransomware operators, BlackByte’s techniques aren’t necessarily sophisticated, but they are impactful, tried-and-true tactics,” Harrison Van Riper, Senior Intelligence Analyst at Red Canary, said. “In this instance, the bad actors gained access by exploiting a vulnerability in the company’s Microsoft Exchange server, installing a web shell, and then dropping the popular adversarial tool, Cobalt Strike.”
Van Riper added that the BlackByte encryption process was unusual in that the attackers also attempted to delete a scheduled task belonging to the ransomware vaccine “Raccine.”
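The Raccine task deletion described above is a useful detection point for defenders. The following is an added example, not code from the alert or the article: it scans simplified Windows Security event records for event ID 4699 (a scheduled task was deleted) and flags any deletion whose task name matches the vaccine. The event dicts, host names and the task name are constructed for the demo.

```python
# Added example: flag deletion of the Raccine ransomware-vaccine scheduled
# task in Windows Security events. Windows logs scheduled-task deletion as
# Security event ID 4699 with the task path in the TaskName field. Records
# below are constructed, simplified dicts rather than real log captures.
from dataclasses import dataclass

EVENT_TASK_CREATED = 4698
EVENT_TASK_DELETED = 4699

# Case-insensitive substring markers for protective tasks whose removal is a
# precursor signal. Only Raccine is named on the page.
PROTECTIVE_TASK_MARKERS = ("raccine",)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    task: str
    reason: str


def _is_protective_task(task_name: str) -> bool:
    name = task_name.lower()
    return any(marker in name for marker in PROTECTIVE_TASK_MARKERS)


def detect_vaccine_tampering(events):
    """Return one Alert per 4699 event that deletes a protective task.
    Creation events and deletions of unrelated tasks are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != EVENT_TASK_DELETED:
            continue
        task = ev.get("TaskName", "")
        if _is_protective_task(task):
            user = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
            alerts.append(Alert(ev.get("Computer", "?"), user, task,
                                "ransomware-vaccine scheduled task deleted"))
    return alerts


# Constructed sample records; the Raccine task name is assumed for the demo.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "FS01", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_backup", "TaskName": "\\Nightly Backup"},
    {"EventID": 4699, "Computer": "FS01", "SubjectDomainName": "CORP",
     "SubjectUserName": "admin", "TaskName": "\\Raccine Rules Updater"},
    {"EventID": 4699, "Computer": "WS22", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "TaskName": "\\Adobe Acrobat Update Task"},
]

if __name__ == "__main__":
    for a in detect_vaccine_tampering(SAMPLE_EVENTS):
        print(f"[ALERT] {a.host}: {a.user} deleted {a.task!r} ({a.reason})")
```

In a real deployment the same check would run over 4699 events pulled from a SIEM, and an alert here should be correlated with the Exchange web shell and Cobalt Strike activity the analyst describes.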
Ransomware attack on San Francisco 49ers
The FBI and the Secret Service did not name the critical infrastructure and business organizations compromised by the BlackByte ransomware group. However, a few days before the alert, the BlackByte ransomware group claimed to have encrypted a corporate network belonging to the San Francisco 49ers.
The ransomware group leaked a few files ahead of the Super Bowl to back up its claim of responsibility for the attack. The stolen data included billing statements sent to the club’s partners.
Additionally, BlackByte listed the club on the data leak site it uses to shame its extortion victims. The San Francisco 49ers confirmed the BlackByte ransomware attack but downplayed its impact.
“While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we do not indicate that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” a spokesperson told Recorded Future’s The Record.
San Francisco 49ers representatives said they notified law enforcement agencies and contracted third-party cybersecurity experts to investigate the incident.
Felix Rosbach, product manager with comforte AG, said the San Francisco 49ers network security incident demonstrated that ransomware attacks can affect any organization.
“Every enterprise should operate under the assumption that its perimeters have already been breached and that unauthorized access to data or resources will lead to exposed sensitive information.”
He advised organizations to prepare for this possibility with quick recovery in mind.
“A better course of action other than relying on paying a ransom is to prepare for this eventuality with robust recovery capabilities (tools and processes) combined with proactive data-centric protection,” Rosbach said. “The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage.”
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, attributed the increasing ransomware threat to the victims’ lack of transparency.
“I fully understand the potential legal liability or reputational damage that may result from an honest accounting of the attack timeline, including possible failures or negligence that contributed to the incident, but the outcome of not publishing this analysis means that many organizations are left uninformed on where their own exposures might be,” Clements said. “After all, many cybercriminal organizations use very similar techniques in attacking multiple victims. A detailed analysis of events would raise awareness for everyone.”
How to protect critical infrastructure organizations from BlackByte ransomware group attacks
The alert listed BlackByte’s indicators of compromise (IoCs) so that network defenders can protect the critical infrastructure and business organizations targeted by the BlackByte operation.
The agencies advised critical infrastructure operators to perform regular backups and to store password-protected copies offline. The backups should not be reachable from the network where the original data resides.
Additionally, critical infrastructure network defenders should implement network segmentation to restrict access between parts of their networks and devices.
Similarly, they should install software, operating system, and firmware security updates as soon as they are released.
Critical infrastructure network defenders should also review their workstations, servers, domain controllers, Active Directory, and user accounts for unknown accounts and suspicious privilege assignments.
Additionally, they should disable unused or unnecessary remote access paths and Remote Desktop Protocol (RDP) ports, and audit remote access logs for suspicious activity.
They should also add banners to emails received from outside the organization, disable hyperlinks in received emails so users cannot click on phishing links, and add another layer of authentication such as 2FA to protect corporate accounts and services.
“Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it,” Rosbach said. “Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data. And that’s what ransomware is all about—blackmail. Don’t let that happen to your organization. Accept the eventuality and prepare accordingly.”