As of November 2021, BlackByte ransomware had compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government facilities, financial, and food and agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows hosts, including physical and virtual servers. The BlackByte executable leaves a ransom note in every directory where encryption occurs; the note includes the .onion site that carries instructions for paying the ransom and receiving a decryption key. Some victims reported that the actors used a known Microsoft Exchange Server vulnerability to gain initial access to their networks. Once inside, the actors deploy tools to move laterally and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte has only partially encrypted files, so where decryption is not possible, some data can still be recovered. Previous versions of BlackByte downloaded a .png file from IP addresses 22.214.171.124 and 126.96.36.199 prior to encryption; a newer version encrypts without communicating with any external IP address, so network-based detection of those addresses covers only the older builds. BlackByte runs its executables from C:\Windows\System32 and C:\Windows, and process injection has been observed from the processes it creates.
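The behaviours above (connections to the two listed IPs by older builds, executables launched from C:\Windows or C:\Windows\System32 that then inject into other processes, and a ransom note in every encrypted directory) can each be turned into a simple triage check. The script below is an added example written for this page, not tooling from the advisory or from any vendor. It runs over a constructed, Sysmon-like event list (event ID 3 for network connections, event ID 8 for CreateRemoteThread) and a constructed file listing; the field names, the short injection allowlist, the `update_svc.exe` image name and the `NOTE.txt` ransom-note filename are all hypothetical, since the page does not give BlackByte's note name or binary name.

```python
"""Triage helpers for the BlackByte behaviours described above.

Added example, not from the original page or any vendor tooling. Event
dicts are a constructed, Sysmon-like shape; adapt the keys to your SIEM.
"""
import ntpath
from collections import defaultdict

# IP addresses the page lists for older BlackByte builds (pre-encryption .png fetch).
BLACKBYTE_C2_IPS = {"22.214.171.124", "126.96.36.199"}

# Directories the page says the executable runs from (lower-case, no trailing separator).
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Hypothetical allowlist of Windows binaries that legitimately create remote
# threads from these paths. Build yours from a clean baseline.
INJECTION_ALLOWLIST = {"csrss.exe", "svchost.exe", "lsass.exe", "werfault.exe"}

# Constructed sample telemetry: 203.0.113.5 is a documentation address, and
# update_svc.exe is an invented name standing in for a dropped binary.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 3, "image": r"C:\Windows\update_svc.exe", "dest_ip": "22.214.171.124", "dest_port": 80},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "203.0.113.5", "dest_port": 443},
    {"event_id": 8, "source_image": r"C:\Windows\update_svc.exe", "target_image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 8, "source_image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 8, "source_image": r"C:\Users\alice\AppData\Local\Temp\x.exe", "target_image": r"C:\Windows\explorer.exe"},
]

# Constructed file listing: two of three directories hold the (hypothetical) note.
SAMPLE_LISTING = [
    r"D:\share\finance\q3.xlsx", r"D:\share\finance\NOTE.txt",
    r"D:\share\hr\list.docx", r"D:\share\hr\NOTE.txt",
    r"D:\share\it\tools.zip",
]


def _parent_dir(image_path):
    """Lower-cased parent directory of a Windows path, without trailing backslash."""
    return ntpath.dirname(image_path).lower().rstrip("\\")


def flag_network_iocs(events):
    """(image, dest_ip) pairs for outbound connections to the listed IPs.

    Only meaningful against older builds: the page says newer versions encrypt
    without external communication, so an empty result is not a clean bill.
    """
    return [(ev["image"], ev["dest_ip"]) for ev in events
            if ev.get("event_id") == 3 and ev.get("dest_ip") in BLACKBYTE_C2_IPS]


def flag_injection_from_windows_dir(events):
    """(source, target) pairs where a non-allowlisted image running directly
    out of C:\\Windows or C:\\Windows\\System32 creates a remote thread."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 8:
            continue
        src = ev["source_image"]
        if (_parent_dir(src) in SUSPECT_DIRS
                and ntpath.basename(src).lower() not in INJECTION_ALLOWLIST):
            hits.append((src, ev["target_image"]))
    return hits


def note_coverage(file_paths, note_name):
    """Fraction of directories in a listing that contain the ransom note.

    BlackByte drops a note in every directory it encrypts, so coverage close
    to 1.0 across a volume is a strong post-encryption indicator. The caller
    supplies note_name; the page does not state BlackByte's note filename.
    """
    has_note = defaultdict(bool)
    for p in file_paths:
        d = _parent_dir(p)
        has_note[d] = has_note[d] or ntpath.basename(p).lower() == note_name.lower()
    return sum(has_note.values()) / len(has_note) if has_note else 0.0


if __name__ == "__main__":
    print("network IOC hits:", flag_network_iocs(SAMPLE_EVENTS))
    print("injection from Windows dir:", flag_injection_from_windows_dir(SAMPLE_EVENTS))
    print("ransom-note coverage: %.2f" % note_coverage(SAMPLE_LISTING, "NOTE.txt"))
```

The injection check is the most durable of the three, because it keys on where the binary runs from and what it does rather than on an address the newer builds no longer contact; expect to tune the allowlist against your own hosts before alerting on it.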
Incidents Associated with this Threat
- September 10, 2023: Operational Impact at Electronics Company Alps Alpine Group
- June 14, 2023: Akira and BlackByte both claim cyberattack at Yamaha music equipment manufacturer
- October 30, 2022: BlackByte group claims compromise of precious metal manufacturer in Hong Kong, demanding $1.1M
- August 15, 2022: System Outage at Apex Capital Affects Medium and Small Size Trucking Companies’ Operations
- March 16, 2022: A Year After Devastating Ransomware Attack, Electric Utility Company NV GEBE is Still Recovering
- February 13, 2022: Ransomware Hits 49ers Football Team