THREAT ACTOR: BlackByte

As of November 2021, BlackByte ransomware had compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers. BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur. Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:windowssystem32 and C:Windows. Process injection has been observed on processes it creates.

 

Incidents Associated with this Threat

  • February 13, 2022: Ransomware Hits 49ers Football Team

Malware Used by this Threat Actor

No malware identified for this threat actor.

Pin It on Pinterest

Scroll to Top