The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections.
"The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor," Cisco Talos said in a technical report shared with The Hacker News.
The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has also been weaponized by other ransomware groups, is a sign that the e-crime group is pivoting from established approaches.
BlackByte made its debut in the second half of 2021 and is believed to be one of the autonomous ransomware offshoots to have emerged in the months leading up to the shutdown of the infamous Conti ransomware crew.
The ransomware-as-a-service (RaaS) group has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to obtain initial access, while avoiding systems that use Russian and various Eastern European languages.
Like other RaaS groups, it also leverages double extortion as part of its attacks, adopting a name-and-shame approach via a data leak site operated on the dark web to pressure victims into paying up. Several variants of the ransomware, written in C, .NET, and Go, have been observed in the wild to date.
While a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to refine its modus operandi, even going to the extent of employing a custom tool named ExByte for data exfiltration prior to commencing encryption.
An advisory released by the U.S. government in early 2022 attributed the RaaS group to financially motivated attacks targeting critical infrastructure sectors, including financial, food and agriculture, and government facilities.
One of the crucial aspects of their attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a technique known as bring your own vulnerable driver (BYOVD).
Cisco Talos, which investigated a recent BlackByte ransomware attack, said the intrusion was likely facilitated using valid credentials to access the victim organization's VPN. It is believed that the initial access was obtained through a brute-force attack.
"Given BlackByte's history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or may represent opportunism," security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans said. "The use of the victim's VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization's EDR."
The threat actor subsequently managed to escalate their privileges, using the permissions to access the organization's VMware vCenter server to create and add new accounts to an Active Directory group named ESX Admins. This, Talos said, was done by exploiting CVE-2024-37085, which enables an attacker to gain administrator privileges on the hypervisor by creating a group with that name and adding any user to it.
This privilege could then be abused to control virtual machines (VMs), modify the host server's configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.
Talos pointed out that the exploitation of the flaw took place within days of public disclosure, highlighting the speed at which threat actors refine their tactics to incorporate newly disclosed vulnerabilities into their arsenal and advance their attacks.
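From the defender's side, the ESX Admins technique described above leaves a trail on the domain controllers rather than on the hypervisor: the group has to be created in Active Directory and members added to it. The following is an added example, not code from the Talos report, that scans Windows Security audit records for the creation of, or membership changes to, a group with that name. The event IDs are the standard Microsoft group-management audit IDs (4727/4731/4754 for security group creation, 4728/4732/4756 for member additions); the sample records, account names and the `SubjectUser`/`TargetGroup` field names are constructed for the example. The rename check on event 4781 goes beyond what the article describes and is an assumption: because the hypervisor matches the group by name, a renamed group would meet the same condition, so it is worth flagging alongside creation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Group name that the article reports being created/populated to abuse CVE-2024-37085.
SENSITIVE_GROUP = "esx admins"

# Standard Windows Security audit event IDs for group lifecycle changes.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal security group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal security group
GROUP_RENAMED = {4781}               # group name changed (assumption: rename reaches the same state)


@dataclass(frozen=True)
class Alert:
    event_id: int
    reason: str
    actor: str
    group: str
    member: Optional[str]


def normalize(name: str) -> str:
    """Case-insensitive comparison that also tolerates the DOMAIN\\Group form."""
    return name.split("\\")[-1].strip().lower()


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if this audit record touches an 'ESX Admins' group, else None."""
    eid = ev["EventID"]
    if eid in GROUP_CREATED and normalize(ev["TargetGroup"]) == SENSITIVE_GROUP:
        return Alert(eid, "group created", ev["SubjectUser"], ev["TargetGroup"], None)
    if eid in MEMBER_ADDED and normalize(ev["TargetGroup"]) == SENSITIVE_GROUP:
        return Alert(eid, "member added", ev["SubjectUser"], ev["TargetGroup"], ev.get("Member"))
    if eid in GROUP_RENAMED and normalize(ev.get("NewName", "")) == SENSITIVE_GROUP:
        return Alert(eid, "group renamed", ev["SubjectUser"], ev["NewName"], None)
    return None


def scan(events) -> list:
    """Run check_event over a sequence of parsed audit records and keep the hits."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample records (field names and accounts are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUser": "CORP\\jdoe", "TargetGroup": "ESX Admins"},
    {"EventID": 4728, "SubjectUser": "CORP\\jdoe", "TargetGroup": "CORP\\ESX Admins", "Member": "CORP\\svc-backup"},
    {"EventID": 4728, "SubjectUser": "CORP\\admin", "TargetGroup": "Finance-Users", "Member": "CORP\\asmith"},
    {"EventID": 4781, "SubjectUser": "CORP\\jdoe", "OldName": "Helpdesk", "NewName": "esx admins"},
    {"EventID": 4624, "SubjectUser": "CORP\\jdoe"},  # a logon event, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.event_id}] {alert.reason}: {alert.group} by {alert.actor}"
              + (f" (member {alert.member})" if alert.member else ""))
```

In a real deployment the records would come from a SIEM query on the domain controllers; the point of the check is that any activity on a group with this exact name is rare enough in most environments to alert on unconditionally, independent of who performed it.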
Furthermore, the recent BlackByte attacks culminate with the encrypted files being rewritten with the file extension "blackbytent_h," with the encryptor also dropping four vulnerable drivers as part of the BYOVD attack. All four drivers follow a similar naming convention: eight random alphanumeric characters followed by an underscore and an incremental numerical value:
- AM35W2PH (RtCore64.sys)
- AM35W2PH_1 (DBUtil_2_3.sys)
- AM35W2PH_2 (zamguard64.sys aka Terminator)
- AM35W2PH_3 (gdrv.sys)
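The naming convention above is more useful for detection than the random prefix itself, because the prefix changes per sample while the shape (one eight-character alphanumeric name, then the same name with `_1`, `_2`, `_3`) and the fact that all four land in quick succession from one process do not. The following is an added example, not code from the report, that reads file-creation records in a constructed pipe-separated format (timestamp, writing process, path, and the driver's PE OriginalFilename where the collector supplies it), groups matching names by process and prefix, and raises an alert when several files sharing a prefix appear within a short window. The process name `encryptor.exe` and the paths are invented; the four file names and the original driver names are the ones listed in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reported convention: eight alphanumeric characters, optionally "_<n>", with or without .sys.
DROPPED_DRIVER_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9]{8})(?:_(?P<seq>\d+))?(?:\.sys)?$", re.IGNORECASE)

# Original names of the four vulnerable drivers named in the report.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}


def parse_line(line: str) -> dict:
    """Constructed record format: '<ISO time>|<process>|<full path>|<OriginalFilename or ->'."""
    ts, proc, path, orig = line.strip().split("|")
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "path": path, "name": name, "orig": orig}


def find_driver_clusters(lines, min_files: int = 2, window: timedelta = timedelta(minutes=5)) -> list:
    """Cluster pattern-matching file creations by (process, prefix); alert on bursts."""
    clusters = defaultdict(list)
    for rec in map(parse_line, lines):
        m = DROPPED_DRIVER_RE.match(rec["name"])
        if m:
            clusters[(rec["proc"], m["prefix"].upper())].append(rec)

    alerts = []
    for (proc, prefix), recs in clusters.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) >= min_files and recs[-1]["ts"] - recs[0]["ts"] <= window:
            # Cross-reference the PE original name when the collector provides it.
            known = sorted({r["orig"].lower() for r in recs if r["orig"].lower() in KNOWN_VULNERABLE_DRIVERS})
            alerts.append({
                "process": proc,
                "prefix": prefix,
                "files": [r["name"] for r in recs],
                "known_vulnerable": known,
            })
    return alerts


# Constructed sample log: four drops matching the reported names, plus benign noise.
SAMPLE_LINES = [
    "2024-08-28T10:00:01|encryptor.exe|C:\\Windows\\Temp\\AM35W2PH|RtCore64.sys",
    "2024-08-28T10:00:02|encryptor.exe|C:\\Windows\\Temp\\AM35W2PH_1|DBUtil_2_3.sys",
    "2024-08-28T10:00:02|encryptor.exe|C:\\Windows\\Temp\\AM35W2PH_2|zamguard64.sys",
    "2024-08-28T10:00:03|encryptor.exe|C:\\Windows\\Temp\\AM35W2PH_3|gdrv.sys",
    "2024-08-28T10:05:00|winword.exe|C:\\Users\\asmith\\Documents\\report.docx|-",
    "2024-08-28T10:06:00|setup.exe|C:\\Windows\\Temp\\ABCD1234|-",  # lone 8-char name, not a burst
]

if __name__ == "__main__":
    for alert in find_driver_clusters(SAMPLE_LINES):
        print(f"{alert['process']} wrote {len(alert['files'])} files with prefix {alert['prefix']}: "
              f"{alert['files']} known vulnerable: {alert['known_vulnerable']}")
```

A single eight-character file name is common enough (installers, temp files) that it is ignored on its own; the alert fires on the burst of same-prefix files, and the `known_vulnerable` field simply adds confidence when the collector can read the original name from the PE version resource.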
The professional, scientific, and technical services sectors have the highest exposure to the observed vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos has also assessed that the threat actor is likely more active than it appears to be, and that only an estimated 20-30% of victims are publicly posted, although the exact reason for this disparity remains unclear.
"BlackByte's progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor – BlackByteNT – represents a deliberate effort to increase the malware's resilience against detection and analysis," the researchers said.
"Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and anti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by other security researchers."
The disclosure comes as Group-IB unpacked the tactics associated with two other ransomware strains tracked as Brain Cipher and RansomHub, underscoring the potential connections of the former with ransomware groups such as EstateRansomware, SenSayQ, and RebornRansomware.
"There are similarities in terms of style and content of the Brain Cipher's ransom note to those by SenSayQ ransomware," the Singaporean cybersecurity company said. "The TOR websites of Brain Cipher ransomware group and SenSayQ ransomware group use similar technologies and scripts."
RansomHub, on the other hand, has been observed recruiting former affiliates of Scattered Spider, a detail that first came to light last month. A majority of the attacks have targeted healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.
"For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services," Group-IB said, adding the "accounts were acquired via LummaC2 stealer."
"RansomHub's tactics include leveraging compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high-demand ransom payments illustrate their evolving and aggressive approach."