mega-menu-burger mega-menu-close

TTPs used by BlackByte Ransomware Targeting Critical Infrastructure

Keep up to date with latest blog posts

On February 15th, 2022, the FBI and US Secret Service issued a joint adversary on BlackByte ransomware and its indicators of compromise (IOCs). According to the alert, BlackByte ransomware attacks on critical US infrastructures are on the rise. In this blog, we explained TTPs used by the BlackByte ransomware group in detail.

Test your security controls against ransomware

BlackByte Ransomware Group

The BlackByte group is a Ransomware-as-a-Service (RaaS) operator and started its ransomware operation in July 2021. Since then, they have targeted US-based organizations in critical infrastructure sectors such as government, finance, and food & agriculture. Also, they compromised the network of the famous American football team, San Francisco 49ers, and released some of the confidential data belonging to the team as proof of the attack. 

BlackByteFigure 1: Ransom note of BlackByte for SF49ers[1]

Joint cybersecurity advisory from FBI and US Secret Service warns organizations that beware of the IOCs of BlackByte ransomware attacks and take necessary precautions as the number of attacks is expected to increase.

What is BlackByte Ransomware?

BlackByte ransomware is the collective name of the ransomware variants from the BlackByte RaaS group. The ransomware was first reported back in July 2021. It exploits ProxyShell vulnerabilities found in Microsoft Exchange Server for initial access. The patch for these vulnerabilities is available. However, unpatched systems are falling victim to these ransomware attacks. Check out our blog post and learn how to prevent the exploitation of ProxyShell vulnerabilities.

The ransomware does not attack the infected systems if the language setting is Russian or the languages of former Soviet republics. This behavior is similar to some other ransomware threat groups, as explained in our previous ransomware blog, LockBit 2.0

BlackByte ransomware variants only use symmetric encryption. In their earlier ransomware variants, The BlackByte threat group distributed the encryption key to every victim from their command and control (C2) server in a .png file. Since the same encryption key is used for every victim, Trustwave was able to devise a global decryptor [2]. After the release of the global decryptor, the ransomware group stopped delivering the encryption key from the C2 server and changed the key. Although the decryptor might not work in some cases, it is worth a try as it does not harm already encrypted files. 

After encrypting the victim files, BlackByte ransomware appends the .blackbyte extension. The ransomware leaves the same ransom note in all encrypted directories, and the ransom note includes a .onion link that instructs the victim how to pay the ransom and receive the decryption key. Also, the ransom note claims that the ransomware has exfiltrated data from its victims to scare its victims to pay the ransom.

How Picus Helps Simulate BlackByte Ransomware?

Using the Picus Continuous Security Validation Platform, you can test your security controls against the BlackByte ransomware. We advise you to simulate BlackByte ransomware attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate BlackByte ransomware.

Threat Name

BlackByte Ransomware .EXE File Download (1-variant)

BlackByte Ransomware Scenario

Test your security controls against ransomware now

MITRE ATT&CK Techniques Used by the BlackByte Ransomware

Reconnaissance

  • T1595.002 Active Scanning: Vulnerability Scanning

The Blackbyte ransomware group exploits several vulnerabilities in the Microsoft Exchange Server. The ransomware threat actors scan the network of their targets and check whether the network has CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 vulnerabilities.

Initial Access

  • T1190 Exploit Public Facing Application

BlackByte ransomware threat actors exploit ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) found in Microsoft Exchange Server to gain initial access to the target network. Using ProxyShell vulnerabilities, the BlackByte RaaS group drops a webshell with the .aspx extension.

CVE Number

CVSS Score

Vulnerability

CVE-2021-34473

9.8 (Critical)

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-34523

9.8 (Critical)

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-31207

7.2 (High)

Microsoft Exchange Server Security Feature Bypass Vulnerability

Directories where webshell might be located

Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946

inetpub\wwwroot\aspnet_client

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium

Execution

  • T1053.005 Scheduled Task/Job: Scheduled Task

BlackByte ransomware utilizes Scheduled Tasks to launch its executable and print ransom notes using the printers in the victim’s network. 

Scheduled Tasks used by BlackByte

Description

complex.exe -single <SHA256_hash>

The ransomware executable is named “complex.exe”. The purpose of the hash value is unknown; it might be the identifier of the victim.

cmd.exe /c for /l %x in (1,1,75) do start

wordpad.exe /p C:\Users\tree.dll.

This command attempts to open tree.dll in Wordpad 75 times and then prints the contents. tree.dll contains the ransom note.

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The BlackByte threat group uses PowerShell and Windows Command Shell to execute its malicious commands.

Persistence

  • T1505.003 Server Software Component: Web Shell

BlackByte ransomware abuses MSExchangeMailboxReplication.exe to place a webshell to establish a solid foothold in the victim’s network. 

Privilege Escalation

  • T1112 Modify Registry

BlackByte ransomware modifies registries to elevate privileges.

Commands used to modify the registry

Description

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Escalate local privilege

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

Enable OS to share network connections between different privilege levels

reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths

Defense Evasion

  • T1027.002 Obfuscated Files or Information: Software Packing

The BlackByte threat group uses obfuscation to make malware analysis difficult.

  • T1055 Process Injection

BlackByte ransomware injects a Cobalt Strike beacon into wuauclt.exe.

  • T1070.004 Indicator Removal on Host: File Deletion

BlackByte ransomware group deletes its executable after encryption to limit chances of analysis.

  • T1562.001 Impair Defenses or Modify Tools

BlackByte ransomware stops Windows Defender by using an obfuscated PowerShell command. It also deletes a scheduled task for Raccine, a tool used to prevent ransomware attacks.

Commands used for defense evasion

Description

powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARA B'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"

Stop Windows Defender from executing on Startup

schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F

Delete scheduled task for Raccine Rules Updater.

 

  • T1562.004 Impair Defenses: Disable or Modify System Firewall

BlackByte threat actors change firewall rules to discover other assets in the victim’s network.

Commands used for defense evasion

Description

netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes

Enable network discovery

netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes

Enable file and printer sharing

Credential Access

  • T1003 OS Credential Dumping

BlackByte group uses Cobalt Strike to dump credentials and access service accounts in the victim network.

Discovery

  • T1012 Query Registry

BlackByte ransomware checks the language settings by querying the related registries.

  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery

BlackByte uses the following commands to discover other assets in the victim’s network.

Commands used for discovery

Description

net.exe view

Display a list of domains, computers, or resources that are being shared

arp.exe -a

Display the current ARP cache tables for all interface

Lateral Movement

  • T1021.002 Remote Services: SMB/Windows Admin Shares

BlackByte ransomware creates SMB shares to distribute AnyDesk, a remote desktop application, to other assets in the victim’s network using Cobalt Strike.

Collection

  • T1560.001 Archive Collected Data: Archive via Utility

BlackByte compresses the victim's file before exfiltration.

Command and Control (C2)

  • T1105 Ingress Tool Transfer

The BlackByte group transfers a Cobalt Strike beacon to the victim using the webshell they placed. After the beacon is placed, they transfer the AnyDesk application.

Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

BlackByte ransomware sends victim’s compressed files to anonymous file-sharing services such as anonymfiles.com and file.io.

Impact

  • T1486 Data Encrypted for Impact

BlackByte uses symmetric key encryption to encrypt the victim’s files. Check out our blog post to learn more detail on this MITRE ATT&CK technique.

  • T1490 Inhibit System Recovery

BlackByte ransomware resizes and deletes volume shadow copies to prevent file recovery using built-in recovery services.

Commands used for Inhibit System Recovery

Description

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB 

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

Resize volume shadow copy sizes

powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x

Delete volume shadow copies


Decoded command:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

Indicators of Compromise (IOCs)

Command and Control Server IPs:

185.93.6.31

45.9.148.114

MD5 Hashes

4d2da36174633565f3dd5ed6dc5033c4

cd7034692d8f29f9146deb3641de7986

d63a7756bfdcd2be6c755bf288a92c8b

eed7357ab8d2fe31ea3dbcf3f9b7ec74

695e343b81a7b0208cbae33e11f7044c

296c51eb03e70808304b5f0e050f4f94

0c7b8da133799dd72d0dbe3ea012031e

a77899602387665cddb6a0f021184a2b

1473c91e9c0588f92928bed0ebf5e0f4

28b791746c97c0c04dcbfe0954e7173b

52b8ae74406e2f52fd81c8458647acd8

1785f4058c78ae3dd030808212ae3b04

b8e24e6436f6bed17757d011780e87b9

8dfa48e56fc3a6a2272771e708cdb4d2

4ce0bdd2d4303bf77611b8b34c7d2883

c010d1326689b95a3d8106f75003427c

ae6fbc60ba9c0f3a0fef72aeffcd3dc7

405cb8b1e55bb2a50f2ef3e7c2b28496

11e35160fc4efabd0a3bd7a7c6afc91b

659b77f88288b4874b5abe41ed36380d

151c6f04aeff0e00c54929f25328f6f7

959a7df5c465fcd963a641d87c18a565

5f40e1859053b70df9c0753d327f2cee

df7befc8cdc3c5434ef27cc669fb1e4b

51f2cf541f004d3c1fa8b0f94c89914a

d9e94f076d175ace80f211ea298fa46e

8320d9ec2eab7f5ff49186b2e630a15f

cea6be26d81a8ff3db0d9da666cd0f8f

31f818372fa07d1fd158c91510b6a077

d9e94f076d175ace80f211ea298fa46e

a9cf6dce244ad9afd8ca92820b9c11b9

7139415fecd716bec6d38d2004176f5d

c13bf39e2f8bf49c9754de7fb1396a33

ad29212716d0b074d976ad7e33b8f35f

d4aa276a7fbe8dcd858174eeacbb26ce

58e8043876f2f302fbc98d00c270778b

d2a15e76a4bfa7eb007a07fc8738edfb

e46bfbdf1031ea5a383040d0aa598d45

 

MD5

SHA-1

SHA-256

5c0a549ae45d9abe54ab662e53c484e2

f3574a47570cccebb1c502287e21218277ffc589

e837f252af30cc222a1bce815e609a7354e1f9c814baefbb5d45e32a10563759

9344afc63753cd5e2ee0ff9aed43dc56

ee1fa399ace734c33b77c62b6fb010219580448f

1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

e2eb5b57a8765856be897b4f6dadca18

c90f32fd0fd4eefe752b7b3f7ebfbc7bd9092b16

91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e

Reference

[1] D. Goodin, “Hacking group is on a tear, hitting US critical infrastructure and SF 49ers,” Ars Technica, Feb. 14, 2022. [Online]. Available: https://arstechnica.com/information-technology/2022/02/hacking-group-is-on-a-tear-hitting-us-critical-infrastructure-and-sf-49ers/

[2] SpiderLabs, “GitHub - SpiderLabs/BlackByteDecryptor,” GitHub. [Online]. Available: https://github.com/SpiderLabs/BlackByteDecryptor

Subscribe

Keep up to date with latest blog posts