Friday, January 10, 2025

BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw affecting VMware ESXi hypervisors, while also leveraging a number of vulnerable drivers to disarm security protections.

"The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor," Cisco Talos said in a technical report shared with The Hacker News.

The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has also been weaponized by other ransomware groups, is a sign that the e-crime group is pivoting from its established approaches.

BlackByte made its debut in the second half of 2021 and is believed to be one of the ransomware variants that emerged in the months leading up to the shutdown of the notorious Conti ransomware crew.

The ransomware-as-a-service (RaaS) group has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to obtain initial access, while avoiding systems that use Russian and a number of Eastern European languages.


Like other RaaS groups, it also relies on double extortion as part of its attacks, adopting a name-and-shame approach via a data leak site operated on the dark web to pressure victims into paying up. Multiple variants of the ransomware, written in C, .NET, and Go, have been observed in the wild to date.

While a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to refine its modus operandi, even going so far as to employ a custom tool named ExByte for data exfiltration prior to commencing encryption.

An advisory released by the U.S. government in early 2022 attributed to the RaaS group financially motivated attacks targeting critical infrastructure sectors, including financial, food and agriculture, and government facilities.

One of the important aspects of their attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a technique known as bring your own vulnerable driver (BYOVD).

Cisco Talos, which investigated a recent BlackByte ransomware attack, said the intrusion was likely facilitated using valid credentials to access the victim organization's VPN. The initial access is believed to have been obtained by means of a brute-force attack.

"Given BlackByte's history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or may represent opportunism," security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans said. "The use of the victim's VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization's EDR."


The threat actor subsequently managed to escalate their privileges, using those permissions to access the organization's VMware vCenter server and to create and add new accounts to an Active Directory group named ESX Admins. This, Talos said, was accomplished by exploiting CVE-2024-37085, which enables an attacker to gain administrator privileges on the hypervisor by creating a domain group with that name and adding any user to it, because an AD-joined ESXi host grants full administrative access to members of a group called "ESX Admins" without validating that the group was deliberately created for that purpose.

This privilege could then be abused to control virtual machines (VMs), modify the host server's configuration, and obtain unauthorized access to system logs, diagnostics, and performance monitoring tools.
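The two actions that make up the technique described above, creating a group named "ESX Admins" and adding members to it, both leave Windows Security log events on the domain controller. The following hunt script is an added example (not Talos's or VMware's code) that scans simplified, constructed JSON-lines event records for those actions. The event IDs used (4727/4754 for group creation, 4728/4756 for member addition) are the standard Security log IDs; the flattened field names `EventID`, `TargetUserName`, `MemberName` and `SubjectUserName` are assumed to have been extracted from the real event XML by whatever log pipeline feeds the script. The group name is matched case-insensitively and with whitespace tolerated, which is a detection choice made here so that trivially re-cased variants are still caught.

```python
"""Hunt for CVE-2024-37085-style abuse of the 'ESX Admins' AD group.

Added example, not code from the article or from Cisco Talos. Scans
simplified Windows Security event records (JSON lines) for creation of a
group named "ESX Admins" and for members being added to it.
"""
import json
import re

# Windows Security log event IDs (assumed relevant set for this hunt):
#   4727 / 4754  security-enabled global / universal group created
#   4728 / 4756  member added to security-enabled global / universal group
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}

# ESXi grants full admin rights to members of a domain group named
# "ESX Admins". Detection choice: match case-insensitively and tolerate
# stray whitespace so a re-cased variant does not slip past the rule.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def parse_events(lines):
    """Yield one dict per JSON line, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A malformed line is dropped rather than aborting the whole hunt.
            continue


def detect_esx_admins_abuse(lines):
    """Return a list of alert dicts, one per suspicious group event."""
    alerts = []
    for ev in parse_events(lines):
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        if not isinstance(group, str) or not ESX_ADMINS.match(group):
            continue
        if eid in GROUP_CREATED:
            alerts.append({
                "action": "group_created",
                "group": group,
                "by": ev.get("SubjectUserName"),
                "time": ev.get("TimeCreated"),
            })
        elif eid in MEMBER_ADDED:
            alerts.append({
                "action": "member_added",
                "group": group,
                "member": ev.get("MemberName"),
                "by": ev.get("SubjectUserName"),
                "time": ev.get("TimeCreated"),
            })
    return alerts


# Constructed sample records (not real logs): a creation of the group, a
# member addition to it, an addition to an unrelated group, and a logon.
SAMPLE_LOG = """
{"TimeCreated": "2024-07-30T02:14:07Z", "EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"TimeCreated": "2024-07-30T02:14:31Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "esx admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"}
{"TimeCreated": "2024-07-30T02:15:02Z", "EventID": 4728, "SubjectUserName": "admin1", "TargetUserName": "Domain Users", "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"}
{"TimeCreated": "2024-07-30T02:16:45Z", "EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"}
"""

if __name__ == "__main__":
    for alert in detect_esx_admins_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the script raises two alerts: the 4727 creation of "ESX Admins" by `jdoe` and the 4728 addition of `svc-backup` to the re-cased "esx admins" group; the "Domain Users" addition and the logon are ignored. In production the same logic should also cover the Windows events for group renames, since renaming an existing group to "ESX Admins" achieves the same effect on an AD-joined ESXi host.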

Talos pointed out that the exploitation of the flaw took place within days of public disclosure, highlighting the speed at which threat actors refine their tactics to incorporate newly disclosed vulnerabilities into their arsenal and advance their attacks.

Furthermore, the recent BlackByte attacks culminate with the encrypted files being rewritten with the file extension "blackbytent_h," with the encryptor also dropping four vulnerable drivers as part of the BYOVD attack. All four drivers follow the same naming convention: eight random alphanumeric characters followed by an underscore and an incremental numerical value –

  • AM35W2PH (RtCore64.sys)
  • AM35W2PH_1 (DBUtil_2_3.sys)
  • AM35W2PH_2 (zamguard64.sys aka Terminator)
  • AM35W2PH_3 (gdrv.sys)
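The naming convention above is itself a hunting artifact: four driver files that share an eight-character alphanumeric stem and count up `_1`, `_2`, `_3` are unusual on a normal host. The following script is an added example (not Talos's tooling) that clusters file names by that pattern and flags clusters whose members' original names match the four drivers listed in the article. It assumes the caller has already collected, for each dropped file, its on-disk name and the `OriginalFilename` from its PE version resource (for example from `(Get-Item $path).VersionInfo.OriginalFilename` in PowerShell); the sample input below is constructed for illustration.

```python
"""Cluster dropped files by the BlackByte BYOVD naming convention.

Added example, not code from the article or from Cisco Talos. Input is a
list of (dropped_name, original_filename) pairs gathered from a host; the
script finds sets of files sharing an 8-character alphanumeric stem with
an incremental _N suffix and reports which members are known abused drivers.
"""
import re
from collections import defaultdict

# Original names of the four drivers observed in the attacks described above.
KNOWN_ABUSED = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}

# Stem of exactly 8 alphanumerics, optional _N counter, optional extension.
STEM_RE = re.compile(r"^([A-Za-z0-9]{8})(?:_(\d+))?(?:\.[A-Za-z0-9]+)?$")


def cluster_by_stem(entries):
    """Group (dropped_name, original_name) pairs by their 8-char stem.

    Returns {stem: [(index, dropped_name, original_name_lower), ...]} where
    index is the _N counter (0 when the name carries no suffix).
    """
    clusters = defaultdict(list)
    for dropped, original in entries:
        m = STEM_RE.match(dropped)
        if not m:
            continue
        idx = int(m.group(2)) if m.group(2) is not None else 0
        clusters[m.group(1)].append((idx, dropped, (original or "").lower()))
    return clusters


def find_byovd_drops(entries, min_members=2):
    """Return clusters that look like a BlackByte-style driver drop.

    A cluster is reported when it has at least min_members files and their
    counters form the contiguous sequence 0, 1, 2, ... (the article's
    AM35W2PH, AM35W2PH_1, AM35W2PH_2, AM35W2PH_3 pattern). The min_members
    guard matters: any lone 8-character file name (ntoskrnl.exe, for
    instance) matches the regex on its own.
    """
    hits = []
    for stem, members in sorted(cluster_by_stem(entries).items()):
        members.sort()
        indices = [i for i, _, _ in members]
        sequential = indices == list(range(len(indices)))
        if len(members) < min_members or not sequential:
            continue
        hits.append({
            "stem": stem,
            "count": len(members),
            "files": [d for _, d, _ in members],
            "known_drivers": [o for _, _, o in members if o in KNOWN_ABUSED],
        })
    return hits


# Constructed sample inventory (not real host data): the four drops from
# the article plus a benign system file that happens to have an 8-char name.
SAMPLE_FILES = [
    ("AM35W2PH", "RtCore64.sys"),
    ("AM35W2PH_1", "DBUtil_2_3.sys"),
    ("AM35W2PH_2", "zamguard64.sys"),
    ("AM35W2PH_3", "gdrv.sys"),
    ("ntoskrnl.exe", "ntoskrnl.exe"),
    ("win32k.sys", "win32k.sys"),
]

if __name__ == "__main__":
    for hit in find_byovd_drops(SAMPLE_FILES):
        print(hit)
```

On the constructed sample the script reports a single cluster, stem `AM35W2PH` with four files, all four of whose original names are in the known-abused set; `ntoskrnl.exe` matches the regex but is a cluster of one and is not reported. Matching on original names is deliberately loose, since an attacker can strip or alter the version resource; in a real hunt, pair this with hash lookups against a maintained vulnerable-driver list and with driver-load telemetry.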

The professional, scientific, and technical services sectors have the highest exposure to the observed vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos has also assessed that the threat actor is likely more active than it appears to be, and that only an estimated 20-30% of victims are publicly posted, although the exact reason for this disparity remains unclear.


"BlackByte's progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor – BlackByteNT – represents a deliberate effort to increase the malware's resilience against detection and analysis," the researchers said.

"Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and anti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by other security researchers."

The disclosure comes as Group-IB unpacked the tactics associated with two other ransomware strains tracked as Brain Cipher and RansomHub, underscoring the potential connections of the former with ransomware groups such as EstateRansomware, SenSayQ, and RebornRansomware.

"There are similarities in terms of style and content of the Brain Cipher's ransom note to those by SenSayQ ransomware," the Singaporean cybersecurity company said. "The TOR websites of Brain Cipher ransomware group and SenSayQ ransomware group use similar technologies and scripts."

RansomHub, on the other hand, has been observed recruiting former affiliates of Scattered Spider, a detail that first came to light last month. A majority of the attacks have targeted the healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.

"For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services," Group-IB said, adding the "accounts were acquired via LummaC2 stealer."

"RansomHub's tactics include leveraging compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high-demand ransom payments illustrate their evolving and aggressive approach."
