BlackByte is using Exbyte, a new custom exfiltration tool, to steal data. Learn how to protect your organization from this ransomware.
Symantec's Threat Hunter Team announced Friday that an affiliate of the BlackByte ransomware-as-a-service group is using the custom data exfiltration tool Infostealer.Exbyte to steal data.
BlackByte is run by a cybercrime group that Symantec calls Hecamede. BlackByte flew under the radar until February 2022, when the FBI issued an alert stating that the group had attacked multiple entities in the U.S., including at least three critical infrastructure providers. Symantec refers to both the BlackByte group and the BlackByte ransomware by the same name.
Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors profiting from this gap in the market. The fact that actors are now developing custom tools for use in BlackByte ransomware attacks suggests that it may be on the way to becoming one of the dominant ransomware threats. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.
"It's not necessarily worse than all other ransomware, but it certainly is among the most frequently used ransomware payloads at the moment, along with Quantum, Hive, Noberus and AvosLocker," said Dick O'Brien, principal intelligence analyst at Symantec's Threat Hunter Team.
What is the Exbyte exfiltration tool?
The Exbyte data exfiltration tool is written in the Go programming language and uploads stolen files to the Mega.co.nz cloud storage service. When Exbyte executes, it checks whether it is running in a sandbox; if it detects one, it stops running, making it harder to analyze, said O'Brien.
This routine of checks is quite similar to the one employed by the BlackByte payload itself, as Sophos recently documented.
Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc and .pdf files, and saves the full path and file name of each to %APPDATA%\dummy. The listed files are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hard-coded into Exbyte.
Exbyte is not the first custom-developed data exfiltration tool to be linked to a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has since been used in Noberus attacks. Other examples include the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware.
What are BlackByte's tactics, techniques and procedures?
In recent BlackByte attacks investigated by Symantec, the attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange Server to gain initial access.
Symantec also observed attackers using the publicly available reconnaissance and query tools AdFind, NetScan and PowerView, along with the AnyDesk remote access tool, prior to deploying the ransomware payload.
"Identifying and enumerating these tools matters because their use represents an early-stage warning sign that a ransomware attack is in preparation," said O'Brien.
Recent attacks have used version 2.0 of the BlackByte payload. On execution, the ransomware payload itself appears to download and save debugging symbols from Microsoft. The command is executed directly from the ransomware.
The ransomware then checks the version information of ntoskrnl.exe. BlackByte then proceeds with the removal of kernel notify routines, the callbacks that security products register in the kernel to be told about events such as process creation and image loading; the purpose is to blind malware detection and removal products. This functionality closely resembles the techniques leveraged in the EDRSandblast tool.
"It's hard to gauge how successful [removing kernel notify routines] is, since this is a known technique and vendors will be aware of it and have likely introduced mitigations," said O'Brien. "But it's probably fair to say that it isn't ineffective because, if it were, they wouldn't be using it."
BlackByte uses VssAdmin to delete volume shadow copies and resize shadow storage allocation, removing the easiest local recovery path before encryption starts. The ransomware then modifies firewall settings to enable linked connections. Finally, BlackByte injects itself into an instance of svchost.exe, conducts file encryption and then deletes the ransomware binary on disk.
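The following is an added example, not code from the article, Symantec or BlackByte. It runs a handful of constructed Sysmon-style events through detection rules for the behaviours described in the two passages above: the reconnaissance tools O'Brien calls an early warning sign (AdFind, NetScan, AnyDesk, PowerView), the Exbyte staging file at %APPDATA%\dummy and the upload to Mega, and the payload's shadow-copy tampering, firewall change and symbol download. Assumptions of mine, not from the article: the event field names, the msdl.microsoft.com host for the symbol download, the netsh advfirewall form of the firewall change, the mega.nz alias alongside mega.co.nz, and the PowerView function names used as strings. Every sample event is constructed.

```python
"""Added example: stage-aware triage of constructed endpoint events for the
BlackByte/Exbyte behaviours the article describes. Not Symantec's code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed Sysmon-style record (field names are an assumption)."""
    host: str
    kind: str     # "process", "file" or "network"
    image: str    # executable that performed the action
    detail: str   # command line, written file path, or destination host


# (rule name, stage, predicate). Stages follow the order in the article:
# recon tools first, then Exbyte exfiltration, then the ransomware payload.
RULES = [
    ("recon_tool", "recon", lambda e: e.kind == "process" and
        re.search(r"\\(adfind|netscan|anydesk)\.exe$", e.image, re.I)),
    # PowerView is a PowerShell module; matching on its file name and a few
    # of its function names is an assumption, not an indicator from the article.
    ("powerview", "recon", lambda e: e.kind == "process" and
        re.search(r"powerview|get-netuser|find-localadminaccess|invoke-sharefinder",
                  e.detail, re.I)),
    # Exbyte writes its file list to %APPDATA%\dummy (expanded path below).
    ("exbyte_staging", "exfil", lambda e: e.kind == "file" and
        re.search(r"\\appdata\\roaming\\dummy$", e.detail, re.I)),
    # Upload to Mega from anything that is not a browser (browser list assumed).
    ("mega_upload", "exfil", lambda e: e.kind == "network" and
        re.search(r"(^|\.)mega\.(co\.)?nz$", e.detail, re.I) and
        not re.search(r"\\(chrome|msedge|firefox)\.exe$", e.image, re.I)),
    # Symbol download from Microsoft (host is an assumption).
    ("symbol_download", "payload", lambda e: e.kind == "process" and
        "msdl.microsoft.com" in e.detail.lower()),
    # vssadmin delete shadows / resize shadowstorage, as in the article.
    ("shadow_copy_tamper", "payload", lambda e: e.kind == "process" and
        re.search(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)",
                  e.detail, re.I)),
    ("firewall_change", "payload", lambda e: e.kind == "process" and
        re.search(r"netsh(\.exe)?\s+advfirewall", e.detail, re.I)),
]


def match_rules(events):
    """Return {host: {stage: set(rule names)}} for every rule that fires."""
    hits = defaultdict(lambda: defaultdict(set))
    for e in events:
        for name, stage, pred in RULES:
            if pred(e):
                hits[e.host][stage].add(name)
    return hits


def triage(events):
    """'critical' once exfiltration or payload behaviour is seen on a host,
    'warning' when only the early-stage recon tools have fired."""
    verdicts = {}
    for host, stages in match_rules(events).items():
        if stages.get("exfil") or stages.get("payload"):
            verdicts[host] = "critical"
        elif stages.get("recon"):
            verdicts[host] = "warning"
    return verdicts


# Constructed sample telemetry; hosts, users and paths are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
UPD = r"C:\Users\svc_backup\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    Event("ws01", "process", r"C:\Users\jdoe\Downloads\AdFind.exe",
          "AdFind.exe -f objectcategory=computer"),
    Event("ws01", "process", PS,
          'powershell -ep bypass -c "Import-Module .\\PowerView.ps1; Find-LocalAdminAccess"'),
    Event("fs02", "file", UPD, r"C:\Users\svc_backup\AppData\Roaming\dummy"),
    Event("fs02", "network", UPD, "g.api.mega.co.nz"),
    Event("fs02", "process", CMD,
          r"curl.exe -o C:\ProgramData\ntoskrnl.pdb https://msdl.microsoft.com/download/symbols/"),
    Event("fs02", "process", CMD, "cmd /c vssadmin delete shadows /all /quiet"),
    Event("fs02", "process", CMD,
          "cmd /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    Event("fs02", "process", CMD,
          'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'),
    # Benign: a user browsing Mega from Chrome must not trip the exfil rule.
    Event("ws03", "network", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "mega.nz"),
    Event("ws03", "process", CMD, "cmd /c dir"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict, dict(match_rules(SAMPLE_EVENTS)[host]))
```

The point of the two-tier verdict is O'Brien's observation that the recon tools are a warning sign rather than proof: a host that has only run AdFind or PowerView gets a warning for an analyst to look at, while the Exbyte staging file, a Mega connection from a non-browser process, or vssadmin tampering escalates to critical on their own. Kernel notify routine removal is not covered here because it is not visible in process or file telemetry; that needs a kernel-side or driver-integrity check.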
How to protect your organization from BlackByte or mitigate its effects
BlackByte is hard to stop, but it's not impossible, said O'Brien.
"Every step of the attack is an opportunity to identify and block it," he said. "A defense-in-depth strategy is always what works best, where you're employing multiple detection technologies and don't have a single point of failure. You need to be able not only to identify malicious files but also to identify malicious behaviors, since many attackers will use legitimate tools."
For the latest security updates, please read the Symantec security bulletin.