The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections.
“The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor,” Cisco Talos said in a technical report shared with The Hacker News.
The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has also been weaponized by other ransomware groups, is a sign that the e-crime group is pivoting from established approaches.
BlackByte made its debut in the second half of 2021 and is believed to be one of the ransomware variants to have emerged in the months leading up to the shutdown of the infamous Conti ransomware crew.
The ransomware-as-a-service (RaaS) group has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to obtain initial access, while avoiding systems that use Russian and a number of Eastern European languages.
Like other RaaS groups, it also leverages double extortion as part of its attacks, adopting a name-and-shame approach via a data leak site operated on the dark web to pressure victims into paying up. Multiple variants of the ransomware, written in C, .NET, and Go, have been observed in the wild to date.
While a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to refine its modus operandi, even going to the extent of employing a custom tool named ExByte for data exfiltration prior to commencing encryption.
An advisory released by the U.S. government in early 2022 attributed the RaaS group to financially motivated attacks targeting critical infrastructure sectors, including financial, food and agriculture, and government facilities.
One of the important aspects of their attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a technique known as bring your own vulnerable driver (BYOVD).
Cisco Talos, which investigated a recent BlackByte ransomware attack, said the intrusion was likely facilitated using valid credentials to access the victim organization's VPN. It's believed that the initial access was obtained by means of a brute-force attack.
“Given BlackByte's history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or could represent opportunism,” security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans said. “The use of the victim's VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization's EDR.”
The threat actor subsequently managed to escalate their privileges, using the permissions to access the organization's VMware vCenter server to create and add new accounts to an Active Directory group named ESX Admins. This, Talos said, was accomplished by exploiting CVE-2024-37085, which allows an attacker to gain administrator privileges on the hypervisor by creating a group with that name and adding any user to it.
This privilege could then be abused to control virtual machines (VMs), modify the host server's configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.
Talos pointed out that the exploitation of the flaw took place within days of public disclosure, highlighting the speed at which threat actors refine their tactics to incorporate newly disclosed vulnerabilities into their arsenal and advance their attacks.
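Because the bypass described above hinges on nothing more than an AD group carrying the name "ESX Admins", the creation of that group and the first membership change to it are the events a defender can watch for. The following is an added detection example, not code from Talos or the article; it assumes a SIEM has normalized Windows Security events 4727 (security-enabled global group created) and 4728 (member added) into the dictionaries shown, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the Talos report). Fields mirror what a
# SIEM would normalize from Windows Security events 4727 (security-enabled
# global group created) and 4728 (member added to such a group).
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T09:00:00", "id": 4727, "group": "Finance-Readers", "actor": "CORP\\admin01"},
    {"ts": "2024-08-01T09:05:10", "id": 4727, "group": "ESX Admins", "actor": "CORP\\jsmith"},
    {"ts": "2024-08-01T09:05:42", "id": 4728, "group": "ESX Admins", "member": "CORP\\jsmith", "actor": "CORP\\jsmith"},
    {"ts": "2024-08-01T11:30:00", "id": 4728, "group": "Domain Users", "member": "CORP\\newhire", "actor": "CORP\\hr-admin"},
]

# Match the name case-insensitively and tolerate extra whitespace so that a
# cosmetic variant of the group name does not slip past the rule.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

def find_esx_admins_activity(events, window_minutes=10):
    """Flag creation of, and membership changes to, an AD group named
    'ESX Admins' (the group name an unpatched ESXi host grants admin rights
    to, CVE-2024-37085). A create followed by an add from the same actor
    inside `window_minutes` is raised to 'high' severity."""
    alerts = []
    last_create = {}  # actor -> timestamp of the group creation
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ESX_ADMINS.match(ev.get("group", "")):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4727:
            last_create[ev["actor"]] = ts
            alerts.append({"severity": "medium", "what": "group created",
                           "actor": ev["actor"]})
        elif ev["id"] == 4728:
            created = last_create.get(ev["actor"])
            chained = created is not None and ts - created <= timedelta(minutes=window_minutes)
            alerts.append({"severity": "high" if chained else "medium",
                           "what": f"member added: {ev['member']}", "actor": ev["actor"]})
    return alerts

if __name__ == "__main__":
    for alert in find_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```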
Furthermore, the latest BlackByte attacks culminate with the encrypted files being rewritten with the file extension “blackbytent_h,” with the encryptor also dropping four vulnerable drivers as part of the BYOVD attack. All four drivers follow a similar naming convention: eight random alphanumeric characters followed by an underscore and an incremental numerical value –
- AM35W2PH (RtCore64.sys)
- AM35W2PH_1 (DBUtil_2_3.sys)
- AM35W2PH_2 (zamguard64.sys aka Terminator)
- AM35W2PH_3 (gdrv.sys)
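The naming convention above is itself a usable signal: a run of files sharing one eight-character prefix with consecutive numeric suffixes, where the files' PE OriginalFilename values are known vulnerable drivers. The following is an added example, not code from Talos or the article; it assumes an EDR or sandbox has already recorded each dropped file's name and its OriginalFilename from the version resource, and the sample drops are constructed around the four names the report lists.

```python
import re
from collections import defaultdict

# Vulnerable drivers named in the Talos report as the BYOVD set dropped by the encryptor.
KNOWN_BYOVD_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}

# Naming convention from the report: eight random alphanumerics, then an
# optional "_<n>" suffix; the first file carries no suffix (index 0 here).
DROP_NAME = re.compile(r"^(?P<prefix>[A-Za-z0-9]{8})(?:_(?P<index>\d+))?$")

def parse_drop_name(name):
    """Return (prefix, index) for a name matching the convention, else None."""
    m = DROP_NAME.match(name)
    if not m:
        return None
    return m.group("prefix"), int(m.group("index") or 0)

def find_byovd_drops(events):
    """Group file-drop events by 8-character prefix and flag a prefix when its
    suffixes form an unbroken 0..n sequence and at least one file's
    OriginalFilename is a known vulnerable driver. `original_name` is assumed
    to come from the PE version resource as recorded by the EDR or sandbox."""
    by_prefix = defaultdict(list)
    for ev in events:
        parsed = parse_drop_name(ev["name"])
        if parsed:
            by_prefix[parsed[0]].append((parsed[1], ev["original_name"].lower()))
    findings = []
    for prefix, items in sorted(by_prefix.items()):
        indices = sorted(i for i, _ in items)
        known = sorted({orig for _, orig in items if orig in KNOWN_BYOVD_DRIVERS})
        if len(items) >= 2 and indices == list(range(len(items))) and known:
            findings.append({"prefix": prefix, "count": len(items), "known_drivers": known})
    return findings

# Constructed sample: the four names from the report plus two benign-looking drops.
SAMPLE_DROPS = [
    {"name": "AM35W2PH",   "original_name": "RtCore64.sys"},
    {"name": "AM35W2PH_1", "original_name": "DBUtil_2_3.sys"},
    {"name": "AM35W2PH_2", "original_name": "zamguard64.sys"},
    {"name": "AM35W2PH_3", "original_name": "gdrv.sys"},
    {"name": "setup",      "original_name": "setup.exe"},
    {"name": "Q7K2LM9Z_1", "original_name": "gdrv.sys"},  # lone file, no index 0: not a run
]

if __name__ == "__main__":
    print(find_byovd_drops(SAMPLE_DROPS))
```

A single vulnerable driver name still deserves a lower-severity alert on its own; the grouping here is what distinguishes this family's drop pattern from an isolated legitimate driver install.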
The professional, scientific, and technical services sectors have the highest exposure to the observed vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos has also assessed that the threat actor is likely more active than it appears to be, and that only an estimated 20-30% of victims are publicly posted, although the exact reason for this disparity remains unclear.
“BlackByte's progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor – BlackByteNT – represents a deliberate effort to increase the malware's resilience against detection and analysis,” the researchers said.
“Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and anti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by other security researchers.”
The disclosure comes as Group-IB unpacked the tactics associated with two other ransomware strains tracked as Brain Cipher and RansomHub, underscoring the potential connections of the former with ransomware groups such as EstateRansomware, SenSayQ, and RebornRansomware.
“There are similarities in terms of style and content of Brain Cipher's ransom note to those by SenSayQ ransomware,” the Singaporean cybersecurity company said. “The TOR websites of the Brain Cipher ransomware group and SenSayQ ransomware group use similar technologies and scripts.”
RansomHub, on the other hand, has been observed recruiting former affiliates of Scattered Spider, a detail that first came to light last month. A majority of the attacks have targeted healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.
“For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services,” Group-IB said, adding the “accounts were obtained via LummaC2 stealer.”
“RansomHub's tactics include leveraging compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high-demand ransom payments illustrate their evolving and aggressive approach.”