January 20, 2025

BlackByte, a ransomware-as-a-service (RaaS) operation
believed to be a spin-off of the notorious Conti, has been on the radar since
mid-to-late 2021. Recent findings by Talos, however, indicate that this threat
is far more active and sophisticated than previously understood.

Traditionally, researchers gauge ransomware activity by
monitoring leak sites where cybercriminals post data from their victims.
However, Talos has observed that BlackByte’s true impact is much larger. The
group appears to publicize only 20% to 30% of its victims, meaning many more
organizations could be suffering in silence.

Evolving Techniques

Talos’s latest investigation into BlackByte reveals that
while the ransomware continues to use familiar tools and methods, it has
introduced new tactics to evade detection and maximize damage. In a recent
incident, BlackByte gained access by brute-forcing an account with a weak
password through a VPN interface. This approach not only exploited a common
vulnerability but also minimized the chances of detection by the victim’s
Endpoint Detection and Response (EDR) system.

Once inside, the attackers moved quickly, compromising two
domain admin-level accounts and accessing the VMware vCenter server. They then
created Active Directory (AD) domain objects for ESXi hypervisors, effectively
joining those hosts to the domain. Talos believes this action was designed to
exploit the CVE-2024-37085 authentication bypass vulnerability—a flaw that
BlackByte and other groups have pounced on shortly after it was publicly
disclosed.

The attackers used various protocols like SMB and RDP to
access additional data, with NTLM employed for authentication. They also
tampered with security tool configurations via the system registry and
sometimes even uninstalled EDR systems. Talos observed a spike in NTLM
authentication and SMB connection attempts just before file encryption began,
suggesting these actions are part of the ransomware’s self-propagation
mechanism.

Data Exfiltration and Encryption

Although Talos couldn’t fully verify the methods used to
exfiltrate data, they suspect BlackByte used its custom tool, ExByte, to carry
out this task. This aligns with the behavior seen in other ransomware incidents
reported by companies like Microsoft, DuskRise, and Acronis.

Talos has also identified new features in BlackByte’s
encryption process. All encrypted files now carry the extension
‘blackbytent_h’. Moreover, the latest version of the ransomware drops four
vulnerable drivers during an attack, employing a Bring Your Own Vulnerable
Driver (BYOVD) tactic. Previous versions deployed only two or three drivers,
signaling an increase in the ransomware’s complexity.

Further complicating matters is BlackByte’s shift in
programming languages. The ransomware has evolved from C# to Go, and most
recently to C/C++ in its latest iteration, BlackByteNT. This progression
enables more advanced anti-analysis and anti-debugging techniques, making the
ransomware harder to study and neutralize.

Mitigation Strategies

Containing and eradicating BlackByte is challenging due to
its sophisticated tactics, especially the BYOVD technique, which hampers the
effectiveness of traditional security controls. However, Talos offers some
actionable advice: since this version of BlackByte relies on credentials
stolen from the victim's own environment, an enterprise-wide reset of
user credentials and Kerberos tickets can be an effective containment strategy.
Additionally, reviewing SMB traffic during an attack can help identify the
specific accounts used to spread the infection across the network.
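The two signals above (a spike in NTLM authentication and SMB connection attempts from one host just before encryption, and reviewing SMB activity to find the accounts used to spread) can be checked with a simple burst detector over authentication logs. The following is an added example, not code from Talos or from the BlackByte report; the log format (one JSON object per line with ts, event_id, src, user and auth fields) and the sample events are constructed, and Windows Security event IDs 4624 (logon) and 5140 (network share accessed) are assumed as the sources.

```python
"""Flag hosts that fan out with many NTLM logons / SMB share accesses in a
short window, and report which accounts they used. Example code, not the
report's own tooling; log format below is an assumption."""
import json
from collections import defaultdict


def _ev(ts, eid, src, user, auth="NTLM"):
    # Build one constructed log line in the assumed JSON-per-line format.
    return json.dumps({"ts": ts, "event_id": eid, "src": src,
                       "user": user, "auth": auth})


# Constructed sample: 10.0.0.5 performs 6 NTLM logons and 6 share accesses
# within ~16 seconds (propagation pattern); 10.0.0.9 is benign background.
SAMPLE_LOG = "\n".join(
    [_ev(1000 + 3 * i, 4624, "10.0.0.5", "svc_backup") for i in range(6)]
    + [_ev(1001 + 3 * i, 5140, "10.0.0.5", "svc_backup", "") for i in range(6)]
    + [_ev(1000, 4624, "10.0.0.9", "alice", "Kerberos"),
       _ev(1500, 5140, "10.0.0.9", "alice", "")]
)


def parse(text):
    """Parse JSON-per-line log text into a list of event dicts."""
    return [json.loads(l) for l in text.splitlines() if l.strip()]


def detect_bursts(events, window=60, threshold=8):
    """Return {src: {count, accounts, window_start}} for every source host
    with >= threshold NTLM logons (4624) or share accesses (5140) inside
    any `window`-second span. Kerberos logons are ignored on purpose."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("auth") != "NTLM":
            continue
        if e["event_id"] in (4624, 5140):
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):          # sliding window over time
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold and n > alerts.get(src, {}).get("count", 0):
                alerts[src] = {"count": n,
                               "accounts": sorted({x["user"] for x in evs[lo:hi + 1]}),
                               "window_start": evs[lo]["ts"]}
    return alerts
```

Running `detect_bursts(parse(SAMPLE_LOG))` flags only 10.0.0.5 and names svc_backup as the account to reset first.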

For a detailed analysis of BlackByte’s new tactics and
defensive recommendations, review Talos’s full report, which includes a MITRE
ATT&CK mapping for the latest techniques and a list of indicators of
compromise (IoCs).
