The BlackByte ransomware group, a significant and persistent threat in the ransomware-as-a-service (RaaS) ecosystem, has introduced a new iteration of its encryptor, further intensifying its attacks on organizations globally. Believed to be a splinter group from the infamous Conti gang, BlackByte’s recent activities demonstrate its relentless evolution and strategic shift in targeting methodologies. Cisco Talos, in its latest reports, has identified that BlackByte is now exploiting a newly patched security flaw in VMware ESXi hypervisors, particularly the CVE-2024-37085 authentication bypass vulnerability. This vulnerability allows the group to encrypt multiple virtual machines simultaneously, significantly increasing the impact of their attacks.
New Tactics, Techniques, and Procedures (TTPs)
In its latest campaigns, BlackByte has displayed several new tactics and techniques that mark a departure from its previous strategies. The group continues to exploit vulnerable drivers, a technique known as Bring Your Own Vulnerable Driver (BYOVD), to disable security protections and facilitate its attacks. Unlike previous versions, where BlackByte used two or three vulnerable drivers, the latest iteration of their encryptor deploys four, each following a specific naming convention (e.g., AM35W2PH, RtCore64.sys). These drivers are instrumental in disabling security defenses, allowing the ransomware to spread more effectively within the compromised network.
BlackByte also capitalizes on the victim’s authorized remote access mechanisms, such as VPNs, to infiltrate networks. This approach marks a slight shift from their earlier use of remote administration tools like AnyDesk, indicating a move towards more covert operations that are harder to detect. By exploiting valid credentials—often obtained through brute-force attacks—the group gains access to critical systems, including VMware vCenter servers. Once inside, they exploit the CVE-2024-37085 vulnerability to escalate privileges, create new accounts, and control virtual machines. This sophisticated level of access allows them to manipulate host server configurations, access system logs, and even modify performance monitoring tools, giving them comprehensive control over the victim’s infrastructure.
Moreover, BlackByte’s lateral movement within compromised networks is facilitated by using Server Message Block (SMB) and Remote Desktop Protocol (RDP). The attackers leverage stolen NTLM hashes for authentication, allowing them to propagate the ransomware across networked systems. The binary’s execution routine includes creating a service on the local system and scanning for network shares, which are then targeted for further infection. This method ensures widespread encryption across the victim’s network, maximizing the damage and increasing the likelihood of ransom payment.
Broader Impact and Targeted Industries
BlackByte’s attacks have had a significant impact across various sectors, with a particular focus on industries such as manufacturing, construction, transportation, warehousing, and professional services. The group’s modus operandi involves double extortion, where they not only encrypt files but also exfiltrate sensitive data. This stolen data is then used to pressure victims into paying the ransom, often under threat of public disclosure on their dark web data leak site. Interestingly, only about 20-30% of BlackByte’s victims are listed on this site, suggesting that many attacks go unreported due to factors such as ransom payments or strategic decisions by the attackers to maintain a lower profile.
The professional scientific and technical services sectors have shown the greatest exposure to the observed vulnerable drivers, accounting for 15% of the total attacks. This is closely followed by the manufacturing and educational services sectors, each comprising 13% of the attacks. The fact that such a small percentage of victims are publicly posted highlights the potential underreporting of incidents and the group’s selective approach to disclosing attacks.
Adaptation and Future Threats
BlackByte’s continuous refinement of its tactics, including its progression in programming languages from C# to more complex languages like Go and C/C++, represents a deliberate effort to enhance the resilience of their malware against detection and analysis. These languages enable the incorporation of advanced anti-analysis and anti-debugging techniques, making the ransomware more difficult for cybersecurity defenses to counter.
Furthermore, the group’s swift exploitation of the CVE-2024-37085 vulnerability shortly after its public disclosure underscores their agility in adopting newly discovered vulnerabilities into their arsenal. This rapid adaptation poses a significant challenge to organizations, which must quickly implement patches and update their security measures to stay ahead of such evolving threats.
Cybersecurity professionals must remain proactive in their defenses, continuously monitoring for new indicators of compromise and updating their security protocols to defend against BlackByte’s advanced tactics.
Purple Shield Security recommends these steps to help organizations mitigate the risks associated with BlackByte’s activities:
- Implement MFA: Enforce multi-factor authentication (MFA) for all remote access and cloud connections. Prioritize “verified push” as the preferred MFA method over less secure options like SMS or phone calls.
- Audit VPN Configuration: Regularly audit your VPN configuration to ensure legacy VPN policies are removed. Deny any authentication attempts that don’t match a current VPN policy by default. Additionally, restrict VPN access to only necessary network segments and services to limit the exposure of critical assets such as Domain Controllers.
- Set Up Alerts: Establish alerts for any changes in privileged groups. Monitor closely for the creation of new user groups or the addition of accounts to domain administrators. Always grant administrative privileges only when necessary, and routinely audit them afterward. Consider using a Privileged Access Management (PAM) solution to streamline the control and monitoring of privileged accounts.
- Limit NTLM Use: Minimize or disable NTLM usage wherever possible and enforce more secure authentication methods like Kerberos. Furthermore, limit the rate of authentication attempts and failures on both public-facing and internal interfaces to prevent automated authentication scanning.
- Disable SMBv1: Disable SMBv1 and enforce SMB signing and encryption to protect your network against lateral movement and malware propagation.
- Deploy EDR Clients: Deploy endpoint detection and response (EDR) clients to all systems throughout the environment. Set an administrator password on EDR clients to prevent unauthorized tampering or removal.
- Manage Vendor Accounts: Disable vendor accounts and remote access capabilities when not in active use to reduce potential entry points for attackers.
- Create Detections: Develop detections for unauthorized configuration changes across your environment. This includes monitoring changes to Windows Defender policies, unauthorized modifications to Group Policy Objects, and the creation of unusual scheduled tasks or installed services.
- Document Password Reset Procedures: Develop and document comprehensive procedures for enterprise password resets. Ensure these procedures allow for quick and complete resetting of all user credentials, including rolling critical Kerberos tickets.
- Harden and Patch ESX Hosts: Harden and patch your ESX hosts regularly to reduce their attack surface. Ensure newly discovered vulnerabilities are corrected as soon as possible to protect these critical servers.