Cyber Chameleons: Why Ransomware Groups like BlackByte Must Evolve to Survive

Overview

BlackByte is a ransomware-as-a-service (RaaS) group that emerged in July 2021. Initially catching the attention of the FBI and U.S. Secret Service for targeting critical infrastructure sectors, BlackByte has adapted to remain effective and profitable in the ever-evolving cybersecurity landscape. This group continues to target organizations globally with a diverse focus on sectors ranging from small businesses to government entities.

Adapt or Perish

In its two years of activity, BlackByte has undergone significant evolution. Initially written in C#, the ransomware introduced multiple variants over time, including versions coded in Go. The early variants relied on AES Symmetric encryption with a consistent key. However, security professionals released a decryptor, prompting the operators to update their encryption approach using multiple keys per session, without external communication.

BlackByte’s infiltration and navigation of victim networks have maintained a degree of consistency. They continue to exploit ProxyShell vulnerabilities for initial access to Microsoft Exchange servers. The group’s persistence and lateral movement strategies involve the use of web shells, Cobalt Strike, AnyDesk, and the NetScan utility for network and host discovery. While the ransomware exhibits recurring features, such as automatic propagation across networks, process hollowing, firewall tampering, volume shadow copy manipulation, registry changes for privileged execution, and robust anti-analysis techniques.

Over time, subtle but noteworthy changes have emerged. These include the adoption of AdFind for domain discovery, the use of RDP and PowerShell for lateral movement, and the deployment of credential collection and abuse tool Mimikatz. Notably, BlackByte shifted from using rar for data collection to a bespoke tool named ExByte, equipped with hardcoded credentials for MEGA.nz for API-based uploads. Additionally, the malware has adjusted its evasion tactics, employing exploits like CVE-2049-16098 to evade security defenses. While this is not an exhaustive list of changes, it demonstrates the group’s ability to adapt and innovate, ensuring its relevance in the realm of cybercrime.

Conclusion

BlackByte’s evolution presents an interesting case study within the realm of cybercrime, showcasing their remarkable adaptability and innovation in response to the ever-changing cybersecurity landscape. Surviving as a cybercriminal group in today’s digital arena speaks not only to their audacity but also their agility. BlackByte understands that simply lingering in the shadows of their predecessors or relying on past tactics will not suffice to maintain relevance. They recognized that the cybersecurity landscape is in a constant state of flux, with defenders becoming increasingly proficient at thwarting traditional ransomware techniques.

In essence, BlackByte’s journey mirrors the enduring cat-and-mouse game played out between cybercriminals and cybersecurity experts, highlighting the dynamic nature of cyber threats. As long as the cybercriminal ecosystem remains lucrative and motivated, groups like BlackByte will persist in evolving, relentlessly pushing the boundaries of innovation in their pursuit of illicit gains. However, this ongoing evolution underscores the critical role played by the cybersecurity community, law enforcement agencies, and organizations worldwide. Their collaborative and adaptive efforts are essential in staying ahead of these threats. It serves as a reminder that the battle against cybercrime is an ongoing one, demanding constant vigilance and cooperation to ensure a safer digital future. Ultimately, the lasting relevance of groups like BlackByte hinges on their ability to outsmart not only their victims but also a united front of cyber defenders committed to safeguarding the digital realm.

_______________________________________________________________________________________________________________ 

The CRITICALSTART® Cyber Research Unit will continue to monitor the situation and work closely with the SOC and Security Engineering team to implement any relevant detections. For future updates the CTI team will post updates via Cyber Operations Risk & Response™ Bulletins and on the Critical Start Intelligence Hub.

References: 


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form