The risk actors behind the BlackByte ransomware group have been noticed seemingly exploiting a not too long ago patched safety flaw impacting VMware ESXi hypervisors, whereas additionally leveraging numerous weak drivers to disarm safety protections.
“The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor,” Cisco Talos stated in a technical report shared with The Hacker Information.
The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has additionally been weaponized by different ransomware teams, is an indication that the e-crime group is pivoting from established approaches.
BlackByte made its debut within the second half of 2021 and is presupposed to be one of many ransomware variants to have emerged within the months main as much as shutdown of the notorious Conti ransomware crew.
The ransomware-as-a-service (RaaS) group has a historical past of exploiting ProxyShell vulnerabilities in Microsoft Change Server to acquire preliminary entry, whereas avoiding techniques that use Russian and various Japanese European languages.
Like RaaS teams, it additionally leverages double extortion as a part of assaults, adopting a name-and-shame method through an information leak web site operated on the darkish internet to pressurize victims into paying up. A number of variants of the ransomware, written in C, .NET, and Go, have been noticed within the wild so far.
Whereas a decryptor for BlackByte was launched by Trustwave in October 2021, the group has continued to refine its modus operandi, even going to the extent of using a customized device named ExByte for knowledge exfiltration previous to commencing encryption.
An advisory launched by the U.S. authorities in early 2022 attributed the RaaS group to financially motivated assaults concentrating on crucial infrastructure sectors, together with monetary, meals and agriculture, and authorities amenities.
One of many necessary elements of their assaults is the usage of weak drivers to terminate safety processes and bypass controls, a way often known as convey your individual weak driver (BYOVD).
Cisco Talos, which investigated a latest BlackByte ransomware assault, stated the intrusion was seemingly facilitated utilizing legitimate credentials to entry the sufferer group’s VPN. It is believed that the preliminary entry was obtained via a brute-force assault.
“Given BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or could represent opportunism,” safety researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans stated. “The use of the victim’s VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization’s EDR.”
The risk actor subsequently managed to escalate their privileges, utilizing the permissions to entry the group’s VMware vCenter server to create and add new accounts to an Lively Listing group named ESX Admins. This, Talos stated, was executed by exploiting CVE-2024-37085, which allows an attacker to achieve administrator privileges on the hypervisor by creating a bunch with that title and including any person to it.
This privilege might then be abused to regulate digital machines (VMs), modify host server’s configuration, and achieve unauthorized entry to system logs, diagnostics, and efficiency monitoring instruments.
Talos identified that the exploitation of the flaw occurred inside days of public disclosure, highlighting the velocity at which risk actors refine their techniques to include newly disclosed vulnerabilities into their arsenal and advance their assaults.
Moreover, the latest BlackByte assaults culminate with the encrypted recordsdata being rewritten with the file extension “blackbytent_h,” with the encryptor additionally dropping 4 weak drivers as a part of the BYOVD assault. All of the 4 drivers comply with the same naming conference: Eight random alphanumeric characters adopted by an underscore and an incremental numerical worth –
- AM35W2PH (RtCore64.sys)
- AM35W2PH_1 (DBUtil_2_3.sys)
- AM35W2PH_2 (zamguard64.sys aka Terminator)
- AM35W2PH_3 (gdrv.sys)
The skilled, scientific, and technical companies sectors have the best publicity to the noticed weak drivers, accounting for 15% of the whole, adopted by manufacturing (13%) and academic companies (13%). Talos has additionally assessed that the risk actor is probably going extra energetic than what it seems to be, and that solely an estimated 20-30% of victims are publicly posted, though the precise motive for this disparity stays unclear.
“BlackByte’s development in programming languages from C# to Go and subsequently to C/C++ within the newest model of its encryptor – BlackByteNT – represents a deliberate effort to extend the malware’s resilience towards detection and evaluation,” the researchers stated.
“Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and anti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by other security researchers.”
The disclosure comes as Group-IB unpacked the techniques related to two different ransomware strains tracked as Mind Cipher and RansomHub, underscoring the potential connections of the previous with ransomware teams akin to EstateRansomware, SenSayQ, and RebornRansomware.
“There are similarities in terms of style and content of the Brain Cipher’s ransom note to those by SenSayQ ransomware,” the Singaporean cybersecurity firm stated. “The TOR websites of Brain Cipher ransomware group and SenSayQ ransomware group use similar technologies and scripts.”
RansomHub, then again, has been noticed recruiting former associates of Scattered Spider, a element that first got here to gentle final month. A majority of the assaults have focused healthcare, finance, and authorities sectors within the U.S., Brazil, Italy, Spain, and the U.Ok.
“For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services,” Group-IB stated, including the “accounts have been acquired via LummaC2 stealer.”
“RansomHub’s tactics include leveraging compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high-demand ransom payments illustrate their evolving and aggressive approach.”
