BlackByte 2.0 ransomware attacks on the rise
A new report by Microsoft’s Incident Response team documents a surge in BlackByte 2.0 ransomware attacks. The attacks are fast and destructive: the threat actor can complete the entire attack process in just five days.
The report found that BlackByte attackers use a variety of methods to achieve their goals, including exploiting unpatched Microsoft Exchange Servers, deploying web shells for remote access, using tools for persistence and reconnaissance, and deploying Cobalt Strike beacons for command and control.
In addition to encrypting data, BlackByte attackers deploy backdoors that give them continued access to compromised systems. This allows them to steal sensitive data, install additional malware, or launch further attacks with BlackByte 2.0 ransomware.
The threat actor gained access by exploiting vulnerabilities in unpatched Microsoft Exchange Servers, in particular CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Operating from the IP address 185.225.73.244, the attacker obtained system-level access, enumerated user information, planted web shells, and established remote control over the targeted systems; persistence was then set up by creating registry Run keys that launched a payload at user login.
The threat actor then used a backdoor file called api-msvc.dll to collect system data and send it to a command and control (C2) server at hxxps://myvisit.alteksecurity.org/t. Another file, api-system.png, behaved similarly and likewise used Run keys for persistence. Further persistence came from a Cobalt Strike Beacon (sys.exe), downloaded from temp[.]sh, which communicated with its C2 channel at 109.206.243.59:443.
The threat actor also used the remote access program AnyDesk, installed as a service to preserve persistence and support lateral movement across the network. The AnyDesk log reveals connections over Tor and Mullvad VPN.
The threat actor used the network discovery tool NetScan (netscan.exe and netapp.exe) and the Active Directory reconnaissance tool AdFind (f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e) to enumerate the network. Data staging and exfiltration were accomplished with the use of explorer.exe (Trojan:Win64/WinGoObfusc.LK!MT), a file that disabled Microsoft Defender Antivirus.
This ExByte file is a common tool in BlackByte ransomware attacks for gathering and exfiltrating files. Mimikatz is believed to have been used for credential theft, with stolen domain admin credentials then used for lateral movement over Remote Desktop Protocol (RDP) and PowerShell remoting.
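As an added defender-side example, not code from the article or from Microsoft's report, the following Python script matches the indicators quoted above (the two IP addresses, the C2 and download domains, the AdFind SHA-256 hash, the malicious file names, Run-key persistence, and the AnyDesk service installation) against constructed Sysmon-style event lines. The `Key=Value` event format, the field names, and the sample lines are assumptions made for illustration; the indicator values themselves are the ones the article lists.

```python
"""IoC matcher for the BlackByte 2.0 intrusion chain described in the article.

Added example: the event format and SAMPLE_EVENTS below are constructed for
illustration and are not taken from the article or from Microsoft's report.
"""
import ntpath
import re

# Indicators quoted from the article.
IOC_IPS = {"185.225.73.244", "109.206.243.59"}
IOC_DOMAINS = {"myvisit.alteksecurity.org", "temp.sh"}
IOC_SHA256 = {"f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e"}
IOC_FILENAMES = {"api-msvc.dll", "api-system.png", "sys.exe", "netscan.exe", "netapp.exe"}

# Registry Run/RunOnce keys: the persistence location the article describes.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Constructed 'Key=Value' event format (values contain no spaces).
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (Sysmon-style IDs 1/3/13/22 plus a System-log 7045).
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    r"EventID=3 Image=C:\Windows\Temp\sys.exe DestinationIp=109.206.243.59 DestinationPort=443",
    r"EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\Public\api-system.png",
    r"EventID=1 Image=C:\Tools\adfind.exe Hashes=MD5=d41d8cd98f00b204e9800998ecf8427e,SHA256=f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e",
    r"EventID=22 Image=C:\Windows\Temp\api-msvc.dll QueryName=myvisit.alteksecurity.org",
    r"EventID=7045 ServiceName=AnyDesk ImagePath=C:\ProgramData\AnyDesk\AnyDesk.exe",
]


def parse_event(line):
    """Turn one 'Key=Value Key=Value ...' line into a dict of fields."""
    return dict(KV_RE.findall(line))


def match_event(event):
    """Return a list of (category, indicator) hits for one parsed event."""
    hits = []
    for ip_field in ("DestinationIp", "SourceIp"):
        ip = event.get(ip_field)
        if ip in IOC_IPS:
            hits.append(("c2_ip", ip))
    for host_field in ("DestinationHostname", "QueryName"):
        host = event.get(host_field, "").lower()
        if host in IOC_DOMAINS:
            hits.append(("c2_domain", host))
    # Sysmon writes hashes as 'ALGO=hex', comma-separated when several are enabled.
    for algo_val in event.get("Hashes", "").split(","):
        algo, _, val = algo_val.partition("=")
        if algo.upper() == "SHA256" and val.lower() in IOC_SHA256:
            hits.append(("known_hash", val.lower()))
    # File-name match on any path-bearing field (process image, Run-key value, service path).
    for path_field in ("Image", "Details", "ImagePath"):
        name = ntpath.basename(event.get(path_field, "")).lower()
        if name in IOC_FILENAMES:
            hits.append(("known_filename", name))
    # Sysmon 13 = registry value set; flag writes under Run/RunOnce.
    target = event.get("TargetObject", "")
    if event.get("EventID") == "13" and RUN_KEY_RE.search(target):
        hits.append(("run_key_persistence", target))
    # System 7045 = new service installed; flag AnyDesk registered as a service.
    if event.get("EventID") == "7045" and "anydesk" in event.get("ImagePath", "").lower():
        hits.append(("anydesk_service_install", event["ImagePath"]))
    return hits


def scan(lines):
    """Scan event lines and return {line_number: hits} for every line with a hit."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        hits = match_event(parse_event(line))
        if hits:
            findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_EVENTS).items():
        for category, indicator in hits:
            print(f"line {number}: {category} -> {indicator}")
```

Matching on a basename such as sys.exe is deliberately loose (legitimate files can share a name), so in practice the hash, IP and domain hits carry the weight and the file-name and Run-key hits serve as corroborating context for an analyst.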
Furthermore, BlackByte 2.0 ransomware is capable of evading antivirus programs and manipulating the Windows Firewall, the registry, and running processes. It can also encrypt data on network shares, and it uses other techniques to hide its tracks and hamper analysis.
The sources for this piece include an article in TheHackerNews.