The BlackByte ransomware group has been linked to cyberattacks in the United States, Europe, and Australia since July 2021. Its victims range from critical infrastructure providers to manufacturing and financial services firms and, most recently, an American football team. BlackByte is believed to operate out of Russia: the ransomware checks the system's default language and avoids machines where Russian or another Commonwealth of Independent States language is the default.
As with any emerging threat, it's helpful to understand the primary steps that BlackByte takes in compromising target networks so that you can build a more effective defense strategy.
Initial Access
Like the Conti ransomware group, BlackByte's playbook starts by exploiting known vulnerabilities in public-facing servers such as Microsoft Exchange. Detecting those exploitation attempts is complicated by the fact that traffic to and from these services is TLS-encrypted, which hides the request contents from most detection systems.
Organizations should monitor and patch public-facing infrastructure for vulnerabilities such as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and the related Exchange CVEs), both of which BlackByte commonly exploits. Security teams should also inspect encrypted traffic where possible, including TLS 1.2 and 1.3 with perfect forward secrecy, so that attackers cannot hide exploitation attempts inside it. Note that forward-secret cipher suites cannot be decrypted passively with the server's private key; inspecting them means either forwarding session keys from the servers to the inspection point or terminating TLS in front of them. The web server's own request logs, written after TLS termination, are a second place where these attempts leave traces regardless of encryption.
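As an added example (not code from the original post, and not a published signature), here is a detector for the ProxyShell request shape in Exchange's IIS W3C logs, which record each request after TLS termination. The log lines are constructed for the example; the rule is a heuristic keyed on the public ProxyShell path-confusion pattern, an Autodiscover request whose Email= parameter points back at autodiscover.json, and the host names and IPs are placeholders.

```python
"""Flag ProxyShell-style path-confusion requests in IIS W3C logs.

Added example, not from the original post. The log lines are constructed and
the rule is a heuristic based on the public ProxyShell request shape.
"""
from urllib.parse import unquote

# Constructed IIS W3C log excerpt. IIS writes one space-separated record per
# request and names the columns in a #Fields: directive. Line 2 is a normal
# Autodiscover v2 request (a mailbox address in Email=) and must not match.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 45
2021-08-12 10:15:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=ActiveSync 443 - 198.51.100.4 Outlook/16.0 - 200 0 0 30
2021-08-12 10:15:07 10.0.0.5 GET /autodiscover/autodiscover.json @attacker.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@attacker.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 120
2021-08-12 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.test/PowerShell/?&Email=autodiscover/autodiscover.json%3F@attacker.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 310
"""


def parse_iis_w3c(text):
    """Yield one dict per request record, taking column names from #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed record; skip rather than guess at columns
        yield dict(zip(fields, values))


def is_proxyshell_shape(record):
    """True when an Autodiscover request carries the path-confusion token."""
    if not record["cs-uri-stem"].lower().endswith("/autodiscover/autodiscover.json"):
        return False
    # Decode once: the exploit URL-encodes the '?' so the string survives the
    # front-end rewrite. A legitimate Autodiscover v2 query has a mailbox
    # address in Email=, never a second reference to autodiscover.json.
    query = unquote(record["cs-uri-query"]).lower()
    return query.startswith("@") or "autodiscover.json?@" in query


def find_proxyshell_attempts(text):
    """Return matching records with the backend path the request reached for."""
    hits = []
    for rec in parse_iis_w3c(text):
        if not is_proxyshell_shape(rec):
            continue
        decoded = unquote(rec["cs-uri-query"])
        # "@host/mapi/nspi/?..." -> "/mapi/nspi/": the internal endpoint targeted
        hostpath = decoded.split("?")[0].lstrip("@")
        backend = "/" + hostpath.split("/", 1)[1] if "/" in hostpath else ""
        hits.append({"client": rec["c-ip"], "method": rec["cs-method"],
                     "backend": backend, "status": int(rec["sc-status"])})
    return hits


if __name__ == "__main__":
    for hit in find_proxyshell_attempts(SAMPLE_IIS_LOG):
        print(hit)
```

A 200 on one of these requests means the front end forwarded it to the backend; a 4xx usually indicates a scanner probing a patched server, which is still worth recording against the source address.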
Midgame
The BlackByte group, like many malicious actors, relies on toolkits like Cobalt Strike to provide the necessary modules for the post-exploitation or midgame phase of their attacks. During the midgame, an attacker has successfully compromised perimeter security and is focusing on internal reconnaissance, lateral movement, and privilege escalation. Penetration testing kits like Cobalt Strike provide command and control, reconnaissance, evasion, and privilege escalation tools in neatly bundled and easily automated packages.
By leveraging prepackaged tools and known attack techniques, groups like BlackByte can move laterally at speed, compromising numerous systems and disabling security tooling such as EDR and remote logging along the way. Detecting these lateral movement and living-off-the-land techniques has always been difficult because internal network security tools and controls receive far less attention than the perimeter. To make matters worse, many organizations are working to encrypt all internal traffic, widening the visibility gap that attackers exploit to remain covert.
Midgame Defense Tactics that Stop BlackByte
Addressing this visibility and detection gap requires organizations to adopt a post-compromise mindset and security posture. SecOps teams must operate from the assumption that their network is already compromised and implement visibility and detection solutions such as strategic decryption. Decrypting commonly abused protocols like SMBv3, MS-RPC, NTLM, and Kerberos is critical to reducing an attacker's ability to operate unseen and to ensuring that malicious behavior is detected. In practice this means provisioning the sensor with the domain's service keys or forwarded session keys; passive capture alone cannot open these sessions.
Lateral movement, network enumeration, and exploit attempts against internal services all give security products opportunities to detect malicious activity. However, many SecOps teams are losing visibility into these techniques as organizations extend encryption to internal network traffic.
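The lateral movement described in the midgame section leaves a shape that is visible in whatever record of authentications you have, whether decrypted SMB and RPC sessions from a network sensor or host logon events: one identity reaching many hosts in a short window, followed by new services appearing on those hosts. The following is an added example, not code from the original post or any vendor product, that runs that logic over constructed Windows Security (4624) and System (7045) records. The dict keys (account, src_ip, host, logon_type, service) are this example's own names rather than EVTX field names, and the thresholds are starting points to tune, not published numbers.

```python
"""Detect one identity fanning out across many hosts, then a new service behind it.

Added example, not from the original post. Events are constructed; field
names and thresholds are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


def logon(t, account, src_ip, host):
    # 4624 with logon type 3 is a network logon: what SMB, RPC and WinRM access looks like
    return {"time": ts(t), "event_id": 4624, "logon_type": 3,
            "account": account, "src_ip": src_ip, "host": host}


# Constructed timeline: svc_backup reaches six hosts from 10.0.0.23 in six
# minutes and a service is installed on FS02 in between; alice's single
# logon is ordinary traffic and must stay quiet.
SAMPLE_EVENTS = [
    logon("2022-02-14T10:00:05", "svc_backup", "10.0.0.23", "FS01"),
    logon("2022-02-14T10:00:41", "alice", "10.0.0.50", "FS01"),
    logon("2022-02-14T10:01:12", "svc_backup", "10.0.0.23", "FS02"),
    {"time": ts("2022-02-14T10:01:50"), "event_id": 7045, "host": "FS02",
     "account": "svc_backup", "service": "PSEXESVC"},
    logon("2022-02-14T10:02:30", "svc_backup", "10.0.0.23", "DC01"),
    logon("2022-02-14T10:03:10", "svc_backup", "10.0.0.23", "WS-104"),
    logon("2022-02-14T10:04:02", "svc_backup", "10.0.0.23", "WS-105"),
    logon("2022-02-14T10:05:45", "svc_backup", "10.0.0.23", "APP02"),
]


def fanout_alerts(events, min_hosts=5, window=timedelta(minutes=10), allow_sources=frozenset()):
    """One alert per (account, source IP) that reaches min_hosts distinct hosts
    by network logon inside a sliding window. allow_sources suppresses known
    scanners and backup servers that legitimately touch everything."""
    logons = sorted(
        (e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 3
         and e["src_ip"] not in allow_sources),
        key=lambda e: e["time"])
    by_actor = defaultdict(list)
    for e in logons:
        by_actor[(e["account"], e["src_ip"])].append(e)

    alerts = []
    for (account, src_ip), evs in by_actor.items():
        alert, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) < min_hosts:
                continue
            if alert is None:
                alert = {"account": account, "src_ip": src_ip, "hosts": set(),
                         "first": evs[start]["time"], "severity": "medium"}
                alerts.append(alert)
            # keep extending the same alert while the burst continues
            alert["hosts"] |= hosts
            alert["last"] = evs[end]["time"]
    for a in alerts:
        a["hosts"] = sorted(a["hosts"])
    return alerts


def escalate_on_service_install(alerts, events, grace=timedelta(minutes=5)):
    """Raise severity when a new service (7045) appears on a fanned-out host
    during the burst: the PsExec / Cobalt Strike jump psexec pattern."""
    installs = [e for e in events if e["event_id"] == 7045]
    for a in alerts:
        hit = [(s["host"], s["service"]) for s in installs
               if s["host"] in a["hosts"] and a["first"] <= s["time"] <= a["last"] + grace]
        if hit:
            a["severity"] = "high"
            a["services"] = hit
    return alerts


if __name__ == "__main__":
    for a in escalate_on_service_install(fanout_alerts(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(a)
```

The allowlist is the part that decides whether this rule survives contact with a real estate: vulnerability scanners, backup servers, and monitoring hosts fan out every day, and without excluding them the alert drowns.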
When responding to an active attack, precision matters. Response actions must stop the spread of malicious activity, but they must also be targeted enough to minimize collateral impact on the organization's infrastructure: isolating one compromised host is quickly reversible, while blocking a whole subnet that also carries production traffic may not be.
Integrating security products like network detection and response (NDR), firewalls, endpoint detection and response (EDR), identity and access management (IAM), network access controls (NAC), and more can allow security teams to respond to malicious activity with greater precision.
Endgame, AKA Ransomware Event
Ransomware attacks take a variety of forms, including encrypting local file systems and network file shares, and they typically exfiltrate information critical to business operations before encrypting it. Each of these steps gives defenders a potential detection opportunity.
Exfiltration of data to anonymous file-sharing sites is a late-stage indicator of many ransomware attacks, including BlackByte's. BlackByte is known to upload large quantities of victims' customer data, later used to extort additional payments, to file-sharing sites including:
- Anonymfiles[.]com
- file[.]io
Like data staging and exfiltration, the encryption of network file shares creates distinctive traffic patterns: a single client reading, writing, and renaming files across a share at machine speed, far faster than any user works. Security products can use these patterns to detect active ransomware. In the case of BlackByte, the ransomware also drops ransom notes containing instructions on how to contact the attackers, pay the ransom, and decrypt files.
IOCs associated with BlackByte include:
- BlackByte_restoremyfiles.hta - the ransom note
- Encrypted files with the extension "*.blackbyte"
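As an added example (not code from the original post), the two late-stage signals above, uploads to the named file-sharing sites and a burst of share writes carrying the .blackbyte extension or the ransom note, can be checked with a few lines over proxy records and SMB file-operation events. The records below are constructed. The domains and file IOCs come from this post (written undefanged so they match real log data); the byte and per-minute thresholds are assumptions to tune per environment.

```python
"""Late-stage BlackByte detections: uploads to anonymous file-sharing sites and
a burst of share writes carrying the .blackbyte extension or the ransom note.

Added example, not from the original post. Records are constructed;
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_DOMAINS = ("anonymfiles.com", "file.io")
UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024   # assumed: 50 MiB from one client to one host
RANSOM_NOTE = "BlackByte_restoremyfiles.hta"
ENCRYPTED_EXT = ".blackbyte"


def ts(s):
    return datetime.fromisoformat(s)


def is_exfil_domain(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


# Constructed web-proxy records: client, destination host, bytes sent upstream.
SAMPLE_PROXY = [
    {"time": ts("2022-02-14T11:02:10"), "client": "10.0.0.50", "host": "sharepoint.example.test", "method": "POST", "bytes_out": 2_000_000},
    {"time": ts("2022-02-14T11:05:33"), "client": "10.0.0.23", "host": "file.io", "method": "POST", "bytes_out": 38_000_000},
    {"time": ts("2022-02-14T11:06:01"), "client": "10.0.0.23", "host": "anonymfiles.com", "method": "POST", "bytes_out": 90_000_000},
    {"time": ts("2022-02-14T11:06:40"), "client": "10.0.0.23", "host": "anonymfiles.com", "method": "POST", "bytes_out": 35_000_000},
    {"time": ts("2022-02-14T11:09:12"), "client": "10.0.0.71", "host": "cdn.example.test", "method": "GET", "bytes_out": 900},
    {"time": ts("2022-02-14T11:11:45"), "client": "10.0.0.71", "host": "backup-peer.example.test", "method": "PUT", "bytes_out": 80_000_000},
]


def exfil_alerts(records, threshold=UPLOAD_BYTES_THRESHOLD):
    """Flag any upload to a known anonymous file-sharing site, and any
    client/destination pair whose total upload volume exceeds threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("POST", "PUT"):
            totals[(r["client"], r["host"])] += r["bytes_out"]
    alerts = []
    for (client, host), total in totals.items():
        if is_exfil_domain(host):
            reason = "upload to known anonymous file-sharing site"
        elif total >= threshold:
            reason = "upload volume above threshold"
        else:
            continue
        alerts.append({"client": client, "host": host, "bytes_out": total, "reason": reason})
    return alerts


def build_sample_file_events():
    """Constructed SMB file-operation events: alice's routine save, then one
    account renaming 25 files to .blackbyte and dropping the note within 25s."""
    events = [{"time": ts("2022-02-14T11:20:00"), "host": "FS01", "user": "alice",
               "share": "finance", "op": "write", "path": "q1\\budget.xlsx"}]
    base = ts("2022-02-14T11:30:00")
    for i in range(25):
        t = base + timedelta(seconds=i)
        events.append({"time": t, "host": "FS01", "user": "svc_backup", "share": "finance",
                       "op": "rename", "path": f"q1\\report{i}.xlsx{ENCRYPTED_EXT}"})
        if i % 10 == 0:
            events.append({"time": t, "host": "FS01", "user": "svc_backup", "share": "finance",
                           "op": "write", "path": "q1\\" + RANSOM_NOTE})
    return events


def _matches_ioc(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.endswith(ENCRYPTED_EXT) or name == RANSOM_NOTE.lower()


def encryption_burst_alerts(file_events, min_ops_per_minute=20):
    """Bucket IOC-matching file operations per (user, host, share, minute);
    a full bucket is an encryption run in progress, not a user saving files."""
    buckets = defaultdict(list)
    for e in file_events:
        if _matches_ioc(e["path"]):
            minute = e["time"].replace(second=0, microsecond=0)
            buckets[(e["user"], e["host"], e["share"], minute)].append(e)
    alerts = []
    for (user, host, share, minute), evs in buckets.items():
        if len(evs) >= min_ops_per_minute:
            notes = sorted({e["path"] for e in evs if e["path"].lower().endswith(RANSOM_NOTE.lower())})
            alerts.append({"user": user, "host": host, "share": share, "minute": minute,
                           "ops": len(evs), "ransom_notes": notes})
    return alerts


if __name__ == "__main__":
    for a in exfil_alerts(SAMPLE_PROXY) + encryption_burst_alerts(build_sample_file_events()):
        print(a)
```

The extension and note name are the cheapest signals and also the easiest for the operators to change between builds, so the rate-based rule (many renames per minute from one account on one share) is the one to keep even after the IOC list goes stale.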
BlackByte Mitigation Strategies
Conventional ransomware prevention strategies typically center on tighter access controls and training users to recognize phishing attempts. Because access controls are complex to implement and manage, and user training yields limited gains, these approaches have proven necessary but only partially effective.
Instead, it is critical that organizations understand that a layered approach to cybersecurity is necessary to defend against advanced attackers like BlackByte. Organizations must embrace a post-compromise security mindset with processes and tooling to detect attackers at every stage of the kill chain. This includes endpoint and network visibility tools which are necessary to detect intrusions and lateral movement, allowing SecOps to stop an attack before a full-scale breach. No single security solution is capable of addressing the breadth and depth of the modern threat landscape. As such it is critical to constantly evaluate an organization's defensive posture, and adapt as conditions change.
In addition to the steps above, and perhaps more importantly, organizations should harden their defenses by implementing good operational and security practices. The FBI and USSS Joint Cybersecurity Advisory on BlackByte outlines some of the most important steps organizations should take to mitigate the risk of ransomware attacks.
The mitigation steps, as specified in the advisory, are as follows:
- Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation, such that all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus software on all hosts, and enable real time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use double authentication when logging into accounts or services.
- Ensure routine auditing is conducted for all accounts.
- Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
Understanding the Ransomware Playbook
The end goal of the modern ransomware playbook is to make money. Extorting payments from targeted organizations is sometimes only the first step; selling stolen data to black market buyers is often a second revenue stream. As with any business, time equals money. The harder an organization is to break into, the more time attackers must spend researching and identifying points of vulnerability to exploit, and the more time it takes to gain access to an organization's infrastructure, the less likely that organization is to be targeted.
It is critical that organizational leadership and SecOps teams are aware of this calculus. The implementation and continual updating of robust mitigation, detection, and response strategies will significantly reduce the likelihood of cyberattacks including ransomware while ensuring that organizations have the necessary tools, policies, and procedures in place to respond to threats rapidly and effectively.
The reality is that, just like normal users and security operators, ransomware groups have needs that must be met in order to be successful. In order to obtain the privileges necessary to access the systems that store critical data attackers must establish command and control, recon the environment, identify weak points, and move laterally. At each step, security teams have an opportunity to detect and respond to ongoing threats before they result in costly breaches.