Modus operandi of BlackByte ransomware
We are living in an era where ransomware is a trending topic. BlackByte is a piece of ransomware that takes advantage of Proxyshell vulnerabilities to gain initial access. This article will learn about this ransomware, how it operates, describe the most important tactics, techniques and procedures (TTP), and guide on ransomware protection.
BlackByte has been a data encryption malware targeting organizations in the wild since July 2021. As mentioned by redcanary experts, the authors behind the ransomware have exploited ProxyShell vulnerabilities present on Microsoft Exchange servers to gain internal access via CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.
As the exploits can drop a file into a specific Operating System (OS) path, criminals use it to create a web shell ASPX to initiate the infection chain.
Figure 1: Web shell dropped into the target path via ProxyShell.
After obtaining the initial foothold, criminals drop a CobalStrike beacon in the form of a Portable Executable File (EXE) that is used to spawn the ransomware and start the encryption process.
Figure 2: CobalStrike beacon used to spawn the ransomware.
Digging into the BlackByte details
At first glance, the ransomware files impersonate Amazon Corp., as observed in Figure 3.
Figure 3: BlackByte ransomware details.
The file has a high entropy (8.0), a clear sign the file is protected with the UPX packer, as observed below. Malware creators often use this kind of approach to hide binary strings, import and export tables, Windows API calls, and so on.
Figure 4: BlackByte ransomware protected by UPX packer.
The following images present the comparison between the packed vs. unpacked BlackByte ransomware file. The protected file has only six calls on the import address table and four from the Kernel32.dll. A scenario with few calls listed on the IAT indicates that a packer was used to obfuscate data.
On the other hand, after unpacking it, 111 API calls and 12 binary sections were listed, allowing us a precise static and dynamic analysis of the ransomware file from this point.
Figure 5: Packed vs. unpacked BlackByte ransomware sample.
After executing the ransomware file in memory, some validations are performed. If the language of the target system is the same as the hardcoded codes, then the ransomware terminates its operation. The complete list is presented below.
Figure 6: BlackByte hardcoded languages; when a match happens, the ransomware terminates.
As observed on other threats of this nature, BlackByte ransomware disables some services and stops target processes before starting the encryption process. This is a well-known TTP used by criminals to avoid errors during the ransomware operation, as opened files or processes cannot be encrypted and accessed by other programs in run-time.
The list of disabled services and all the hardcoded processes to terminate can be found below.
Figure 7: List of disabled services.
Figure 8: List of all the processes terminated during the BlackByte ransomware execution.
BlackByte tries to escalate privileges on the internal network by using three different steps, namely:
- By elevating local privileges on the registry
- Enabling the setting to share network connections between different privilege levels; and
- Setting up long path values for file paths, names, and namespaces ensures that all file names are encrypted without errors.
In addition, BlackByte executes network reconnaissance, including queries to the Active Directory for all of the collected computer hostnames.
The "Raccine Rules Updater" point
An interesting behavior observed during the ransomware execution is creating a new thread responsible for deleting the scheduled task "Raccine Rules Updater" and disabling the SQLTelemetry service. Raccine is a ransomware vaccine created by Florian Roth and capable of intercepting and preventing precursors and active ransomware behavior.
Figure 9: BackByte tries to remove the Raccine task during its execution.
The encryption process
According to the Trustwave research, seconds before the encryption process starts, BlackByte tries to download a .png file from a hardcoded domain that contains an AES key to be used as the encryption key. If the connection fails, the ransomware process crashes.
Figure 10: AES key (symmetric key) used during the encryption process.
The ransom note is created during the encryption process containing instructions on how to contact criminals. The file is an HTA file called "BlackByte_restoremyfiles.hta" as observed below.
Figure 11: BlackByte ransomware note file with all the instructions.
All the damaged files have the" .blackbyte" extension associated. For instance, the file "a.txt" is renamed to "a.txt.blackbyte" and so on.
Figure 12: Example of damaged files after running the BlackByte ransomware.
Finally, BackByte executes living-off-the-land commands to delete all the shadow copies, Windows restore points, disable network discovery, change permissions on files and delete the recycle bin folder. The complete list of commands can be found below.
Figure 13: List of commands executed by BlackByte during its execution.
BlackByte ransomware
Ransomware is an emerging threat that has increased in volume and sophistication in recent years. BlackByte is one of the active data encryption malware types operated by criminals in the wild, and that is using known vulnerabilities to gain initial access and impact organizations worldwide.
Although there is no magic way to stop ransomware in general, sometimes the malware authors introduce some weaknesses during the development of their software which can be used to minimize the impact of a cyberattack by security specialists.
Within the context of the BlackByte ransomware, the experts from Trustwave explained the downloaded png with the AES encryption key is used in both the encryption and decryption process (see Figure 10). As the same file was used to compromise different organizations worldwide, Trustwave uses that key to create a decryptor that can recover the victim's files for free.
Source: https://github.com/SpiderLabs/BlackByteDecryptor
The command lines on how to use the decryption can be found on the GitHub page, and now, all the affected victims can recover their files without paying the ransom.
Sources:
- Ransomware analysis, RedCanary
- Blackbyte TTPs, Trustwave
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Modus operandi of BlackByte ransomware
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis