It has been observed that the threat actors behind the BlackByte ransomware group are likely exploiting a recently patched security flaw affecting VMware ESXi hypervisors, as well as using various vulnerable drivers to remove protections.
“The BlackByte ransomware group continues to use the tactics, techniques, and procedures (TTPs) that have been at the core of its trade since its inception, repeatedly using vulnerable drivers to bypass protections and deploying a self-propagating ransomware encryptor,” Cisco Talos said in a technical report shared with The Hacker News.
The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has also been exploited by other ransomware groups, is a sign that the cybercrime group is pivoting from its established approaches.
BlackByte debuted in the second half of 2021 and is believed to be one of the ransomware variants that emerged in the months before the infamous Conti ransomware crew shut down.
The ransomware-as-a-service (RaaS) group has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to gain initial access, while avoiding systems that use Russian and a number of Eastern European languages.
Like other RaaS groups, it also leverages double extortion as part of its attacks, adopting a name-and-shame approach through a data-leak site operating on the dark web to pressure victims into paying. Several variants of the ransomware, written in C, .NET and Go, have been observed in the wild to date.
While a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to refine its tradecraft, even going so far as to use a custom tool called ExByte to exfiltrate data before encryption begins.
An advisory released by the US government in early 2022 attributed to the RaaS group financially motivated attacks targeting critical infrastructure sectors, including financial services, food and agriculture, and government facilities.
One important aspect of its attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a technique known as bring your own vulnerable driver (BYOVD).
Cisco Talos, which investigated the recent BlackByte ransomware attack, said the intrusion was likely facilitated by the use of valid credentials to access the victim organization’s VPN. It is believed that the initial access was gained through a brute force attack.
“Given BlackByte’s history of exploiting open vulnerabilities for initial access, using a VPN for remote access may represent a slight shift in technique or opportunism,” said security researchers James Nutland, Craig Jackson, Terin Valikodat and Brennan Evans. “A victim’s use of a VPN for remote access also provides an adversary with other benefits, including reduced visibility from the organization’s EDR.”
The threat actor subsequently escalated privileges by using those permissions to access the organization’s VMware vCenter server and create new accounts, adding them to an Active Directory group named ESX Admins. This, Talos said, was done by exploiting CVE-2024-37085, which allows an attacker to gain administrative rights on the hypervisor simply by creating a group with that name and adding any user to it.
These privileges can then be abused to manage virtual machines (VMs), change the host server configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.
Talos noted that exploitation of the flaw occurred within days of public disclosure, highlighting the speed with which threat actors are refining their tactics to incorporate newly discovered vulnerabilities into their arsenal and advance their attacks.
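Because the bypass described above hinges on a predictable artifact (an Active Directory group called ESX Admins being created and populated), it is a natural hunting target in the Windows Security log. The following is an added example, not code from the article or from Talos: it parses a constructed, simplified one-line-per-event export (the real event IDs 4727/4728 and their local and universal counterparts are used, but the line layout is an assumption made here for readability) and raises an alert whenever the watched group is created or gains a member, escalating the severity when the same account created the group and added a member within a short window.

```python
import re
from datetime import datetime, timedelta

# Windows Security event IDs for AD group lifecycle events (real values).
GROUP_CREATED = {
    4727: "security-enabled global group created",
    4731: "security-enabled local group created",
    4754: "security-enabled universal group created",
}
MEMBER_ADDED = {
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}

# Group name that CVE-2024-37085 keys on (from the article). Compared case-insensitively
# here as a defensive choice, so a casing variant does not slip past the rule.
WATCHED_GROUP = "esx admins"

# Constructed sample export (assumed layout, not a real evtx/CSV format):
# <timestamp> EventID=<id> Subject=<actor> [Member=<account>] Target=<group or account>
SAMPLE_LOG = r"""
2024-07-28T01:02:03Z EventID=4720 Subject=CORP\svc_backup Target=CORP\tmpuser
2024-07-28T01:05:10Z EventID=4727 Subject=CORP\svc_backup Target=CORP\ESX Admins
2024-07-28T01:05:44Z EventID=4728 Subject=CORP\svc_backup Member=CORP\tmpuser Target=CORP\ESX Admins
2024-07-28T02:11:00Z EventID=4728 Subject=CORP\helpdesk Member=CORP\alice Target=CORP\Finance
2024-07-29T09:00:00Z EventID=4728 Subject=CORP\helpdesk Member=CORP\bob Target=CORP\ESX Admins
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+Subject=(?P<subject>\S+)"
    r"(?:\s+Member=(?P<member>\S+))?\s+Target=(?P<target>.+?)\s*$"
)


def parse_events(text):
    """Turn the sample export into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["id"] = int(e["id"])
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def group_name(target):
    """Strip the DOMAIN\\ prefix; group names may contain spaces, so keep the rest intact."""
    return target.split("\\", 1)[-1].strip()


def find_esx_admins_activity(text, window=timedelta(hours=1)):
    """Alert on creation of, or membership changes to, the watched group.

    Severity is 'high' when the actor that created the group also adds a member
    within `window`, which is the shape of the abuse described in the article;
    any other touch of the group is 'medium' and still worth a look.
    """
    alerts = []
    created_by = {}  # actor -> timestamp of the group creation event
    for e in parse_events(text):
        if group_name(e["target"]).lower() != WATCHED_GROUP:
            continue
        if e["id"] in GROUP_CREATED:
            created_by[e["subject"]] = e["ts"]
            alerts.append({"ts": e["ts"], "id": e["id"], "subject": e["subject"],
                           "member": None, "severity": "medium",
                           "detail": GROUP_CREATED[e["id"]]})
        elif e["id"] in MEMBER_ADDED:
            created = created_by.get(e["subject"])
            chained = created is not None and e["ts"] - created <= window
            alerts.append({"ts": e["ts"], "id": e["id"], "subject": e["subject"],
                           "member": e["member"],
                           "severity": "high" if chained else "medium",
                           "detail": MEMBER_ADDED[e["id"]]})
    return alerts


if __name__ == "__main__":
    for a in find_esx_admins_activity(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts'].isoformat()} {a['subject']} {a['detail']}"
              + (f" (member {a['member']})" if a["member"] else ""))
```

The rule deliberately matches on the group name rather than on a specific actor, because the vulnerability is triggered by the group's existence regardless of who created it; in an environment where that group legitimately exists, the alert list should be reconciled against the change-management record rather than suppressed.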
Additionally, recent BlackByte attacks rewrite encrypted files with the “blackbytent_h” file extension, with the encryptor dropping four vulnerable drivers as part of its BYOVD attack. All four drivers follow the same naming convention: eight random alphanumeric characters, optionally followed by an underscore and a numeric value:
- AM35W2PH (RtCore64.sys)
- AM35W2PH_1 (DBUtil_2_3.sys)
- AM35W2PH_2 (zamguard64.sys, also known as Terminator)
- AM35W2PH_3 (gdrv.sys)
The professional, scientific and technical services sectors are most exposed to the observed vulnerabilities, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos also estimated that the threat actor is likely more active than it appears, and that only about 20-30% of victims are publicly posted, although the exact reason for this discrepancy remains unclear.
“The progression of BlackByte’s programming languages from C# to Go and then to C/C++ in the latest version of its encryptor – BlackByteNT – represents a deliberate attempt to make the malware more resistant to detection and analysis,” the researchers said.
“Sophisticated languages such as C/C++ allow for the inclusion of advanced anti-analysis and anti-debugging techniques that have been seen in BlackByte’s tools during detailed analysis by other security researchers.”
The disclosure comes as Group-IB unpacks the tactics associated with two other ransomware strains tracked as Brain Cipher and RansomHub, highlighting the former’s possible ties to ransomware groups such as EstateRansomware, SenSayQ and RebornRansomware.
“There are similarities in terms of the style and content of the Brain Cipher ransom note with the SenSayQ ransomware,” the Singapore-based cybersecurity firm said. “The TOR websites of the Brain Cipher ransomware group and the SenSayQ ransomware group use similar technologies and scripts.”
RansomHub, on the other hand, has been seen recruiting former Scattered Spider affiliates, a detail that first came to light last month. Most of its attacks have targeted the healthcare, financial and government sectors in the US, Brazil, Italy, Spain and the UK.
“For initial access, affiliates typically purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services,” Group-IB said, adding that “the accounts were obtained using the LummaC2 stealer.”
“RansomHub’s tactics include using compromised domain accounts and public VPNs for initial access, followed by data theft and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high ransom demands illustrate their evolving and aggressive approach.”