The Federal Bureau of Investigation (FBI) reports that at least three cyberattacks against critical infrastructure in the United States are linked to groups operating the BlackByte ransomware. In a notice issued in collaboration with the U.S. Secret Service, the agency states that this ransomware-as-a-service (RaaS) group has steadily grown into a considerable threat.
This weekend, the NFL’s San Francisco 49ers confirmed that their systems were compromised during a cyberattack, just hours after the team’s name appeared on BlackByte’s dark web platform.
Some of these attacks were made possible by exploiting a known vulnerability in Microsoft Exchange Server, which gave the attackers initial access to the affected systems. Once inside, they deployed lateral movement tools and escalated privileges in order to steal and then encrypt the data on the system.
Affected users will then find a ransom note in each directory or folder where encrypted files are stored. To negotiate with hackers and make the payment in cryptocurrency, victims will need to access a website hosted on the Tor network.
In their alert, the investigative and intelligence agencies note that in some recorded attacks the hackers only partially encrypted the data, so part of it may be recoverable. It was also found that some older versions of the BlackByte ransomware downloaded a PNG file before starting encryption, whereas newer variants no longer communicate with external IP addresses.
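Partial encryption matters to a responder because the unencrypted portions of a file keep their original low-entropy structure while the overwritten portions look like random bytes. The following script is an added example written for this article, not code from the FBI/Secret Service alert and not a BlackByte artifact: it walks a file in fixed-size chunks, measures the Shannon entropy of each chunk, and merges neighbouring chunks into a map of encrypted versus intact byte ranges, plus the fraction of the file that may still be recoverable. The chunk size, the 7.0 bits/byte threshold, and the sample "partially encrypted" file it builds are all assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # bytes examined per entropy sample (assumed value)
ENTROPY_THRESHOLD = 7.0    # bits/byte; ciphertext sits near 7.9, text and most
                           # office data well below 6 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_regions(data: bytes, chunk_size: int = CHUNK_SIZE,
                 threshold: float = ENTROPY_THRESHOLD):
    """Return a list of (start, end, encrypted) runs covering all of `data`.

    Consecutive chunks with the same classification are merged, so a file that
    was only partially encrypted yields a short map of which offsets were
    overwritten and which still hold original content. The final chunk may be
    shorter than chunk_size; it is still classified on its own bytes."""
    regions = []
    for start in range(0, len(data), chunk_size):
        end = min(start + chunk_size, len(data))
        encrypted = shannon_entropy(data[start:end]) >= threshold
        if regions and regions[-1][2] == encrypted:
            regions[-1] = (regions[-1][0], end, encrypted)   # extend current run
        else:
            regions.append((start, end, encrypted))          # start a new run
    return regions


def recoverable_fraction(regions) -> float:
    """Share of bytes that fall in runs classified as not encrypted."""
    total = sum(end - start for start, end, _ in regions)
    if total == 0:
        return 0.0
    intact = sum(end - start for start, end, enc in regions if not enc)
    return intact / total


def scan_file(path: str):
    """Convenience wrapper: map the regions of an on-disk file."""
    with open(path, "rb") as fh:
        return scan_regions(fh.read())


def build_sample() -> bytes:
    """Constructed stand-in for a partially encrypted file (not a real sample):
    three plaintext chunks, two chunks of seeded pseudo-random bytes standing in
    for ciphertext, then three more plaintext chunks."""
    text = (b"Quarterly report for the finance department. Totals are listed below.\n"
            b"Region,Revenue,Cost,Margin\nNorth,120000,84000,0.30\n")
    plain_chunk = (text * (CHUNK_SIZE // len(text) + 1))[:CHUNK_SIZE]
    rng = random.Random(1)  # seeded so the sample is reproducible
    cipher_chunk = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    return plain_chunk * 3 + cipher_chunk * 2 + plain_chunk * 3


if __name__ == "__main__":
    sample = build_sample()
    for start, end, encrypted in scan_regions(sample):
        label = "ENCRYPTED" if encrypted else "intact   "
        print(f"{label} bytes {start:>7} - {end:>7}")
    print(f"recoverable fraction: {recoverable_fraction(scan_regions(sample)):.2f}")
```

The heuristic is deliberately simple: compressed or already-encrypted content (archives, images, TLS captures) also scores high, so the map is a triage aid for deciding which files and offsets are worth carving or restoring from backup, not proof of which bytes the ransomware touched.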
The ransomware spawns a process to inject code and creates scheduled tasks that delete files and execute specific commands. The alert contains a list of indicators of compromise related to BlackByte attacks, plus several recommended mitigation measures, including:
- Implementation of periodic backups of all your data
- Use network segmentation so that devices are not reachable from every other machine on the network
- Install and update antivirus software on all hosts and enable real-time threat detection
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator and has also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.