BlackByte Ransomware Utilizes VMware ESXi Vulnerability in Latest Wave of Attacks

Researchers have detected that the group responsible for the BlackByte ransomware attacks has likely been exploiting a recently fixed vulnerability affecting VMware ESXi hypervisors.


The group behind the BlackByte ransomware has likely been exploiting a recently fixed vulnerability in VMware ESXi hypervisors, and is also using various vulnerable drivers to disable security features.

“The strategies employed by the BlackByte ransomware group continue to evolve, incorporating tactics, techniques, and procedures (TTPs) that have been central to their methods since the beginning. They consistently update their use of susceptible drivers to circumvent security measures and deploy a self-spreading, wormable ransomware encryptor,” stated Cisco Talos in a technical analysis shared with The Hacker News.

The cybercrime group's exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that other ransomware groups have previously used, indicates a pivot from their traditional methods.

BlackByte first emerged in the latter part of 2021 and is said to be one of the ransomware variants that appeared just before the dismantling of the infamous Conti ransomware gang.

This ransomware-as-a-service (RaaS) group has a track record of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to gain initial access, while avoiding systems that use Russian and various Eastern European languages.


Like other RaaS groups, they also employ double extortion as part of their attacks, using a name-and-shame approach via a dark web data leak site to pressure victims into paying. Multiple versions of the ransomware, written in C, .NET, and Go, have been seen in the wild.

Although Trustwave released a decryption tool for BlackByte in October 2021, the group has continued to enhance their techniques, even introducing a custom tool named ExByte for data exfiltration before starting encryption.

An advisory issued by the U.S. government in early 2022 attributed the RaaS group to financially motivated attacks on critical infrastructure sectors such as financial, food and agriculture, and government facilities.

A key aspect of their attacks is the utilization of vulnerable drivers to halt security processes and circumvent controls, a strategy known as bring your own vulnerable driver (BYOVD).

During a recent investigation of a BlackByte ransomware incident, Cisco Talos revealed that the intrusion likely began by using valid credentials to access the victim organization’s VPN. The initial access is believed to have been gained through a brute-force attack.

“Given BlackByte’s history of exploiting vulnerabilities in public-facing systems for initial access, the use of VPN for remote access could be indicative of a subtle change in technique or could simply be an opportunistic move,” noted security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans. “Using the victim’s VPN for remote access also provides additional advantages to the adversary, including reduced visibility from the organization’s EDR.”


Subsequently, the threat actor escalated their privileges by using those permissions to access the organization’s VMware vCenter server, where they created new accounts and added them to an Active Directory group named ESX Admins. This leveraged CVE-2024-37085, which allows an attacker to obtain administrator privileges on the hypervisor simply by creating a group with that name and adding any user to it.

These privileges could then be used to manipulate virtual machines (VMs), alter the host server’s configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.
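Because the vulnerability turns on the mere existence of a domain group with a specific name, the creation of, membership changes to, or renames into an "ESX Admins" group are a strong detection signal on the domain controller side. The following Python script is an added example (not part of the Talos analysis or of any product): it scans Windows Security audit events exported as JSON lines and raises an alert for those changes. The event IDs are the standard Windows audit IDs for group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781); the sample events, hosts, users and timestamps are constructed.

```python
import json
import re

# Windows Security audit event IDs for the Active Directory changes that matter here.
# 4727/4731/4754: security-enabled global/local/universal group created
# 4728/4732/4756: member added to a security-enabled global/local/universal group
# 4781: the name of an account (including a group) was changed
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}
WATCHED = GROUP_CREATED | MEMBER_ADDED | ACCOUNT_RENAMED

# The group name CVE-2024-37085 keys on. Matched case-insensitively and with
# flexible whitespace so that trivial casing or spacing variants are not missed.
TARGET_GROUP = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def group_name_of(event):
    """Return the group name an event refers to (the new name for a rename)."""
    if event.get("EventID") in ACCOUNT_RENAMED:
        return event.get("NewTargetUserName", "")
    return event.get("TargetUserName", "")


def find_esx_admins_activity(lines):
    """Scan JSON-lines Security events and return alerts for creation of,
    additions to, or renames into a group called 'ESX Admins'."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        eid = event.get("EventID")
        if eid not in WATCHED or not TARGET_GROUP.match(group_name_of(event)):
            continue
        if eid in GROUP_CREATED:
            action = "group created"
        elif eid in MEMBER_ADDED:
            action = "member added"
        else:
            action = "group renamed"
        alerts.append({
            "time": event.get("TimeCreated"),
            "host": event.get("Computer"),
            "action": action,
            "group": group_name_of(event),
            "actor": event.get("SubjectUserName"),
            "member": event.get("MemberName"),
        })
    return alerts


# Constructed sample events (hypothetical host, users and timestamps), one JSON object per line.
SAMPLE_EVENTS = """
{"TimeCreated": "2024-08-01T10:02:11Z", "Computer": "DC01.example.local", "EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"TimeCreated": "2024-08-01T10:02:40Z", "Computer": "DC01.example.local", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local"}
{"TimeCreated": "2024-08-01T10:05:00Z", "Computer": "DC01.example.local", "EventID": 4727, "SubjectUserName": "hradmin", "TargetUserName": "Finance Users"}
{"TimeCreated": "2024-08-01T10:07:19Z", "Computer": "DC01.example.local", "EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Old Group", "NewTargetUserName": "esx admins"}
{"TimeCreated": "2024-08-01T10:09:33Z", "Computer": "DC01.example.local", "EventID": 4728, "SubjectUserName": "hradmin", "TargetUserName": "Domain Admins", "MemberName": "CN=t.smith,CN=Users,DC=example,DC=local"}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in find_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the script reports three events: the creation of "ESX Admins", the addition of "svc-backup" to it, and the rename of an existing group to "esx admins"; the unrelated "Finance Users" and "Domain Admins" events are ignored. Renames are included deliberately, since an attacker who cannot create groups may still be able to rename one they control.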

Talos emphasized that the exploitation of this vulnerability occurred shortly after it was made public, underscoring how quickly threat actors adapt their strategies to integrate newly disclosed vulnerabilities into their arsenal and enhance their attacks.

Moreover, recent BlackByte attacks end with the encrypted files being renamed with the file extension “blackbytent_h,” and with the encryptor dropping four vulnerable drivers as part of the BYOVD attack. All four drivers follow the same naming pattern: eight random alphanumeric characters, followed by an underscore and a progressively increasing number:

  • AM35W2PH (RtCore64.sys)
  • AM35W2PH_1 (DBUtil_2_3.sys)
  • AM35W2PH_2 (zamguard64.sys aka Terminator)
  • AM35W2PH_3 (gdrv.sys)
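The dropped drivers are renamed, so their original names (RtCore64.sys and so on) are of no use for a filename check; what ties them together is the shared random prefix and the progressive counter. The following Python function is an added example (not tooling from the Talos report) that clusters the entries of a directory listing by that pattern and reports groups of two or more files whose counters form a contiguous run. The listing is constructed; the `.sys` extension on the sample names is an assumption, so the pattern accepts any or no extension.

```python
import re
from collections import defaultdict

# Naming pattern described for the dropped drivers: eight alphanumeric characters,
# optionally followed by an underscore and a counter, plus an optional extension.
DRIVER_NAME = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]{8})(?:_(?P<n>\d+))?(?:\.[A-Za-z0-9]+)?$"
)


def find_driver_clusters(filenames, min_size=2):
    """Group filenames by their eight-character prefix and return the clusters
    of at least `min_size` files whose counters form a contiguous run.
    A bare name (no underscore suffix) is treated as counter 0."""
    by_prefix = defaultdict(dict)
    for name in filenames:
        m = DRIVER_NAME.match(name)
        if not m:
            continue
        n = int(m.group("n")) if m.group("n") is not None else 0
        by_prefix[m.group("prefix")][n] = name

    clusters = {}
    for prefix, members in by_prefix.items():
        if len(members) < min_size:
            continue  # a lone eight-character filename is perfectly ordinary
        counters = sorted(members)
        expected = list(range(counters[0], counters[0] + len(counters)))
        if counters != expected:
            continue  # gaps in the numbering: not the progressive pattern
        clusters[prefix] = [members[n] for n in counters]
    return clusters


# Constructed directory listing (hypothetical), mixing the four pattern-matching
# names from the analysis with benign files that must not be flagged.
SAMPLE_LISTING = [
    "AM35W2PH.sys", "AM35W2PH_1.sys", "AM35W2PH_2.sys", "AM35W2PH_3.sys",
    "RtCore64.sys",   # eight alphanumerics, but a lone file: not a cluster
    "update_1.log",   # prefix too short
    "hal.dll",
]


if __name__ == "__main__":
    for prefix, files in find_driver_clusters(SAMPLE_LISTING).items():
        print(f"{prefix}: {', '.join(files)}")
```

On the sample listing only the `AM35W2PH` cluster is reported. The same function can be run over the image paths from driver-load telemetry (for example Sysmon Event ID 6, "Driver loaded"), which catches the drivers at the moment they are loaded rather than after the fact; a hit should still be confirmed against a hash-based list of known vulnerable drivers, since the naming pattern alone is a heuristic.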

The professional, scientific, and technical services sector shows the highest exposure to the identified vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos has additionally assessed that the threat actor is probably more active than it appears, with only approximately 20-30% of victims being publicly disclosed, although the precise reason for this discrepancy remains unclear.

“BlackByte’s evolution in programming languages from C# to Go and subsequently to C/C++ in the most recent iteration of its encryptor – BlackByteNT – indicates a purposeful move to enhance the malware’s resilience against detection and analysis,” the researchers said.

“Sophisticated languages such as C/C++ allow for the integration of advanced anti-analysis and anti-debugging methods, which have been identified throughout the BlackByte toolkit during thorough examinations by other security analysts.”

The disclosure comes as Group-IB dissects the methodologies linked to two other ransomware variants known as Brain Cipher and RansomHub, highlighting the former’s probable connections with ransomware groups such as EstateRansomware, SenSayQ, and RebornRansomware.

“There exist parallels in style and content between the ransom note of Brain Cipher and those of SenSayQ ransomware,” the Singaporean cybersecurity firm said. “The TOR websites of Brain Cipher ransomware group and SenSayQ ransomware group employ similar technologies and scripts.”

RansomHub, for its part, has been observed recruiting former affiliates of Scattered Spider, a detail that first surfaced last month. The majority of its attacks have targeted the healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.

“To gain initial entry, the affiliates typically procure compromised legitimate domain accounts from Initial Access Brokers (IABs) and external remote services,” Group-IB highlighted, adding that “these accounts have been acquired via LummaC2 stealer.”

“RansomHub’s techniques entail exploiting compromised domain accounts and public VPNs for initial access, followed by data extraction and extensive encryption procedures. Their recent launch of an RaaS affiliate program and utilization of high-demand ransom payments underscore their evolving and assertive strategy.”
