The article analyzes BlackByte, a Russian-based ransomware group run as a RaaS that uses double extortion and has evolved its techniques since 2021, including a shift from C# to GoLang and the use of legitimate tools. It also highlights notable incidents (such as the San Francisco 49ers breach) and outlines security defenses such as offline backups and attack surface management. #BlackByte #SOCRadar #ProxyLogon #GoLang #WinRAR #AnyDesk #FBI #USSecretService #SanFrancisco49ers
Key points
- BlackByte is a Russian-based ransomware group run as a ransomware-as-a-service (RaaS) that uses double extortion to pressure victims.
- Targets span manufacturing, education, healthcare, and other sectors across more than 30 countries, with the US as a primary target.
- Initial access relies on phishing and known vulnerabilities (e.g., ProxyLogon); data is exfiltrated before encryption using WinRAR and file-sharing sites, and AnyDesk is used to gain footholds.
- The encryption approach evolved from earlier variants that used a single AES key to newer variants written in GoLang, which complicates static analysis.
- The article discusses a decryptor and a file named forest.png, which holds multiple keys, including the AES key used for encryption; researchers warned that some decryptor approaches could damage files if the keys are misused.
- Time-to-pay decreased from 30 days to 12 days; notable victims include the San Francisco 49ers, with reported data breaches affecting thousands of individuals.
MITRE Techniques
- [T1598] Phishing for Information – ‘Like most ransomware groups, they leverage phishing for initial access.’
- [T1190] Exploit Public-Facing Application – ‘phishing and known vulnerabilities, such as ProxyLogon, for initial access.’
- [T1560.001] Archive Collected Data: Archive via Utility – ‘exfiltrate data before the encryption leveraging WinRAR and file-sharing sites.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – ‘BlackByte software also disables Microsoft Defender software before encrypting files on targeted systems.’
- [T1570] Lateral Tool Transfer – ‘it has a wormable feature that can infect another from the infected system.’
- [T1486] Data Encrypted for Impact – ‘to encrypt files on targeted systems.’
Indicators of Compromise
- [File] forest.png – contains the AES encryption key used to encrypt a device and related key material
- [File] blackbyte-ransom-note.png – ransom note image used by the attackers
- [Domain] github.com – free decryptor for the first variant released on GitHub
Read more: https://socradar.io/dark-web-profile-blackbyte-ransomware/