
BlackByte Ransomware Targets Critical Infrastructure


The FBI and US Secret Service released an advisory regarding BlackByte ransomware, which compromised multiple US and foreign businesses, including three entities that are part of US critical infrastructure. These three unnamed entities belonged to the government, financial, and food and agriculture verticals. The threat actors behind BlackByte also claimed they hacked networks belonging to the San Francisco 49ers in mid-February 2022.



BlackByte was observed in the wild as early as July 2021 and appears to be operated under a ransomware-as-a-service (RaaS) model. The FBI and Secret Service advisory states that BlackByte targets Windows systems and encrypts files on both physical and virtual servers. In some cases, the initial infection vector was an unspecified Microsoft Exchange Server vulnerability. A late 2021 blog post by Red Canary noted BlackByte using the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 to gain initial access.


Trustwave profiled BlackByte ransomware in late 2021, after discovering the malware during incident response. They noted several defining characteristics of BlackByte ransomware:


The JScript launcher for BlackByte uses what appears to be garbage code to obfuscate the real code.


BlackByte is a ransomware family that, like REvil and several others, avoids infecting machines using Russian or ex-USSR language packs.


BlackByte’s worm functionality is similar to that of Ryuk ransomware.


BlackByte creates a wake-on-LAN magic packet to send to the victim machine to make sure it is alive during the infection process.


The threat actors responsible for BlackByte hosted the encryption key on a remote HTTP server, in a hidden file with a .PNG extension.


The threat actors included a feature triggering a crash if the program fails to download the encryption key.


BlackByte uses an RSA public key embedded in its body only once, to encrypt the raw key that is displayed in the ransom note.


BlackByte only uses one symmetric AES key for file encryption.


Despite BlackByte having no exfiltration functionality, it links the victim to an auction site to scare the victim into paying ransom to avoid data leaks.
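The wake-on-LAN behaviour noted above is a useful network-side signal: a workstation that starts emitting magic packets during an incident is worth flagging. The following Python is an added example, not code from PolySwarm, Trustwave, or the advisory; it decodes the standard magic packet layout (6 bytes of 0xFF followed by the target MAC repeated 16 times, with an optional 4- or 6-byte SecureOn password) and reports packets sent by hosts outside an allow-list. The sender addresses, the allow-list and the sample records are constructed for the example.

```python
"""Decode wake-on-LAN magic packets and flag unexpected senders.

Added example for this bulletin; not tooling from PolySwarm, Trustwave or the
FBI/USSS advisory. All addresses and records below are constructed.
"""

SYNC = b"\xff" * 6          # magic packet synchronisation stream
MAC_LEN = 6
BODY_LEN = len(SYNC) + MAC_LEN * 16   # 102 bytes before any SecureOn password


def parse_magic_packet(payload: bytes):
    """Return {'mac': ..., 'password': ...} if payload is a well-formed
    magic packet, otherwise None."""
    if len(payload) < BODY_LEN or payload[:len(SYNC)] != SYNC:
        return None
    mac = payload[len(SYNC):len(SYNC) + MAC_LEN]
    # The target MAC must be repeated exactly 16 times after the sync stream.
    if payload[len(SYNC):BODY_LEN] != mac * 16:
        return None
    trailer = payload[BODY_LEN:]
    # Only an empty, 4-byte or 6-byte SecureOn password may follow the body.
    if len(trailer) not in (0, 4, 6):
        return None
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "password": trailer.hex() or None,
    }


# Constructed allow-list: hosts that legitimately send WoL on this network.
AUTHORIZED_WOL_SENDERS = {"10.0.0.5"}


def find_suspicious_wol(records, authorized=AUTHORIZED_WOL_SENDERS):
    """records: iterable of (src_ip, dst_port, udp_payload).
    Returns a list of findings for magic packets from unauthorised senders."""
    findings = []
    for src, dport, payload in records:
        pkt = parse_magic_packet(payload)
        if pkt is None:
            continue                      # not a magic packet; ignore
        if src not in authorized:
            findings.append({"src": src, "dport": dport,
                             "target_mac": pkt["mac"]})
    return findings


def build_magic_packet(mac: str) -> bytes:
    """Construct a magic packet for a MAC string; used only to build the
    sample input below."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * 16


# Constructed sample capture: (source IP, destination UDP port, payload).
SAMPLE_RECORDS = [
    ("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:55")),   # authorised
    ("10.0.0.77", 9, build_magic_packet("00:11:22:33:44:55")),  # workstation
    ("10.0.0.77", 9, SYNC + b"garbage"),                        # malformed
    ("10.0.0.77", 53, b"\x12\x34" + b"\x00" * 40),              # not WoL
]


if __name__ == "__main__":
    for finding in find_suspicious_wol(SAMPLE_RECORDS):
        print(f"WoL from unexpected host {finding['src']} "
              f"-> {finding['target_mac']} (udp/{finding['dport']})")
```

In practice the records would come from a packet capture or a NetFlow-style feed that retains UDP payloads (magic packets are normally broadcast to UDP port 7 or 9); the point is that the parser rejects anything that does not match the exact layout, so a noisy source of short 0xFF-prefixed frames will not generate false findings.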


According to the government advisory, a newer version of BlackByte encrypts without communicating with any external IP addresses, and process injection into processes it creates has been observed.


Trustwave has provided a decryption key for BlackByte.


IOCs


PolySwarm has multiple samples associated with BlackByte ransomware.


Hashes


1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad


91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e


c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da


884e96a75dc568075e845ccac2d4b4ccec68017e6ef258c7c03da8c88a597534


829751cfdc2376e916244f94baf839ce4491ccb75f0a89778c092bde79bd8643
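To put the hashes above to use, the following Python is an added example (not PolySwarm's tooling) that embeds the five SHA-256 values listed in this bulletin, hashes files in streaming fashion so large samples do not have to be read into memory, and reports any file whose digest matches. The `scan_directory` function and the in-memory `match_iocs` helper are assumptions of this example; the sample bytes used in the usage note are constructed.

```python
"""Match files against the BlackByte SHA-256 IOCs from this bulletin.

Added example; not PolySwarm's tooling. The hash set is copied from the
bulletin and lowercased so comparisons are case-insensitive.
"""
import hashlib
from pathlib import Path

BLACKBYTE_SHA256 = {
    "1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad",
    "91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130050cb8ed36b4eec3e",
    "c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da",
    "884e96a75dc568075e845ccac2d4b4ccec68017e6ef258c7c03da8c88a597534",
    "829751cfdc2376e916244f94baf839ce4491ccb75f0a89778c092bde79bd8643",
}


def normalize_hash(h: str) -> str:
    """Lowercase and strip whitespace so hashes copied from reports compare
    reliably."""
    return h.strip().lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in chunks (default 1 MiB)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_iocs(samples, iocs=BLACKBYTE_SHA256):
    """samples: mapping of name -> bytes (e.g. attachments pulled from a
    mail gateway). Returns {name: sha256} for every sample whose digest is
    in the IOC set."""
    wanted = {normalize_hash(h) for h in iocs}
    return {name: sha256_hex(data) for name, data in samples.items()
            if sha256_hex(data) in wanted}


def scan_directory(root, iocs=BLACKBYTE_SHA256):
    """Recursively hash every regular file under root and return
    {path: sha256} for matches. Unreadable files are skipped, not fatal."""
    wanted = {normalize_hash(h) for h in iocs}
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in wanted:
            hits[str(path)] = digest
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_directory(root).items():
        print(f"MATCH {digest}  {path}")
```

Hash-based matching only catches the exact samples listed; a recompiled or repacked build will have a different digest, so treat a miss as "not one of these five files" rather than "not BlackByte". Running it as `python scan.py /path/to/quarantine` prints one line per match.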






Topics: Threat Bulletin, critical infrastructure, BlackByte, Ransomware
