
New BlackByte Exbyte ransomware tactic

Updated on 2022-10-31

The BlackByte ransomware gang is claiming responsibility for an attack on Asahi Group Company Ltd., a precision metal manufacturer, and for the theft of a large volume of financial and sales data. Read more: BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider

Updated on 2022-10-24

Broadcom’s Symantec team published a report on Friday on Exbyte, a data exfiltration tool used by one of the affiliates of the BlackByte RaaS. Exbyte is written in Go and uploads stolen files to the Mega.co.nz cloud storage service.

Updated on 2022-10-21

BlackByte ransomware operators have started deploying a new exfiltration tool, named Exbyte, to speed up data theft by uploading stolen files to external storage. Read more: Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool

Updated on 2022-10-06

The BlackByte ransomware gang was found using the ‘Bring Your Own Vulnerable Driver’ (BYOVD) tactic to evade protections: it loads a legitimately signed but vulnerable driver and uses it to remove the kernel callbacks registered by over 1,000 drivers used by multiple security solutions, leaving the EDR running but blind. Read more: Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

Updated on 2022-10-05

The Sophos research team published a technical report on Tuesday describing a new technique employed by the BlackByte ransomware. Researchers say the group now abuses a vulnerability in the RTCore64.sys driver (CVE-2019-16098, an arbitrary kernel read/write primitive) to remove the kernel notification callbacks that EDR software depends on, limiting its visibility without unloading the security product. RTCore64.sys is a component of MSI Afterburner, an MSI app for overclocking graphics cards; because the driver carries a valid vendor signature, it loads cleanly on a default Windows configuration, which is exactly why BYOVD works.
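The two updates above describe behaviours that show up in endpoint telemetry: a load of the vulnerable RTCore64.sys driver (Sysmon Event ID 6) and a non-browser process talking to Mega storage (Sysmon Event IDs 22 and 3, matching the Exbyte update). The following Python sweep is an added example, not code from this page, Sophos, Symantec or the BlackByte tooling. Everything beyond the RTCore64.sys file name and the Mega.co.nz domain is an assumption made for illustration: the rtcore32.sys entry, the mega.nz apex and API subdomains, the browser allowlist, and all sample events, which are constructed.

```python
"""Sweep Sysmon-style events for two BlackByte TTPs: BYOVD driver loads and
Mega-bound exfiltration traffic. Example code; all sample data is constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Driver file names abused for BYOVD. RTCore64.sys is the MSI Afterburner driver
# named by Sophos; rtcore32.sys (its 32-bit build) is an assumption for illustration.
VULNERABLE_DRIVERS = {"rtcore64.sys", "rtcore32.sys"}

# Mega storage domains. Symantec reports Exbyte uploads to mega.co.nz; the bare
# mega.nz apex and the API/user-storage subdomains are assumed here.
MEGA_DOMAIN_RE = re.compile(r"(^|\.)mega(\.co)?\.nz$", re.IGNORECASE)

# Processes for which Mega traffic is plausibly a user uploading files (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    detail: str


def basename(win_path: str) -> str:
    return PureWindowsPath(win_path).name.lower()


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad). A BYOVD driver carries a valid vendor
    signature, so the decision is made on the file name, never on Signed/Signature."""
    name = basename(ev["ImageLoaded"])
    if name not in VULNERABLE_DRIVERS:
        return None
    detail = f"vulnerable driver {name} loaded from {ev['ImageLoaded']}"
    if ev.get("Signed", "").lower() == "true":
        detail += f" (validly signed by '{ev.get('Signature', '?')}'; the signature does not make it safe)"
    return Finding("byovd_driver_load", ev["Computer"], ev["ImageLoaded"], detail)


def check_mega_traffic(ev):
    """Sysmon Event ID 22 (DNSQuery) or 3 (NetworkConnect) towards Mega.
    A browser reaching Mega is low severity; any other process is high."""
    target = ev.get("QueryName") or ev.get("DestinationHostname") or ""
    if not MEGA_DOMAIN_RE.search(target):
        return None
    proc = basename(ev["Image"])
    severity = "low" if proc in BROWSERS else "high"
    detail = f"{severity}: {proc} contacted {target} (event {ev['EventID']})"
    return Finding("mega_storage_contact", ev["Computer"], ev["Image"], detail)


def sweep(events):
    """Run every event through the rule that applies to its Event ID."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        f = None
        if eid == 6:
            f = check_driver_load(ev)
        elif eid in (3, 22):
            f = check_mega_traffic(ev)
        if f:
            findings.append(f)
    return findings


def correlate(findings):
    """Hosts that show both TTPs (EDR blinding plus Mega contact) get triaged first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"byovd_driver_load", "mega_storage_contact"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


# Constructed sample events (not real telemetry): one compromised file server
# and one workstation with benign activity and a near-miss domain.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\Temp\RTCore64.sys",
     "Signed": "true", "Signature": "MICRO-STAR INTERNATIONAL CO., LTD."},
    {"EventID": 6, "Computer": "WS07", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 22, "Computer": "FS01", "Image": r"C:\Users\Public\svc.exe",
     "QueryName": "g.api.mega.co.nz"},
    {"EventID": 3, "Computer": "FS01", "Image": r"C:\Users\Public\svc.exe",
     "DestinationHostname": "gfs270n123.userstorage.mega.co.nz", "DestinationPort": 443},
    {"EventID": 22, "Computer": "WS07",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "mega.nz"},
    {"EventID": 22, "Computer": "WS07", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "omega.nz"},  # must not match: not a Mega domain
]

if __name__ == "__main__":
    found = sweep(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host} {f.image}: {f.detail}")
    print("hosts with both TTPs:", correlate(found))
```

The driver rule deliberately ignores the signature fields: the point of BYOVD is that the driver is genuinely signed, so a rule that trusts Signed=true would miss it. In production, match on the file hash as well as the name, since the loader can rename the file but not change the hash without breaking the signature.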

Updated in May 2022

BlackByte threat actor goes global with its ransomware

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered one of the big game ransomware groups, which target large, high-profile victims, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leak site on the darknet. The actual Tor address of this site is moved frequently. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.


Cisco Talos has published a report on the BlackByte ransomware crew, which AdvIntel recently connected to the larger Conti operation.

Overview: Advisory Offers BlackByte IoCs and Mitigations

A joint advisory from the FBI and the US Secret Service warns that BlackByte ransomware has been used against organizations in at least three US critical infrastructure sectors. The advisory includes a list of indicators of compromise as well as recommended mitigations.

Note

  • The BlackByte malware bag of tricks includes exploiting unpatched vulnerabilities, particularly on Exchange, and printing ransom notes on all your printers hourly. Ingest the provided IOCs and scan for signs of activity. Also review the mitigations; beyond patching, MFA, and segmentation, consider tagging external email with a banner and either disabling hyperlinks in received mail or adding a hyperlink rewriting (URL protection) capability.


