Updated on 2022-10-31
The BlackByte ransomware gang is claiming responsibility for an attack on Asahi Group Company Ltd., a precision metal manufacturer, and for the theft of a large amount of financial and sales data. Read more: BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider
Updated on 2022-10-24
Broadcom’s Symantec team published a report on Friday on Exbyte, a data exfiltration tool used by one of the affiliates of the BlackByte RaaS. Exbyte is written in Go and is designed to upload stolen files to the Mega.co.nz cloud storage service.
Updated on 2022-10-21
BlackByte ransomware operators have started deploying a new exfiltration tool, named Exbyte, to speed up data theft and upload the stolen files to cloud storage outside the victim network. Read more: Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
Updated on 2022-10-06
The BlackByte ransomware gang was found using the ‘Bring Your Own Vulnerable Driver’ (BYOVD) tactic to evade protections, removing the kernel callbacks of over 1,000 drivers used by multiple security solutions. Read more: Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
Updated on 2022-10-05
The Sophos research team published a technical report on Tuesday describing a new technique employed by the BlackByte ransomware. Researchers say the group now abuses a vulnerability in the RTCore64.sys driver to remove the kernel callbacks registered by EDR software, blinding it to the ransomware's activity. RTCore64.sys is a component of MSI Afterburner, an MSI app for overclocking graphics cards. Read more:
- Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
- What is RTCore64?
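As an added example (not code from this page, from Sophos or from Symantec), the following Python detection pass runs over constructed Sysmon-style telemetry and flags the two tradecraft items reported above: a kernel load of RTCore64.sys (the BYOVD step) and repeated egress to Mega, where Exbyte stages stolen files. The event format, the field names, the "MSI Afterburner" install-directory heuristic and the inclusion of the mega.nz domain alongside mega.co.nz are assumptions made for the example; the sample events are constructed, not real logs.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). Field names loosely follow
# Sysmon: EventID 6 = driver loaded, EventID 3 = network connection.
SAMPLE_EVENTS = [
    "2022-10-04T10:01:12Z host=WS01 EventID=6 ImageLoaded=C:\\Windows\\Temp\\RTCore64.sys Signature=Micro-Star International",
    "2022-10-04T10:01:13Z host=WS01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signature=Microsoft Windows",
    "2022-10-04T10:05:40Z host=WS01 EventID=3 Image=C:\\Users\\Public\\exbyte.exe DestinationHostname=g.api.mega.co.nz DestinationPort=443",
    "2022-10-04T10:05:41Z host=WS01 EventID=3 Image=C:\\Users\\Public\\exbyte.exe DestinationHostname=gfs.userstorage.mega.co.nz DestinationPort=443",
    "2022-10-04T10:06:02Z host=WS02 EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=www.example.com DestinationPort=443",
    "2022-10-04T10:07:15Z host=WS02 EventID=6 ImageLoaded=C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys Signature=Micro-Star International",
]

# Driver named on this page as abused by BlackByte to strip EDR kernel callbacks.
VULNERABLE_DRIVERS = {"rtcore64.sys"}
# Mega domains: mega.co.nz from the page; mega.nz added as an assumption.
MEGA_DOMAINS = ("mega.co.nz", "mega.nz")


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value key=value ...' line into a dict.

    Values may contain spaces (Windows paths), so a value runs until the
    next ' key=' token rather than the next space."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s\w+=|\s*$)", rest):
        fields[key] = value
    return fields


def is_mega_host(hostname: str) -> bool:
    """True if hostname is a Mega domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in MEGA_DOMAINS)


def find_vulnerable_driver_loads(events: list) -> list:
    """Flag driver-load events whose file name is on the vulnerable list.

    Matching on the file name alone catches the driver wherever it was
    dropped; loading from outside the product's own install directory is
    recorded as a stronger signal (heuristic, assumed for the example)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        path = ev.get("ImageLoaded", "")
        if PureWindowsPath(path).name.lower() in VULNERABLE_DRIVERS:
            hits.append({
                "timestamp": ev["timestamp"],
                "host": ev["host"],
                "path": path,
                "outside_install_dir": "msi afterburner" not in path.lower(),
            })
    return hits


def find_mega_egress(events: list) -> dict:
    """Count network connections to Mega per (host, process image)."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") == "3" and is_mega_host(ev.get("DestinationHostname", "")):
            counts[(ev["host"], ev.get("Image", "?"))] += 1
    return dict(counts)


def scan(lines: list) -> dict:
    """Run both detections over raw log lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "driver_loads": find_vulnerable_driver_loads(events),
        "mega_egress": find_mega_egress(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(scan(SAMPLE_EVENTS))
```

On the constructed sample, the pass reports both RTCore64.sys loads (the one from C:\Windows\Temp marked as outside the install directory) and two Mega connections from exbyte.exe on WS01. In production, a single RTCore64.sys load on a server that has no reason to run MSI Afterburner is worth an alert on its own; the Mega count is best paired with transfer volume, which this simplified event format does not carry.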
Updated in May 2022
BlackByte threat actor goes global with its ransomware
The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual Tor address of this site is frequently moved. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.
Overview: Advisory Offers BlackByte IoCs and Mitigations
A joint advisory from the FBI and the US Secret Service warns that BlackByte ransomware has been used against organizations in at least three US critical infrastructure sectors. The advisory includes a list of indicators of compromise as well as recommended mitigations.
- The BlackByte malware bag of tricks includes exploiting unpatched vulnerabilities, particularly on Exchange, and printing ransom notes on all your printers hourly. Ingest the provided IOCs and scan for signs of activity. Also review the mitigations; beyond patching, MFA, and segmentation, consider marking external email and either disabling hyperlinks or adding a hyperlink-rewriting security capability.
Read more in
- Indicators of Compromise Associated with BlackByte Ransomware (PDF)
- FBI, US Secret Service Issue Mitigations for BlackByte Ransomware