BlackByte is back and acts a lot like LockBit

Like many ransomware strains, BlackByte reemerged after a brief hiatus and, in its second iteration, has already taken to hacker forums to push a new Tor data leak site that exploits some familiar techniques from LockBit 3.0.

The site offers “good deals” for victims (currently, there is only one victim on the site): organizations can pay $5,000 to extend the deadline for publishing stolen data by 24 hours. There are also more expensive options to destroy the data ($300,000) or download it for $200,000.

“It’s a competitive market for ransomware groups. LockBit is one of the most prolific and active ransomware groups in the world. It’s no surprise that BlackByte is pulling a page out of LockBit’s book by not only announcing version two of its ransomware operation, but also adopting the payment extortion model to delay, download or destroy,” said Nicole Hoffman, cyber threat intelligence analyst at Digital Shadows. “It’s realistic that BlackByte is trying to gain a competitive advantage or even trying to gain media attention in an effort to recruit and grow its operations.”

While “the double extortion model is by no means broken, this new model can be a way for groups to introduce multiple revenue streams,” she said. “It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted.”

Those tempted by the offers of BlackByte 2.0, as its operators call the new operation, may be frustrated, though, and the gang itself won’t see the fruits of its work: to date, it has failed to correctly embed its Bitcoin and Monero payment addresses on the site, so “customers” cannot actually take advantage of these options.

“The first rule of a ransomware gang is: if you want to receive a ransom, provide your wallet,” security firm KELA tweeted. “Doesn’t look like the new #BlackByte will receive payments…”

“The pay-to-delay data publication model is an interesting business innovation. This allows for smaller payments to be collected from victims who are almost certain they will not pay the ransom, but wish to protect themselves for a day or two while they investigate the extent of the breach,” said Vectra’s technical director, Oliver Tavakoli.

But “customers” should beware of these “offers”, even if the payment process is fixed. “I don’t believe for a minute that this group will delete data and provide it to another criminal group if they are paid enough,” said John Bambenek, principal threat hunter at Netenrich. “It may attract those who play in the darker corners of corporate espionage, but they’re floating a trial balloon and we’ll see what bites.”

Noting that “ransomware actors have played with a variety of models to maximize their revenue,” Bambenek said, “It almost feels like an experiment to see if they can get smaller amounts of money.”

Moreover, he wondered why anyone would pay them anything unless it was to destroy all the data; however, he pointed out, “attackers, like in any industry, are experimenting with business models all the time.”

The ransomware gang has built a solid reputation since emerging in 2021, using the ProxyShell attack chain to breach Microsoft Exchange servers after a high-profile attack on the San Francisco 49ers. The ransomware has made its way onto the radar of the FBI and the Secret Service, which warned of critical infrastructure attacks earlier this year.

“As of November 2021, BlackByte ransomware compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government, financial, and agribusiness facilities),” they wrote in a joint advisory.

This isn’t the first time BlackByte has been undermined by a flaw in its own operation either. A 2021 vulnerability in the ransomware allowed victims to create a decryptor, but the operators have since patched it.

“BlackByte made a few mistakes, such as their error accepting payments on the new site, which makes me think they may be a little less competent than others,” Bambenek said. “But open source reports indicate that they are still compromising big targets, including critical infrastructure ones. The day will come when a major infrastructure provider will be taken down via ransomware that will create more than just a supply chain problem, as we have seen with Colonial Pipeline.”

The re-emergence of the group and its modus operandi are indicative of the direction ransomware is taking as a business. “It’s a landscape filled with different brands and fleeting alliances. We should think of BlackByte less as an individual static player and more as a brand that can be added to a new marketing campaign at any time,” Tavakoli said.

“Ransomware extortion campaigns have become increasingly creative and damaging. I wouldn’t be surprised if later this year cybercriminals start offering credit services to victims, so they can pay a ransom in several installments, somewhat usurping the role of banks in cyberspace,” said Ilia Kolochenko, founder of ImmuniWeb and member of Europol’s Data Protection Expert Network.

Kolochenko questioned the conventional wisdom that advises victims not to pay. “Despite the fact that many law enforcement agencies publicly recommend against paying the ransom, in a limited set of circumstances this may be the least expensive way to minimize the damage from a data breach, subject to rigorous analysis and considerations,” he said.

But victims must not pay willy-nilly. “First, an outside law firm should carefully assess the legality of the payment, for example, so as not to violate US sanctions when paying in cryptocurrencies, as OFAC expressly warned,” Kolochenko said. “Secondly, victims should always bear in mind that payment cannot and does not guarantee that data will be securely deleted or returned: copies or backups may already have been shared with third parties without the victim’s knowledge.”

Finally, he noted, “replica attacks are a relatively new phenomenon to consider: once a wealthy victim pays a ransom, other smaller threat actors immediately try to break in while the vulnerabilities are not yet patched; they are motivated by the victim’s willingness to pay. In sum, paying a ransom is a slippery slope that requires careful consideration by legal and technical professionals.”
