The BlackByte ransomware group [1] [2] [3] [4] [5] [6] [7] [8], a splinter group of Conti [4], has recently updated their tactics to target core infrastructure and evade detection.

Description

The BlackByte ransomware group has updated its encryptor to append a new file extension, ‘blackbytent_h’, to encrypted files, and has refined its Bring Your Own Vulnerable Driver (BYOVD) technique [4]. The group is exploiting an authentication bypass vulnerability in VMware ESXi (CVE-2024-37085) to gain administrator privileges and encrypt multiple virtual machines simultaneously. BlackByte is now targeting businesses in the manufacturing, construction and transportation sectors [4], using victims’ own authorized remote access mechanisms and valid VPN credentials to blend in and evade detection [4], and using SMB, RDP and NTLM hashes for lateral movement within compromised networks [4].

Other ransomware strains, including Brain Cipher and RansomHub, have also been tracked [5], with possible connections to other ransomware groups [5]. RansomHub has targeted the healthcare, finance and government sectors [5], using compromised domain accounts and public VPNs for initial access [5].

Talos IR assesses that BlackByte is more active than its data leak site suggests [3]: only a fraction of successful attacks result in extortion posts [3]. Cisco researchers have published updated recommendations and indicators of compromise to help defenders protect against these evolving threats [4].
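As an added illustration (not code from the cited reports), the snippet below shows one way defenders can turn the new ‘blackbytent_h’ extension into a detection: it reads file-system event lines and alerts on a host when several files gain that extension within a short window, which is the burst pattern mass encryption produces. The log format, host names and thresholds are assumptions; the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension appended by BlackByte's updated encryptor (from the reports above).
BLACKBYTE_EXT = ".blackbytent_h"


def parse_event(line):
    """Constructed log format: '<ISO timestamp> <host> <action> <path>'."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def detect_blackbyte_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return one alert (host, first_ts, count) per host where at least
    `threshold` files gained the BlackByte extension within `window`.
    A single stray match does not alert; a burst does."""
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    alerts, alerted = [], set()
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action not in ("CREATE", "RENAME"):
            continue
        if not path.lower().endswith(BLACKBYTE_EXT):
            continue
        q = recent[host]
        q.append(ts)
        # Drop matches that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerts.append((host, q[0], len(q)))
            alerted.add(host)
    return alerts


# Constructed sample events: fs01 shows a burst, fs02 a lone rename.
SAMPLE_EVENTS = [
    "2024-08-28T10:00:01 fs01 CREATE /data/finance/q2.xlsx",
    "2024-08-28T10:00:05 fs01 RENAME /data/finance/q2.xlsx.blackbytent_h",
    "2024-08-28T10:00:06 fs01 RENAME /data/finance/q3.xlsx.blackbytent_h",
    "2024-08-28T10:00:08 fs01 RENAME /data/hr/payroll.docx.blackbytent_h",
    "2024-08-28T10:05:00 fs02 RENAME /shares/old/archive.zip.blackbytent_h",
    "2024-08-28T10:30:00 fs01 RENAME /data/hr/notes.txt.blackbytent_h",
]

if __name__ == "__main__":
    for host, first_ts, count in detect_blackbyte_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {count} files encrypted since {first_ts}")
```

In production the same logic would be fed from EDR or file-server audit events; pairing it with the VPN and RDP/SMB logon telemetry the reports describe helps catch the intrusion before the encryption burst.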

Conclusion

Organizations are advised to promptly patch their VMware ESXi systems and implement strong access controls and monitoring to mitigate the impact of these attacks [7]. The true number of affected organizations is likely higher than reported [4], and the sophistication and adaptability of ransomware groups continue to pose significant threats to cybersecurity.

References

[1] https://www.darkreading.com/cyberattacks-data-breaches/blackbyte-targets-esxi-bug-with-ransomeware-to-access-virtual-assets
[2] https://www.scmagazine.com/news/blackbyte-ransomware-group-targets-vmware-esxi-bug
[3] https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/
[4] https://cybermaterial.com/blackbyte-unveils-new-encryptor-and-ttps/
[5] https://thehackernews.com/2024/08/blackbyte-ransomware-exploits-vmware.html
[6] https://zephyrnet.com/blackbyte-targets-esxi-bug-with-ransomware-to-access-virtual-assets/
[7] https://thecyberwire.com/podcasts/daily-podcast/2139/transcript
[8] https://www.hackread.com/blackbyte-ransomware-vmware-flaw-vpn-based-attacks/