Unify Security Operations
Go Back

Unify Security operations

Reduce Alert Noise and False Positives

Automate Security Operations

Dark Web Monitoring

Maximize Existing Security Investments

Beyond MDR

Secure Multi-Cloud Environments

Secure Mergers and Acquisitions

Secure Operational Technology

Eliminate Mundane SecOps Tasks

Unify Your Security Operations

Whether you’re starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Why ReliaQuest
Go Back

The ReliaQuest GreyMatter Platform

Detection Investigation Response

Threat Hunting

Threat Intelligence

Model Index

Automated Response Playbooks

Breach and Attack Simulation

Digital Risk Protection

Phishing Analyzer

Technology Partners

AI Agent for SecOps

Why ReliaQuest?

Whether you’re starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore the GreyMatter Platform
Learn
Go Back

Learn

Blog

Threat Research

Case Studies

Data Sheets

eBooks

Industry Guides

Research Reports

ShadowTalk Podcast

Solution Briefs

White Papers

Videos

Events & Webinars

ReliaQuest Resource Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

Leadership

No Show Dogs Podcast

Make It Possible in the Community

Careers

Press and Media Coverage

Become a Technology Partner

Contact Us

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Back to blog

Threat Advisory: Blackbyte Ransomware

admin reliaquest 13 February 2022

Blackbyte is a newly identified ransomware-as-a-Service operation configured to use ‘double-extortion’ techniques based on an available ‘leaks’ website. Early intrusions of Blackbyte re-used encryption keys, meaning that files encrypted prior to October 2021 may be recoverable [Source 1]. Initial access in Blackbyte intrusions is typical achieved through the exploitation of vulnerabilities in public-facing devices [Source 5]. Cobalt Strike beacon usage has also been observed in prior Blackbyte intrusions.

Severity: High
Updates: 2/13/2022

The FBI and The United States Secret Service published a joint advisory containing Indicators of Compromise (IoCs) related to Blackbyte Ransomware [Source 2]. Indicators of Compromise from this report have been added to the ReliaQuest Emergency Feed.

Detections:

IoCs have been identified for this threat and added to the ReliaQuest Emergency Feed. The MITRE techniques that apply to this threat are identified below. IoCs for the related threat of ‘Cobalt Strike’ are also regularly added to the ReliaQuest Emergency Feed.

Mitigations:

As of December 8th, 2021, Blackbyte uses the anonymous file upload sites of ‘anonymfiles[.]com’ and ‘file[.]io’ [Source 6]. It is recommended to block these sites on your firewall/proxy technologies in order to reduce the likelihood of data exfiltration.

The following are recommendations to mitigate the risk of ransomware, regardless of the variant:

Regularly monitor and audit external facing services and assets for accidental exposure and out-of-date services. Remove any accidental exposure and patch any out-of-date services, with priority on services that have known vulnerabilities. Threat Actors will frequently scan the internet for public-facing assets that have an exploitable vulnerability and gain initial access via this method.
Implement phishing training and deploy e-mail security technologies to mitigate the risk of malicious e-mail documents. Threat actor groups often conduct phishing campaigns with malicious documents in order to gain an initial foothold.
Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment in order to provide as much visibility as possible into exploit/threat activity. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility in order to be pushed to production.
Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.
Enforce complex passwords and Multi-Factor Authentication across all aspects of the environment (including third-party accounts).

Sources:
[1] https://github.com/SpiderLabs/BlackByteDecryptor
[2] https://www.ic3.gov/Media/News/2022/220211.pdf
[3] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
[4] https://www.linkedin.com/pulse/english-blackbyte-ransomware-misterious-dropper-encoder-fasolo/
[5] https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/
[6] https://redcanary.com/blog/blackbyte-ransomware/

MITRE Techniques:

Technique ID:

Technique Name:

T1003

OS Credential Dumping

T1016

System Network Configuration Discovery

T1018

Remote System Discovery

T1055

Process Injection

T1059.001

PowerShell

T1112

Modify Registry

T1190

Exploit Public-Facing Application

T1486

Data Encrypted for Impact

T1490

Inhibit System Recovery

T1560.001

Archive via Utility

T1562.001

Disable or Modify Tools

T1562.004

Disable or Modify System Firewall

T1567.002

Exfiltration to Cloud Storage

If you have any questions or would like to learn more about how to address this malware, please reach out to your ReliaQuest representative.