FBI and USSS Release Advisory on BlackByte Ransomware

The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware.

BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers.

The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur.

Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows. Process injection has been observed on processes it creates.