logo
DATABASE RESOURCES PRICING ABOUT US

Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware

Description

![trellix intelligence](https://www.trellix.com/en-us/img/newsroom/stories/trellix-intelligence.jpeg) # Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware By Taylor Mullins · February 28, 2022 BlackByte Ransomware has been in the news of late due to a successful attack against a National Football League (NFL) Franchise and a Joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) warning on breaches to the networks of at least three organizations from US critical infrastructure sectors in the last three months. BlackByte Ransomware is currently being offered to threat actors as a Ransomware-as-a-Service (RaaS) and makes use of PowerShell and Windows CLI commands to carry out various tasks such as network discovery, task scheduling and to create and disable Windows and security services. BlackByte Ransomware makes files inaccessible by encrypting them and generates a ransom note (the "BlackByte_restoremyfiles.hta" file) that contains instructions on how to contact the attackers for data decryption and other details. Also, BlackByte appends the ".blackbyte" extension to the names of encrypted files. BlackByte does have worming capabilities and can infect additional endpoints on the same network. ![Figure 1. MITRE ATT&CK Framework for BlackByte Ransomware](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware1.jpg) **Figure 1. MITRE ATT&CK Framework for BlackByte Ransomware** ## Recommended Steps to Prevent Initial Access The Joint Cybersecurity Advisory provides several recommendations to secure your environment against BlackByte that were gathered from their analysis of malware samples discovered in the wild. * BlackByte operators have been observed exploiting the following CVEs to gain initial access, patching is recommended to prevent exploitation. * [CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>) \- Microsoft Exchange Server Remote Code Execution Vulnerability * [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) \- Microsoft Exchange Server Elevation of Privilege Vulnerability * [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>) \- Microsoft Exchange Server Security Feature Bypass Vulnerability * Blocking IP Addresses known to download additional payloads in BlackByte attacks prior to encryption: **185.93.6.31** and **45.9.148.114.** * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity. * After gaining access to the service accounts some adversaries have utilized AnyDesk for lateral movement, monitoring for AnyDesk activity can be an early indicator of compromise if AnyDesk is not utilized or allowed by your organization. * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts. * Disable hyperlinks in received emails. [Joint Cybersecurity Advisory: Indicators of Compromise Associated with BlackByte Ransomware](<https://www.ic3.gov/Media/News/2022/220211.pdf>) ## Trellix Protections and Global Detections Trellix Global Threat Intelligence is currently detecting all known analyzed indicators for this campaign. ![Figure 2. Trellix Products detecting this threat globally. Source: MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware2.jpg) **Figure 2. Trellix Products detecting this threat globally. Source: MVISION Insights** ## Blocking BlackByte Attacks with Endpoint Security Trellix ENS is currently detecting BlackByte Indicators of Compromise (IOCs) from the standpoint of signature detections and the malware behavior associated with BlackByte Ransomware attacks. The following Exploit Prevention Rule in ENS has shown success in stopping BlackByte samples due to BlackByte being Script-based. Trellix always recommends testing in Report Only Mode before blocking to confirm no false positives are being detected by this signature rule. ### Exploit Prevention Signature ID 6207: ASR : File Download attempt by Scripts ![Figure 3. Exploit Prevention Rule in ePolicy Orchestrator/MVISION ePO](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware3.jpg) **Figure 3. Exploit Prevention Rule in ePolicy Orchestrator/MVISION ePO** ![Figure 4. MVISION EDR noting where Endpoint Protection \(ENS\) could have stopped specific techniques](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware4.jpg) **Figure 4. MVISION EDR noting where Endpoint Protection (ENS) could have stopped specific techniques** ![Figure 5. Ransomware Detection Name and Observed Detections noted in MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware5.jpg) **Figure 5. Ransomware Detection Name and Observed Detections noted in MVISION Insights** ## BlackByte Threat Intelligence from the Trellix Advanced Threat Research Team and MVISION Insights MVISION Insights will provide the current threat intelligence and known indicators for BlackByte Ransomware. MVISION Insights will alert to detections and Process Traces that have been observed and systems that require additional attention to prevent widespread infection. MVISION Insights will also include Hunting Rules for threat hunting and further intelligence gathering of the threat activity and adversary. ### MVISION Insights Campaign Names: Cybersecurity Advisory - BlackByte Ransomware and JavaScript Malware Threat Landscape ![Figure 6. Campaign Details, Analyzed Indicators of Compromise, and Detections](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware6.jpg) **Figure 6. Campaign Details, Analyzed Indicators of Compromise, and Detections** ![Figure 7. Hunting Rules for BlackByte Ransomware in MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware7.jpg) **Figure 7. Hunting Rules for BlackByte Ransomware in MVISION Insights** ## Detecting Malicious Activity with MVISION EDR MVISION EDR is currently monitoring for the activity associated with BlackByte Ransomware and will note the MITRE techniques and any suspicious indicators related to the adversarial activity. Several of the techniques outlined in the Joint Advisory that are observed with BlackByte are noted below, monitoring for this type of activity can point to activity associated with the Tactics, techniques, and procedures (TTPs) for BlackByte. ![Figure 8. Network Connection to Known Malicious IP Address Associated with BlackByte](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware8.jpg) **Figure 8. Network Connection to Known Malicious IP Address Associated with BlackByte** ![Figure 9. Enabling of remote registry for possible preparation of Lateral Movement](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware9.jpg) **Figure 9. Enabling of remote registry for possible preparation of Lateral Movement** ![Figure 10. Deletion of Shadow Copy to inhibit system recovery](https://www.trellix.com/en-us/img/newsroom/stories/analysis-protections-blackbyte-ransomware10.jpg) **Figure 10. Deletion of Shadow Copy to inhibit system recovery** Trellix offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats, please reach out if you would like to schedule a workshop with your organization.


Related