BlackByte Ransomware Group adds new ‘feature’ to data leak site with tiered payment options

The BlackByte ransomware gang’s ‘2.0’ reboot of their data leak site introduces a new ‘feature’ for its victims: a tiered payment system that allows smaller payments to delay the release of sensitive data, or simply download and retrieve them before you have them. made available to the public.

The group had briefly disappeared over the summer after being one of the largest and most active ransomware gangs in early 2022. Among other targets, the group’s data leak site contained files of critical infrastructure companies in several countries, as well as the NFL’s San. Francisco 49ers, and he is known for his specific targeting of large organizations believed to have the ability to pay proportionately large ransom demands.

BlackByte Ransomware Return Comes With ‘Payment Features’ For Victims

The BlackByte ransomware gang has been operational since at least July 2021. While the group has historically been prolific and has shown a propensity for targeting big fish, it was initially not taken very seriously by security analysts in due to seemingly amateurish encryption techniques. In October 2021, security firm Trustwave discovered that the group was using the same key to encrypt all of its victims’ files and made it public.

However, the group quickly stepped up their game, improving their technique and increasing their attack volume by 300% in the last quarter of 2021. BlackByte ransomware has become enough of an international problem to merit joint FBI and law enforcement notification secrets about it published in February. of this year. The group uses the increasingly standard “double extortion” approach of encrypting victims’ files and threatening to dump them for public viewing on its data leak site, but Palo Alto Networks and other security companies report finding an underground Tor auction site where some of this data was stolen. the data is sold to private bidders.

The BlackByte ransomware group primarily targets businesses in Europe and the United States, and it isn’t afraid to go after healthcare and critical infrastructure companies. The group is believed to be based in Russia, as its malware will not deploy on systems with Eastern European language settings, a common feature of criminal groups operating in this part of the world. It is also known to attack specific vulnerabilities: unpatched Microsoft Exchange server flaws and a known vulnerable version of SonicWall VPN.

The “2.0” rebranding comes after BlackByte ransomware appeared to be slowing down for the summer. It picks up a page from category leader LockBit’s recent pivot, which also included the addition of a new “feature” (bounties) as an apparent marketing tactic. There is no indication yet that the ransomware has been modified or improved, but the data leak site is new and redesigned.

According to Harrison Van Riper, senior intelligence analyst at red canary, the group’s approach and tactics are expected to remain the same: “Red Canary first observed BlackByte in the wild in 2021, exploiting ProxyShell vulnerabilities for initial access and then dropping Cobalt Strike beacons. Despite BlackByte’s new website and payment options for allegedly stolen data, the operation’s extortion tactics remain the same, relying on a public website to identify alleged victims and threatening to leak information stolen if victims do not pay ransom in cryptocurrency… We have not seen an instance of this new version of BlackByte ransomware, although we will certainly be tracking the operation as we have done in the past.

Data leak site lets victims choose payment amounts

Security researchers noted that the new data leak site failed to properly integrate payment addresses, which prevented victims from making payments. But at the moment, the BlackByte ransomware group seems to have only one victim on the hook, judging by the list of entities it is currently threatening.

Presumably, the gang will fix the payment site, and when they do, victims will have the option of paying the full ransom demand to have their stolen data destroyed, or a lesser amount to mitigate the damage of the attack to a lesser extent. Victims can pay smaller sums to simply turn off the data wipe for 24 hours or to recover stolen data that they may not have backed up. The gang is likely to vary the amounts requested given their initial request, but the current victim is considering an asking price of $300,000 for the destruction of his data versus $200,000 to access it and $5,000 to extend the clock another day.

While some victims may choose to extend the deadline as they involve law enforcement or take stock of what has been lost, these choices do not seem to be aimed so much at increasing profits as increasing free media coverage. . Like most major ransomware operators, the BlackByte ransomware uses a “RaaS” model in which the infrastructure can be rented by partners. They are therefore in competition with other players such as LockBit, and need to do some publicity to stay ahead of potential criminal associates. The group promoted the new “feature” of its data leak site on Twitter with a variety of handles.

Claire Tills, senior research engineer at Defensible, notes that this is a trend of “one-upmanship” with these ransomware operations that has gradually manifested itself since RaaS began as a concept several years ago: “We often see actors threat to borrow tactics from each other. Most notably, the revival of double extortion launched by Maze in 2019. These extortion tactics have continued to grow as threat groups try to find new ways to generate revenue from alternative sources and incite the victims to pay. While members often hop from group to group, it’s just as likely that BlackByte’s operators saw the LockBit 3.0 cover and jumped on the bandwagon.

BlackByte’s #ransomware gang reboot of their #dataleak site sports a new tiered payment system that allows smaller payments to delay the release of sensitive data, or simply download and retrieve it. #cybersecurity #respectdataClick to tweet

John Bambenek, Senior Threat Hunter at Netenrich, adds that based on BlackByte’s operating history, no one should expect them to keep their word after a payment has been made through this data leak site: “I don’t believe for a minute that this group will delete data and not provide to another criminal group if they are paid enough.This may attract those who play in the darker corners of corporate espionage, but they are floating a trial balloon and we’ll see what bites… BlackByte made a few mistakes, like their mistake accepting payments on the new site, which makes me deduce they may be a bit weaker on skill than others. open source say they are still compromising big targets, including critical infrastructure ones.The day will come when a major infrastructure provider will be taken down via ransomware that will create more than just a supply chain problem. t that we saw with Colonial Pipeline.