Figure 7. Sample ransom note
MITRE ATT&CK tactics and techniques observed in BlackByte attacks:

Initial Access: T1190 - Exploit Public-Facing Application
Persistence: T1053.005 - Scheduled Task/Job: Scheduled Task
Privilege Escalation: T1134 - Access Token Manipulation
Defense Evasion: T1140 - Deobfuscate/Decode Files or Information; T1222 - File and Directory Permissions Modification (it uses mountvol.exe to mount volume names and icacls.exe to modify the access on the volume to "Everyone"); T1562.001 - Impair Defenses: Disable or Modify Tools
Discovery: T1083 - File and Directory Discovery; T1069.002 - Permission Groups Discovery: Domain Groups
Lateral Movement: T1570 - Lateral Tool Transfer
Collection: T1560.001 - Archive Collected Data: Archive via Utility
Exfiltration: T1567 - Exfiltration Over Web Service
Command and Control: T1071.001 - Application Layer Protocol: Web Protocols
Impact: T1486 - Data Encrypted for Impact; T1489 - Service Stop
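The T1222 entry above (mountvol.exe to mount a volume, then icacls.exe to open it up to "Everyone") is a chain that is cheap to hunt for in process-creation telemetry. The detector below is an added example, not code from the original post or from Trend Micro; the event records it consumes (host, ts, image, cmdline) are a constructed, simplified schema rather than a real Sysmon or EDR format, and the 10-minute pairing window and the severity labels are assumptions chosen for illustration. It rates an icacls grant to Everyone as high when the same host ran mountvol.exe shortly before, and as medium on its own, since broad Everyone grants on a volume root are rare in normal administration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (assumed, simplified schema; not
# real Sysmon/EDR records). WS01 shows the mountvol.exe -> icacls.exe chain from
# the TTP table, WS02 a benign, unrelated icacls use, and WS03 an Everyone grant
# with no preceding mountvol.exe.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2022-02-01T10:00:00",
     "image": r"C:\Windows\System32\mountvol.exe",
     "cmdline": "mountvol.exe X: \\\\?\\Volume{1a2b3c4d-0000-0000-0000-100000000000}\\"},
    {"host": "WS01", "ts": "2022-02-01T10:00:05",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe X:\ /grant Everyone:(OI)(CI)F /T /C /Q"},
    {"host": "WS02", "ts": "2022-02-01T11:00:00",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls.exe C:\Shares\Team /grant "CORP\Team":(OI)(CI)M'},
    {"host": "WS03", "ts": "2022-02-01T12:00:00",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe D:\ /grant Everyone:F"},
]

# icacls grant syntax is "/grant[:r] <principal>:<perms>"; the Everyone
# principal may also be written by SID as *S-1-1-0.
EVERYONE_GRANT = re.compile(r'/grant(?::r)?\s+"?(?:Everyone|\*S-1-1-0)"?:',
                            re.IGNORECASE)


def image_name(path):
    """Return the lower-cased executable name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_everyone_grant(cmdline):
    """True if an icacls command line grants rights to the Everyone principal."""
    return EVERYONE_GRANT.search(cmdline) is not None


def detect(events, window=timedelta(minutes=10)):
    """Return findings for icacls grants to Everyone.

    Severity is "high" when the same host executed mountvol.exe within
    `window` before the grant (the T1222 chain), otherwise "medium".
    Findings are returned ordered by timestamp.
    """
    mountvol_times = {}  # host -> timestamps of mountvol.exe executions
    findings = []
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        name = image_name(ev["image"])
        ts = datetime.fromisoformat(ev["ts"])
        if name == "mountvol.exe":
            mountvol_times.setdefault(ev["host"], []).append(ts)
            continue
        if name != "icacls.exe" or not is_everyone_grant(ev["cmdline"]):
            continue
        preceded = any(timedelta(0) <= ts - t <= window
                       for t in mountvol_times.get(ev["host"], []))
        findings.append({
            "host": ev["host"],
            "ts": ev["ts"],
            "severity": "high" if preceded else "medium",
            "reason": ("icacls.exe granted Everyone within %s of mountvol.exe "
                       "(T1222 chain)" % window) if preceded else
                      "icacls.exe granted Everyone with no preceding mountvol.exe",
            "cmdline": ev["cmdline"],
        })
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["ts"], f["reason"])
```

Running the script on the constructed events reports WS01 as high and WS03 as medium and stays silent on WS02. In a real deployment the matching would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command lines, and the pairing window should be tuned to how quickly the operator's scripts run on the hosts you observe.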
Security teams can watch for the presence of the following malware tools and exploits that are typically used in BlackByte attacks:
(The table is organized by tactic: Initial Access, Execution, Discovery, Lateral Movement, Collection, and Exfiltration. Of its entries, only the note "Exfiltrates to the following C&C" survives here.)
Organizations face both established ransomware families and newer variants that are just entering the fray. Like many newer ransomware families, BlackByte is positioning itself to take the place of any big-game ransomware operation in decline. Underneath it all, however, could be a more intricate scheme of threat groups dispersing under new monikers.
In the case of BlackByte, knowing its notable tactics while staying aware of the bigger trends can help organizations build an effective strategy against ransomware attacks. Prevention is key: keep employees wary of phishing tactics, and keep up with security patches, such as those for the ProxyShell vulnerabilities that BlackByte uses for initial access.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.