The data used in this section represent the count of unique machines where BlackByte-related activity had been detected. Based on our telemetry data, BlackByte showed a fairly consistent level of activity from October 2021 to March 2022. However, May 2022 detections showed a drastic uptick in number.
Figure 1. BlackByte monthly unique detections (October 1, 2021 to May 31, 2022)
Source: Trend Micro™ Smart Protection Network™
Based on our telemetry data from April 30, 2021 to May 31, 2022, we detected BlackByte activity all over the globe. However, after the spike in activity in May, Peru outstripped other countries in detection. This is consistent with the reported escalation of ransomware attacks in Latin America, where BlackByte was also reportedly among those that targeted the region.
Figure 2. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)
Source: Trend Micro Smart Protection Network
Up to the end of April 2022, the technology sector saw the most BlackByte detections, however, in May, detections in the government sector also shot up.
Figure 3. Countries with the highest number of attack attempts for the BlackByte ransomware (April 30, 2021 to May 30, 2022)
Source: Trend Micro Smart Protection Network
One way to interpret these observations is that the drastic increase stemmed from a single attack that affected several machines. Aside from the reports on ransomware groups targeting Latin America, this explanation is also based on the report that, by their own claim, BlackByte operators had compromised a Peruvian government entity around the time of the increased activity.
In addition to these detections, we delved into BlackByte’s leak site to see the number of attacks recorded there. We looked at data from August 1, 2021 to May 31, 2022. Based on what we found in the site, BlackByte’s victims were composed mostly of small size businesses. The activity peaked in November 2021.
Overall, the leak site has yet to reflect the focused attack on Latin American governments. The distribution of their attacks per region showed, instead, a proclivity for targeting entities based in North America and Europe.
Figure 4. Regional distribution of BlackByte victims according to the group’s leak site (August 1, 2021 to May 31, 2022)
Based on the leak site data alone, BlackByte operators and their affiliates have yet to show a marked interest in any one sector. We found a relatively even distribution of attacks across industries, which included the following:
Figure 5. Top ransomware groups with the greatest number of listed victims in their respective leak sites (January 1, 2022 to May 31, 2022)
The data seems to show that BlackByte's operation is beginning to build a name for itself in the threat landscape while still building momentum. The following section shows how it works and how it conducts its attacks.
Figure 7. Sample ransom note
|Initial Access||Persistence||Privilege Escalation||Defense Evasion||Discovery||Lateral Movement||Collection||Exfiltration||Command and Control||Impact|
T1190 - Exploit Public-Facing Application
T1053.005 - Scheduled Task/Job: Scheduled Task
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1222 - File and Directory Permissions ModificationIt uses mountvol.exe to mount volume names and icacls.exe to modify the access on the volume to "Everyone."
T1562.001 - Impair Defenses: Disable or Modify Tools
T1083 - File and Directory Discovery
T1069.002 - Permission Groups Discovery: Domain Groups
T1570 - Lateral Tool Transfer
T1560.001 - Archive Collected Data: Archive via Utility
T1567 - Exfiltration Over Web Service
T1071.001 - Application Layer Protocol: Web Protocols
T1486 - Data Encrypted for Impact
T1489 - Service Stop
Security teams can watch for the presence of the following malware tools and exploits that are typically used in BlackByte attacks:
|Initial Access||Execution||Discovery||Lateral Movement||Collection||Exfiltration|
Exfiltrates to the following C&C
Organizations face both established ransomware families as well as newer variants that are just entering the fray. Like many newer ransomware families, BlackByte is readying itself to take the spot of any big-game ransomware operation in decline. However, underneath it all could be a more intricate scheme of threat groups dispersing under new monikers.
As with the case of BlackByte, knowing its notable tactics, while also staying knowledgeable of bigger trends can help organizations create an effective strategy for ransomware attacks. In the case of BlackByte, prevention is key by keeping employees wary of phishing tactics and keeping up with security patches such as those for ProxyShell vulnerabilities.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.