
BlackByte 2.0 Ransomware

TLP

TLP CLEAR

Authors

Jordi M. Lobo

Summary

BlackByte 2.0 ransomware abuses a vulnerable Windows driver to disable security solutions. BlackByte, believed to be an offshoot of the now-discontinued Conti group, is one of the big-game-hunting cybercrime crews: it targets large, high-profile organisations as part of its ransomware-as-a-service (RaaS) scheme.

Forensic analysis showed that the threat actor gained initial access by exploiting the ProxyShell vulnerabilities on unpatched Microsoft Exchange servers, obtained system-level privileges and dropped web shells for remote control. A backdoor was then installed to collect system information and communicate with a command-and-control (C2) channel; Cobalt Strike Beacon provided persistence and AnyDesk was used for remote access. Reconnaissance consisted of network enumeration and Active Directory discovery, followed by credential theft with Mimikatz. The actor moved laterally over RDP and PowerShell remoting, staged and exfiltrated data with a custom tool called ExByte, and finally encrypted and destroyed data with the BlackByte ransomware. Recommended mitigations are patch management (Exchange in particular), endpoint detection and response, and controls that prevent unauthorized system changes such as the loading of an unexpected driver.
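The intrusion chain above (Exchange web shell, AnyDesk, Mimikatz, PowerShell remoting) and the vulnerable-driver abuse mentioned in the opening paragraph each leave a recognisable trace in endpoint telemetry. The following script is an added example, not part of the original post or of any vendor's detection content: it runs a small set of Sysmon-style rules over constructed sample events. The event field names follow Sysmon conventions (EventID 1 process creation, EventID 6 driver load), the sample paths and command lines are made up for illustration, and the "driver loaded from outside System32\drivers" rule is a heuristic of this example rather than an indicator taken from the report.

```python
"""Detection rules for the BlackByte 2.0 intrusion chain, run over
constructed Sysmon-style events. Added example; not from the original post."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). Six events model the chain
# described in the summary, two are benign controls that must not fire.
SAMPLE_EVENTS: List[Event] = [
    # IIS worker (Exchange) spawning a shell: typical ProxyShell web-shell child
    {"EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "powershell -enc SQBFAFgA..."},
    # AnyDesk installed as a service for remote access
    {"EventID": "1", "Image": "C:\\Users\\svc\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "AnyDesk.exe --service"},
    # Renamed Mimikatz binary; the module names in the command line give it away
    {"EventID": "1", "Image": "C:\\Temp\\m.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    # Command run through PowerShell remoting (WinRM host process as parent)
    {"EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": 'cmd.exe /c net group "Domain Admins" /domain'},
    # Driver loaded from a user-writable path (bring-your-own-vulnerable-driver)
    {"EventID": "6", "ImageLoaded": "C:\\Users\\svc\\AppData\\Local\\Temp\\drv.sys",
     "Signature": "Example Corp"},
    # Benign controls
    {"EventID": "1", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": "6", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\a\\B.exe' -> 'b.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # MITRE ATT&CK technique id
    match: Callable[[Event], bool]


RULES: List[Rule] = [
    Rule("Exchange web shell child process", "T1505.003",
         lambda e: e["EventID"] == "1"
         and _base(e["ParentImage"]) == "w3wp.exe"
         and _base(e["Image"]) in {"cmd.exe", "powershell.exe", "pwsh.exe"}),
    Rule("AnyDesk remote access tool", "T1219",
         lambda e: e["EventID"] == "1" and _base(e["Image"]) == "anydesk.exe"),
    Rule("Mimikatz credential dumping", "T1003.001",
         lambda e: e["EventID"] == "1" and any(
             m in e["CommandLine"].lower()
             for m in ("sekurlsa::", "lsadump::", "mimikatz"))),
    Rule("PowerShell remoting child process", "T1021.006",
         lambda e: e["EventID"] == "1"
         and _base(e["ParentImage"]) == "wsmprovhost.exe"),
    # Heuristic of this example: kernel drivers normally live under
    # System32\drivers; a load from anywhere else deserves a look.
    Rule("Driver loaded from non-standard path", "T1068",
         lambda e: e["EventID"] == "6" and not e["ImageLoaded"].lower()
         .startswith("c:\\windows\\system32\\drivers\\")),
]


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; one finding per (rule, event) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                evidence = ev.get("CommandLine") or ev.get("ImageLoaded", "")
                findings.append({"rule": rule.name, "technique": rule.technique,
                                 "evidence": evidence})
    return findings


def matched_rules(events: List[Event]) -> Set[str]:
    """Distinct rule names that fired: a quick view of which chain stages were seen."""
    return {f["rule"] for f in detect(events)}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['evidence']}")
```

In a real deployment the same predicates map directly onto Sysmon or EDR queries; the point of the example is that each stage of the reported chain is cheap to detect on its own, and seeing several of them on one host within a short window is a strong signal that the rest of the chain is underway.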

CATEGORY

Ransomware
