BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

Aug. 28, 2024, 2:35 p.m.

Description

The BlackByte ransomware group continues leveraging established tactics and vulnerable drivers to bypass security controls, while also incorporating newly disclosed vulnerabilities and using stolen credentials for propagation. A new iteration of their encryptor appends the 'blackbytent_h' extension to encrypted files, drops four vulnerable drivers, and employs Active Directory credentials for self-propagation. The group appears more active than its data leak site suggests, rapidly adapting its techniques.

Date

  • Created: Aug. 28, 2024, 2:04 p.m.
  • Published: Aug. 28, 2024, 2:04 p.m.
  • Modified: Aug. 28, 2024, 2:35 p.m.

Indicators

  • 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
  • 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
  • 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
  • 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91

Attack Patterns

  • ExByte
  • BlackByteNT
  • BlackByte
  • T1136.002
  • T1021.002
  • T1484
  • T1078.002
  • T1569.002
  • T1021.001
  • T1211
  • T1078.003
  • T1484.001
  • T1608
  • T1018
  • T1070.004
  • T1562.001
  • T1529
  • T1486
  • T1083
  • T1543
  • T1210
  • T1098
  • T1204
  • T1112

Additional Information

  • Technical Services
  • Professional Services
  • Manufacturing