BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks
Aug. 28, 2024, 2:35 p.m.
Description
The BlackByte ransomware group continues leveraging established tactics and vulnerable drivers to bypass security controls, while also incorporating newly disclosed vulnerabilities and using stolen credentials for propagation. A new iteration of their encryptor appends the 'blackbytent_h' extension to encrypted files, drops four vulnerable drivers, and employs Active Directory credentials for self-propagation. The group appears more active than its data leak site suggests, rapidly adapting its techniques.
Date
Published: Aug. 28, 2024, 2:04 p.m.
Created: Aug. 28, 2024, 2:04 p.m.
Modified: Aug. 28, 2024, 2:35 p.m.
Indicators
31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
Attack Patterns
ExByte
BlackByteNT
BlackByte
T1136.002
T1021.002
T1484
T1078.002
T1569.002
T1021.001
T1211
T1078.003
T1484.001
T1608
T1018
T1070.004
T1562.001
T1529
T1486
T1083
T1543
T1210
T1098
T1204
T1112
Additional Information
Technical Services
Professional Services
Manufacturing