February 22, 2022

CISA Advisory – BlackByte Ransomware

Industry: Financial, Food and Government | Level: Tactical | Source: IC3

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on the BlackByte Ransomware-as-a-Service (RaaS) group. The group's activity since November 2021 has been disruptive and highly impactful: “BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).” The group uses a range of techniques, including web shells, scheduled tasks, registry key modification, and tampering with Windows Defender, volume shadow copies, and other services.

  • Anvilogic Scenario: BlackByte Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Create/Modify Schtasks
    • Encoded Powershell Command
    • Registry key added with reg.exe
    • Service Stop Commands
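The four command-line use cases above, as an added illustration that is not Anvilogic's or CISA's detection logic: each rule is a regex over a process-creation command line, constructed sample events stand in for endpoint telemetry, and a host is flagged for the "BlackByte Behaviors" scenario when it trips at least two distinct use cases (the threshold is an assumption). The Potential Web Shell use case is omitted because it needs web-server rather than process telemetry.

```python
"""Command-line detection rules for the advisory's use-case list (added example)."""
import re

# (use-case name, pattern applied to the lower-cased command line)
RULES = [
    ("Create/Modify Schtasks",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/(create|change)\b")),
    ("Encoded Powershell Command",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b")),
    ("Registry key added with reg.exe",
     re.compile(r"\breg(\.exe)?\s+add\b")),
    ("Service Stop Commands",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\b|\bstop-service\b")),
]

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr C:\\Users\\Public\\u.exe'},
    {"host": "ws01", "cmd": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"host": "srv02", "cmd": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "srv02", "cmd": "net stop MSSQLSERVER"},
    {"host": "srv02", "cmd": "sc stop WinDefend"},
    {"host": "ws03", "cmd": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},  # benign
    {"host": "ws03", "cmd": "schtasks /query /tn Updater"},  # benign query, not create/change
]


def match_rules(cmdline):
    """Return the names of every use case whose pattern matches this command line."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(events):
    """Evaluate every event; yield (host, use-case, command line) for each hit."""
    return [(ev["host"], name, ev["cmd"]) for ev in events for name in match_rules(ev["cmd"])]


def scenario_hosts(hits, min_distinct=2):
    """Hosts that tripped at least min_distinct different use cases (the scenario layer)."""
    per_host = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_distinct)


if __name__ == "__main__":
    for host, name, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {name}: {cmd}")
    print("scenario hosts:", scenario_hosts(scan(SAMPLE_EVENTS)))
```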