May 24, 2022

Cisco Talos & BlackByte Ransomware Group

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos reports activity associated with the BlackByte ransomware group. The group has targeted victims worldwide, including North America, Colombia, the Netherlands, China, Mexico, and Vietnam. Initial access has typically come from exploiting vulnerable services such as Microsoft Exchange (ProxyShell) or SonicWall VPN. Cisco Talos documented an intrusion that took place in March 2022. The infection starts with a BAT script executing and installing AnyDesk. A few hours later, a new account is created for persistence; the attackers then lie dormant for a few more hours before tampering with system services, modifying the registry, and creating firewall rules to ultimately deploy the BlackByte ransomware. The entire intrusion takes 17 hours to reach encryption. Commonalities across BlackByte attacks include a preference for AnyDesk along with the use of living-off-the-land binaries (LoLBins).

Anvilogic Scenario:

  • Blackbyte: BAT Script & New Acct to Attacker Objectives

Anvilogic Use Cases:

  • Potential ProxyShell
  • Executable Create Script Process
  • Create/Add Local/Domain User
  • Service Stop Commands
  • Suspicious Executable by Powershell
  • Create/Modify Schtasks
  • Inhibit System Recovery Commands
  • Registry key added with reg.exe
  • Windows Firewall Rule Creation
  • Executable Process from Suspicious Folder
  • System Shutdown or Reboot
  • Remote Admin Tools
  • Windows Defender Disabled Detection
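The intrusion described above and the use-case list it maps to are the kind of multi-stage chain a scenario detection correlates per host over a time window. The following is an added example of that correlation logic, not Cisco Talos or Anvilogic code: it runs a handful of the listed use cases (script launch, remote admin tool, account creation, service stop, reg.exe add, firewall rule, shadow-copy deletion, shutdown) as simple predicates over a constructed set of Windows process and account events, then fires the scenario only when a script launch is followed by an account creation and at least one attacker-objective stage within a 24-hour window. The event schema, the regexes, the window and the sample events are all assumptions made for the example; production detections would key off Sysmon, 4688 and 4720 fields rather than regexes on a command line.

```python
"""Per-host correlation of BlackByte-style stages over constructed events.
Added example; event schema, predicates and sample data are assumptions."""
from datetime import datetime, timedelta
import re

# Assumed normalized event shape:
# {"ts": datetime, "host": str, "type": "process"|"user_created",
#  "image": str, "cmdline": str, "user": str}


def _cmd(e, pattern):
    """True when a process event's command line matches `pattern`."""
    return e["type"] == "process" and re.search(pattern, e["cmdline"], re.I) is not None


# Use-case names from the list above, each with an illustrative predicate.
STAGES = [
    ("Executable Create Script Process",
     lambda e: _cmd(e, r"\bcmd(\.exe)?\b.*\.bat\b")),
    ("Remote Admin Tools",
     lambda e: e["type"] == "process" and "anydesk" in e["image"].lower()),
    ("Create/Add Local/Domain User",
     lambda e: e["type"] == "user_created"
     or _cmd(e, r"\bnet\s+user\s+\S+\s+\S+\s+/add\b")),
    ("Service Stop Commands", lambda e: _cmd(e, r"\b(sc|net)\s+stop\b")),
    ("Registry key added with reg.exe", lambda e: _cmd(e, r"\breg(\.exe)?\s+add\b")),
    ("Windows Firewall Rule Creation",
     lambda e: _cmd(e, r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b")),
    ("Inhibit System Recovery Commands",
     lambda e: _cmd(e, r"\bvssadmin\b.*\bdelete\s+shadows\b")),
    ("System Shutdown or Reboot", lambda e: _cmd(e, r"\bshutdown(\.exe)?\s+/[rs]\b")),
]
ACCESS = "Executable Create Script Process"
PERSIST = "Create/Add Local/Domain User"
OBJECTIVES = {"Service Stop Commands", "Registry key added with reg.exe",
              "Windows Firewall Rule Creation", "Inhibit System Recovery Commands",
              "System Shutdown or Reboot"}


def classify(event):
    """Return the set of use-case names whose predicate the event satisfies."""
    return {name for name, pred in STAGES if pred(event)}


def correlate(events, window=timedelta(hours=24)):
    """Group stage hits per host in time order and decide whether the scenario
    fires: an ACCESS hit, then a PERSIST hit, then any OBJECTIVES hit, all
    within `window` of the ACCESS hit (24h covers the 17-hour intrusion above)."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(e):
            by_host.setdefault(e["host"], []).append((e["ts"], stage))
    results = {}
    for host, hits in by_host.items():
        fired = False
        for i, (t0, s0) in enumerate(hits):
            if s0 != ACCESS:
                continue
            later = [(t, s) for t, s in hits[i + 1:] if t - t0 <= window]
            persist_idx = next((j for j, (_, s) in enumerate(later) if s == PERSIST), None)
            if persist_idx is not None and any(s in OBJECTIVES for _, s in later[persist_idx + 1:]):
                fired = True
                break
        results[host] = {"hits": hits, "fires": fired}
    return results


def _ev(ts, host, typ, image="", cmdline="", user=""):
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": typ,
            "image": image, "cmdline": cmdline, "user": user}


# Constructed sample: WS01 mirrors the 17-hour sequence; WS02 is a help-desk
# session that uses AnyDesk and restarts a service but never fires the scenario.
SAMPLE_EVENTS = [
    _ev("2022-03-10T01:00:00", "WS01", "process", r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c C:\Users\Public\setup.bat"),
    _ev("2022-03-10T01:01:00", "WS01", "process", r"C:\Users\Public\AnyDesk.exe",
        "AnyDesk.exe --install"),
    _ev("2022-03-10T04:30:00", "WS01", "user_created", user="svc_backup"),
    _ev("2022-03-10T09:00:00", "WS01", "process", r"C:\Windows\System32\net.exe",
        "net stop MSSQLSERVER"),
    _ev("2022-03-10T09:05:00", "WS01", "process", r"C:\Windows\System32\reg.exe",
        r"reg add HKLM\SOFTWARE\ExampleKey /v ExampleValue /t REG_DWORD /d 1 /f"),
    _ev("2022-03-10T09:10:00", "WS01", "process", r"C:\Windows\System32\netsh.exe",
        'netsh advfirewall firewall add rule name="example" dir=in action=allow'),
    _ev("2022-03-10T17:50:00", "WS01", "process", r"C:\Windows\System32\vssadmin.exe",
        "vssadmin delete shadows /all /quiet"),
    _ev("2022-03-10T18:00:00", "WS01", "process", r"C:\Windows\System32\shutdown.exe",
        "shutdown /r /t 0"),
    _ev("2022-03-10T10:00:00", "WS02", "process", r"C:\Program Files\AnyDesk\AnyDesk.exe",
        "AnyDesk.exe"),
    _ev("2022-03-10T10:05:00", "WS02", "process", r"C:\Windows\System32\net.exe",
        "net stop Spooler"),
]

if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        print(host, "FIRES" if r["fires"] else "quiet", [s for _, s in r["hits"]])
```

The scenario requires the ordered combination rather than any single use case, which is what keeps the WS02 help-desk session quiet even though two of the individual use cases match it; tune the window and the required stages to your own telemetry.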