Beware of BlackByte ransomware

David Strom 16 Feb 2022

Earlier this month, it hit a portion of the San Francisco 49ers' network.

The FBI has issued another warning about a new series of ransomware attacks known as BlackByte. The threat isn't new (researchers first documented it last July), but it is gaining traction. In fact, it hit a portion of the San Francisco 49ers' network earlier this month.

It comes in two versions: one is run directly by the group itself, while the other is offered as ransomware as a service, operated by affiliates who pay the malware authors for the use of their tooling. Like several other ransomware families, it deliberately avoids computers with Russian-language settings, hence the assumption that it originates from Russian sources. And like much other malware, it establishes persistence on the infected machine, so turning it off and on again does not get rid of it; it will still run after the reboot.

BlackByte's encryption code is sloppy: early versions reused the same symmetric key, fetched from a remote server, across victims, which is what made a public decryptor possible. It is still dangerous, however, because of how it gets into an organization: by targeting Microsoft Exchange servers. Taking down an email network can be devastating to any business, and Exchange is particularly exposed because so many organizations run older versions. BlackByte has been seen targeting Exchange 2013 and 2016, and because upgrading Exchange is neither simple nor quick, many IT managers are still on these older versions.

Exchange has been the target of other exploit chains as well, including ProxyLogon and ProxyShell. Microsoft issued patches for these vulnerabilities last year, yet many organizations still haven't applied them.

Another reason for the FBI alert is that the group behind BlackByte has continued to succeed with its past ransomware attacks, so it should be taken seriously.

What can organizations do to protect themselves?

If you're running a vulnerable version of Exchange, you should apply the relevant Microsoft patches as soon as possible. Better yet, put together a plan either to move to the most current Exchange version or to switch to Office 365 or Google Workspace.
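Patching closes the hole, but the IIS logs on an Exchange front end also tell you whether anyone has already tried the ProxyShell path-confusion request against you. The script below is an added example, not code from the original article or from any Microsoft or vendor tool: it parses W3C-format IIS log lines and flags requests to /autodiscover/autodiscover.json whose query begins with the "@host/" prefix, names a backend such as /mapi/nspi or /powershell, or points the Email parameter back at autodiscover.json, which is the request shape published for ProxyShell exploitation. The log lines are constructed samples; evil.example and the IP addresses are placeholders, and the field list follows the usual Exchange IIS header rather than any particular server's configuration.

```python
"""Scan Exchange IIS (W3C) logs for the ProxyShell autodiscover path-confusion pattern.

Added example; the sample log lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log, in the W3C format Exchange's IIS front end writes.
# The field order is declared by the #Fields header, which the parser honours.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-02-10 08:14:57 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\\alice 10.0.1.20 Microsoft+Office/16.0 200
2022-02-10 08:15:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@contoso.com&Protocol=ActiveSync 443 - 10.0.1.20 Outlook-iOS/2.0 200
2022-02-10 08:15:40 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2022-02-10 08:15:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2022-02-10 08:16:10 10.0.0.5 GET /owa/ - 443 - 10.0.1.33 Mozilla/5.0 200
"""

AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
# Backend endpoints an attacker steers the front end towards via the confused path.
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews/exchange.asmx")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign fields
        yield dict(zip(fields, values))


def proxyshell_indicators(entry):
    """Return the reasons (possibly none) that a request looks like ProxyShell path confusion."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    if query == "-" or not AUTODISCOVER_JSON.search(stem):
        return []
    decoded = unquote(query)
    reasons = []
    # Signal 1: the query starts with '@host/...', the prefix that makes the front end
    # drop the autodiscover path and forward the request to a backend of the attacker's choosing.
    if decoded.startswith("@"):
        reasons.append("query begins with '@host/' path-confusion prefix")
    # Signal 2: the Email parameter names autodiscover.json itself instead of a mailbox.
    email = parse_qs(decoded).get("Email", [""])[0]
    if "autodiscover/autodiscover.json" in email.lower():
        reasons.append("Email parameter points back at autodiscover.json")
    # Signal 3: a backend endpoint appears inside the autodiscover query string.
    lowered = decoded.lower()
    hit = [p for p in BACKEND_PATHS if p in lowered]
    if hit:
        reasons.append("backend path in query: " + ", ".join(hit))
    return reasons


def scan(text):
    """Run the indicators over a whole log and return the suspicious requests."""
    hits = []
    for entry in parse_iis_log(text):
        reasons = proxyshell_indicators(entry)
        if reasons:
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "stem": entry["cs-uri-stem"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"], "; ".join(hit["reasons"]))
```

Run it over the real log directory (by default under inetpub\logs\LogFiles on the Exchange server) by reading each file into `scan`. A legitimate Autodiscover v2 request also carries an "@" in its Email parameter, which is why the script keys on the query beginning with "@" and on the Email value, not merely on the presence of the character.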

You should also verify that your backups are valid and can actually be used to restore your servers. And if you haven't isolated your Exchange server on its own network segment, now is a good time to look into doing so, to limit how far an email-borne compromise can spread. This is apparently what the 49ers did, and it is likely the reason their entire network infrastructure wasn't damaged by BlackByte.

If you do get infected, try the free decryptor that researchers published for an earlier BlackByte variant. It is worth the attempt, but there is no guarantee it will work if the attackers used a more recent version of the malware.
