It comes in two versions: one is used in direct attacks by its authors, while the other is a ransomware-as-a-service version operated by affiliates who have paid the malware authors to use their tools. Like some other ransomware families, it deliberately avoids computers with Russian-language settings (hence the assumption that it originates from Russian sources). And like many malware products, it can infect the boot sector of a computer, so turning the machine off and on doesn't help; it will still run.
BlackByte has some very sloppy programming in its encryption methods. However, it is still dangerous because of how it can enter your organization: by targeting Microsoft Exchange servers. Taking down an email network can be devastating to any business, but Exchange is particularly vulnerable because so many organizations are running older versions. BlackByte targets the 2013 and 2016 versions, and because upgrading Exchange isn't a simple or quick process, many IT managers are still running these older versions.
Another reason for the FBI alert is that the group behind BlackByte has a track record of successful ransomware attacks, so it should be taken seriously.
What can organizations do to protect themselves?
If you're running a vulnerable version of Exchange, you should apply the relevant patches from Microsoft as soon as possible. Better yet, put together a plan to either move to the most current Exchange version or switch to Office 365 or Google Workspace as soon as possible.
You should also ensure that your backups are valid and can actually be used to restore your servers. And if you haven't isolated your Exchange server on a separate network segment, now may be a good time to investigate how to do this to limit the reach of email-borne threats. This is apparently what the 49ers did, and it is likely the reason their entire network infrastructure wasn't damaged by BlackByte.