
Updates:
2/13/2022
• The FBI and the United States Secret Service published a joint advisory containing Indicators of Compromise (IoCs) related to Blackbyte ransomware [Source 2].

Blackbyte is a recently identified Ransomware-as-a-Service (RaaS) operation that uses ‘double-extortion’ techniques, backed by a ‘leaks’ website on which stolen data is published. Early Blackbyte intrusions re-used encryption keys, meaning that files encrypted prior to October 2021 may be recoverable [Source 1]. Initial access in Blackbyte intrusions is typically achieved through the exploitation of vulnerabilities in public-facing devices [Source 5]. Cobalt Strike Beacon usage has also been observed in prior Blackbyte intrusions.

Detections:
• IoCs have been identified for this threat.

Mitigations:
• As of December 8th, 2021, Blackbyte uses the anonymous file upload sites ‘anonymfiles[.]com’ and ‘file[.]io’ to stage stolen data [Source 6]. It is recommended to block these domains on your firewall/proxy technologies in order to reduce the likelihood of data exfiltration. Note that this is a narrow control: the operators can move to a different upload service at any time, so also alert on unusually large outbound transfers to any newly seen file-sharing domain.
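The following is an added example, not code from the original advisory or from either source cited above. It runs the blocking logic from the mitigation above as a detection over proxy log lines: it flags any request whose destination host is one of the two named upload domains or a subdomain of one, matching on DNS label boundaries so that an unrelated domain such as ‘profile.io’ is not caught by a naive substring test for ‘file.io’. The log format, the sample lines and the IP addresses are constructed for illustration; adapt parse_line() to the format your proxy or firewall actually writes.

```python
"""Flag proxy log entries that reach the anonymous upload services the
advisory names (anonymfiles[.]com and file[.]io).

Added example, not part of the original advisory. The log format and the
sample lines below are constructed; only the two domains come from the text.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Domains from the advisory, with the de-fanging brackets removed for matching.
BLOCKED_DOMAINS = ("anonymfiles.com", "file.io")


def host_matches(host: str, blocked: Iterable[str] = BLOCKED_DOMAINS) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.

    Matching is done on DNS label boundaries: 'cdn.anonymfiles.com' matches
    'anonymfiles.com', but 'profile.io' does not match 'file.io' and
    'file.io.example.net' does not match either. A plain substring check
    would get both of the negative cases wrong.
    """
    host = host.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocked)


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Pull the host out of an absolute URL, skipping any user@ prefix and port.
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]*@)?(?P<host>[^:/?#]+)", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = URL_HOST_RE.match(rec["url"])
    rec["host"] = h.group("host") if h else ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_exfil_candidates(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client_ip, host, method, bytes_out) for every request to a blocked domain.

    Uploads (POST/PUT) are the interesting events for exfiltration, but GETs are
    kept as well: fetching the upload page usually precedes the upload itself.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and host_matches(rec["host"]):
            hits.append((rec["src"], rec["host"], rec["method"], rec["bytes"]))
    return hits


# Constructed sample log: two true hits, one look-alike domain, one domain that
# merely starts with 'file.io', and one unrelated request.
SAMPLE_LOG = """\
2021-12-08T10:15:01Z 10.0.5.23 GET https://www.example.com/index.html 200 1320
2021-12-08T10:15:09Z 10.0.5.23 POST https://api.anonymfiles.com/upload 200 52428800
2021-12-08T10:16:44Z 10.0.7.8 GET https://profile.io/login 200 4096
2021-12-08T10:17:02Z 10.0.7.8 PUT https://file.io/ 200 10485760
2021-12-08T10:18:30Z 10.0.9.1 GET https://file.io.example.net/ 200 500
"""

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG.splitlines()):
        print("EXFIL CANDIDATE: src=%s host=%s method=%s bytes_out=%d" % hit)
```

Run against the sample, only the POST to api.anonymfiles.com and the PUT to file.io are reported; the profile.io and file.io.example.net requests are correctly ignored. The same host_matches() test is what a proxy deny-list should implement, and the bytes_out field is worth alerting on independently, since a multi-megabyte upload to a newly seen domain is the exfiltration signal that survives the operators switching services.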

Recommendations to mitigate the risk of ransomware, regardless of the variant:
• Regularly monitor and audit external facing services and assets for accidental exposure and out-of-date services.
• Implement phishing training and deploy e-mail security technologies to mitigate the risk of malicious e-mail documents.
• Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment in order to provide as much visibility as possible into exploit/threat activity.
• Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.
• Enforce complex passwords and Multi-Factor Authentication across all aspects of the environment (including third-party accounts).

Sources