The ransomware operators known as BlackByte appaear to have shifted tactics, pivoting away from targeting vulnerable devices and focusing instead on flawed VMware ESXi hypervisors.
The group has also started using remote desktop software sanctioned by the victim organization, instead of deploying commercial software themselves, new research from Cisco Talos has claimed.
In a blog post, Talos IR researchers said while BlackByte “continues to leverage tactics, techniques, and procedures (TTPS) that have formed the foundation of its tradecraft since its inception,” it was also recently seen using techniques that “depart” from that. Namely, taking advantage of CVE-2024-37085, an authentication bypass vulnerability found in VMware ESXi.
BlackByte and Conti
Talos IR also argues that BlackByte is significantly more active than its data leak site would imply. In fact, the researchers believe only 20-30% of successful attacks end up on the data leak site. They don’t know for certain why BlackByte publishes only a handful of its activities, but we can speculate that many victims end up paying the ransom, if that means keeping the breach private.
BlackByte was first spotted in mid-2021, with researchers believing the group spun out off the defunct Conti ransomware group. For those unaware, Conti was a major ransomware player in the months leading up to the Russian invasion of Ukraine. At the start of the war, Conti publicly expressed its support for the Russian war machine, drawing fury from its affiliates, many of whom were Ukrainian.
Soon after, Conti’s source code, as well as thousands of private messages, were leaked by disgruntled affiliates, which ultimately led to the group’s disbandment. Since the source code leaked, different other groups stepped in, with BlackByte likely being one of them.
This group is known for using vulnerable drivers to bypass security controls, and for deploying self-propagating ransomware with worm-like capabilities. It was also observed using known-good system binaries (LoLBins), and other legitimate commercial tools.
More from TechRadar Pro
- Conti ransomware group officially shuts down - but probably not for long
- Here's a list of the best firewall software around today
- These are the best endpoint security tools right now