BlackByte Bites with Double Extortion Attacks
ExByte Changes Ransomware Assault Game
Criminal hackers are reaping double rewards with the newly discovered ExByte ransomware attacks. This latest cyber scam affords criminals the ability to double-extort victims with the help of the new data stealing tool.
The BlackByte ransomware hacking group operates the ExByte tool, which gives them an easy way to harvest private data from compromised Windows devices. With the help of this custom data-stealing tool dubbed “ExByte”, these hackers are able to enrich their criminal network with double extortion campaigns.
According to BleepingComputer, the main objective of the ExByte ransomware gang is to perform a different type of extortion assault. It is built on data exfiltration: the threat of leaking the stolen data forces businesses to pay the demanded ransom regardless of whether the hackers ever provide a decryption key for the encrypted files.
With the help of the ExByte tool, threat actors targeting Microsoft Windows victims have been earning ransom money more rapidly. The new trend has seen victims handing over ransom payments faster, without the criminals having to hand over a decryptor key.
No doubt, ExByte has raised the bar for hacking groups on the dark web. Now, with this new precision tool, the game of ransomware attacks has changed, leaving criminal hackers such as ALPHV and LockBit languishing in the dust, still trying to enhance their ransomware techniques.
In contrast, the Karakurt threat actors, who have actively used the ExByte tool, are at this time only concerned with harvesting stolen data for their data-extortion attacks, without even bothering to hand over a decryption key for encrypted files.
The ExByte Data Exfiltration Tool
Security researchers at Symantec reported how criminal hackers have been utilizing the ExByte tool to upload stolen data to the Mega cloud storage platform. The ExByte program also performs a variety of reconnaissance steps before launching its attack. According to the analysts, the tool executes anti-analysis checks, looking on the targeted system for signs of a sandbox, anti-virus software or an attached debugger.
ExByte uses hardcoded account credentials, and it enumerates all document files available on the compromised system. Once the anti-analysis checks pass, the stolen files are recorded in a new folder and then uploaded to the Mega cloud platform.
The analysts reported that the BlackByte ransomware performs the same checks, but the exfiltration tool runs independently of the ransomware, since files are encrypted only after the stolen data has been exfiltrated.
Next in the sequence, according to Symantec, ExByte enumerates the document files on the infected machine and writes a listing to a file at %APPDATA%\dummy. The listing covers .txt, .doc, and .pdf files and records the complete path and file name of each.
To conclude the operation, the folder hosting the saved files is uploaded to Mega.co.nz using the credentials embedded in the tool to access the Mega cloud account.
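A defender can turn the behaviour described above into a simple detection: a process that writes the %APPDATA%\dummy listing and then opens a connection to Mega shortly afterwards. The following is an added example, not code from the article or from Symantec; it runs over constructed Sysmon-style events (simplified field names) rather than real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry): EventID 11 = file
# create, EventID 3 = network connection. One process stages the listing and
# uploads, one browser just visits Mega, one process writes the file only.
SAMPLE_EVENTS = [
    {"time": "2022-10-21T09:12:01", "id": 11, "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\exbyte.exe",
     "target": r"C:\Users\alice\AppData\Roaming\dummy"},
    {"time": "2022-10-21T09:14:30", "id": 3, "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\exbyte.exe",
     "dest": "mega.co.nz"},
    {"time": "2022-10-21T10:02:00", "id": 3, "pid": 5008,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "mega.nz"},
    {"time": "2022-10-21T10:30:00", "id": 11, "pid": 6112,
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\bob\AppData\Roaming\dummy"},
]

# %APPDATA% normally expands to ...\AppData\Roaming, so match that suffix.
DUMMY_FILE = re.compile(r"\\AppData\\Roaming\\dummy$", re.IGNORECASE)
MEGA_HOSTS = re.compile(r"(^|\.)mega(\.co)?\.nz$", re.IGNORECASE)
WINDOW = timedelta(minutes=30)  # assumed staging-to-upload window


def detect_exbyte_sequence(events, window=WINDOW):
    """Return sorted (pid, image) pairs for processes that created the
    %APPDATA%\\dummy listing and then connected to Mega within `window`."""
    staged = {}  # pid -> time the dummy listing was created
    hits = set()
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 11 and DUMMY_FILE.search(ev.get("target", "")):
            staged[ev["pid"]] = t
        elif ev["id"] == 3 and MEGA_HOSTS.search(ev.get("dest", "")):
            started = staged.get(ev["pid"])
            if started is not None and t - started <= window:
                hits.add((ev["pid"], ev["image"]))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image in detect_exbyte_sequence(SAMPLE_EVENTS):
        print(f"ALERT: pid {pid} ({image}) staged a listing, then uploaded to Mega")
```

Only the process that both stages the listing and reaches Mega is flagged; the browser visit and the lone file write stay quiet, which keeps the rule from firing on ordinary Mega use.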
The BlackByte Hacking Trail
The BlackByte hackers first surfaced in mid-2021, and by February 2022 the gang had launched numerous well-coordinated cyber security breaches. Most of its ransomware assaults targeted American infrastructure in both the private and public sectors.
Symantec’s analysts have documented that BlackByte relies on exploiting the ProxyShell and ProxyLogon vulnerabilities in unpatched Microsoft Exchange servers, after which the hackers move through the network with tools such as PowerView, AdFind, NetScan, and AnyDesk.
Recent breaches show that the attacks were carried out with version 2.0 of the ExByte ransomware, which can remove kernel notify routines to evade EDR defenses.
Additionally, BlackByte alters firewall settings and impedes easy data restoration by deleting volume shadow copies. It also uses remote connections to access “svchost.exe” when preparing the compromised Microsoft Windows servers’ files for encryption.