
Latest Attack Wave Exploits VMware ESXi Flaw to Deploy BlackByte Ransomware

The BlackByte ransomware group’s threat actors have been seen exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also using vulnerable drivers to disable security protections.

“The BlackByte ransomware group continues to use tactics, techniques, and procedures (TTPs) that have been part of its tradecraft since its inception, constantly improving its use of vulnerable drivers to bypass security protections and deploying a self-propagating ransomware encryptor,” according to a technical report from Cisco Talos shared with The Hacker News.

The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, marks a departure from the e-crime group's established methods. BlackByte first appeared in the second half of 2021 and is believed to be one of the ransomware variants that emerged shortly before the infamous Conti ransomware gang shut down.

The ransomware-as-a-service (RaaS) group has a history of exploiting the ProxyShell vulnerabilities in Microsoft Exchange Server for initial access. It also employs double extortion and has released ransomware variants written in C, .NET, and Go.

Although a decryptor for BlackByte was released in October 2021, the group has continued to refine its methods, including using a custom tool named ExByte for data exfiltration before encryption.

A joint advisory released by the FBI and the U.S. Secret Service in February 2022 linked the RaaS group to financially motivated attacks on critical infrastructure sectors.

BlackByte's use of vulnerable drivers to bypass security processes and controls is a recurring tactic in its attacks. The technique, known as bring your own vulnerable driver (BYOVD), loads a legitimately signed but exploitable driver and abuses it to terminate or blind endpoint security software from kernel mode, where user-mode tamper protection cannot intervene.

In a recent attack investigated by Cisco Talos, the BlackByte group most likely gained initial access with valid credentials for the victim organization's VPN, probably obtained through a brute-force attack.

With those privileges, the threat actor accessed the organization's VMware vCenter server and created new accounts, adding them to an Active Directory group named "ESX Admins". This is the crux of CVE-2024-37085: an ESXi host joined to Active Directory automatically grants full administrative rights to any domain group with that name, without validating that the group is the one the administrator intended, so creating (or renaming) a group called "ESX Admins" and populating it is enough to obtain administrator privileges on the hypervisor. Besides patching, ESXi exposes the advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup (the trusted group name) and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd (whether members of that group are auto-granted admin), which can be changed to break the implicit trust.

This privilege allowed them to control virtual machines, modify host server configurations, and access system logs, diagnostics, and performance monitoring tools without authorization.

The rapid exploitation of the flaw following public disclosure highlights how threat actors quickly adapt their tactics to include newly disclosed vulnerabilities in their attacks.
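The account and group activity described above leaves a clear trail in the Windows Security log of the domain controller. The following is an added example, not Talos tooling or any code from the report: it takes Security events already exported as dictionaries (the field names are the standard event XML names, the sample records are constructed) and flags creation, renaming or population of a group called "ESX Admins", escalating when the member added was itself created in the same batch of events. Matching the group name case-insensitively is a defensive assumption, not something the page states about ESXi.

```python
"""Flag Active Directory Security events consistent with CVE-2024-37085 abuse.

Added example, not tooling from the Talos report. Input is a list of dicts built
from exported Windows Security events (field names follow the event XML).
"""
import re
from dataclasses import dataclass

# Default group name an AD-joined ESXi host trusts. Assumption: the advanced
# setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup is unchanged.
TARGET_GROUP = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)

# Windows Security event IDs.
GROUP_CREATED = {4727, 4731}   # security-enabled global / local group created
MEMBER_ADDED = {4728, 4732}    # member added to security-enabled global / local group
ACCOUNT_RENAMED = 4781         # the name of an account was changed
USER_CREATED = 4720            # a user account was created


@dataclass
class Finding:
    severity: str
    event_id: int
    actor: str
    detail: str


def _is_target(name):
    return bool(name) and TARGET_GROUP.match(name) is not None


def _cn_of(distinguished_name):
    # MemberName is a DN such as 'CN=esxsvc,CN=Users,DC=corp,DC=example'
    return distinguished_name.split(",")[0].split("=")[-1].strip().lower()


def find_esx_admins_abuse(events):
    """Return a list of Findings, in event order."""
    findings = []
    created_users = set()
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName")
        if eid == USER_CREATED:
            created_users.add((target or "").lower())
        elif eid in GROUP_CREATED and _is_target(target):
            findings.append(Finding("high", eid, actor, f"group '{target}' created"))
        elif eid == ACCOUNT_RENAMED and _is_target(ev.get("NewTargetUserName")):
            # Renaming an existing group to the trusted name is just as effective.
            findings.append(Finding("high", eid, actor,
                                    f"'{ev.get('OldTargetUserName')}' renamed to "
                                    f"'{ev['NewTargetUserName']}'"))
        elif eid in MEMBER_ADDED and _is_target(target):
            member = ev.get("MemberName", "?")
            fresh = _cn_of(member) in created_users
            findings.append(Finding(
                "critical" if fresh else "high", eid, actor,
                f"{member} added to '{target}'"
                + (" (account created in the same batch)" if fresh else "")))
    return findings


# Constructed sample: a VPN user creates an account, the group, and joins them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "esxsvc"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=esxsvc,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Printer Ops",
     "NewTargetUserName": "esx admins"},
]

if __name__ == "__main__":
    for f in find_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_id} by {f.actor}: {f.detail}")
```

On a real estate, feed it the output of a SIEM query for those event IDs rather than a full export; the group name check is the whole signal, so the query can be narrowed to events whose TargetUserName or NewTargetUserName contains "ESX".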

After encrypting files, the BlackByte ransomware appends the extension "blackbytent_h" to them and drops four vulnerable drivers as part of its BYOVD attack. The dropped files are named with a string of random alphanumeric characters followed by an underscore and an incrementing number:

  • AM35W2PH (RtCore64.sys)
  • AM35W2PH_1 (DBUtil_2_3.sys)
  • AM35W2PH_2 (zamguard64.sys aka Terminator)
  • AM35W2PH_3 (gdrv.sys)

The professional, scientific, and technical services sectors are most exposed to these vulnerable drivers, followed by manufacturing and educational services. Talos estimates that the threat actor is likely more active than publicly known, with only 20-30% of victims publicly posted.
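The staging pattern above (one random prefix, an incrementing suffix, and a known-vulnerable driver behind each name) is itself detectable. The following is an added example, not code from the report: given records pairing an on-disk file name with the driver's original filename (as an analyst would pull from PE version information), it flags the four drivers named on this page and groups files that share the staging prefix. The eight-character prefix length is an assumption drawn from the single sample in the report; in production the match should be by file hash against the Microsoft vulnerable driver blocklist rather than by name, since the page gives no hashes.

```python
"""Flag driver files matching the BlackByte BYOVD staging described above.

Added example, not tooling from the Talos report. Records are (on_disk_name,
original_filename) tuples; the sample set is constructed.
"""
import re
from collections import defaultdict

# Original filenames of the four drivers named in the report.
KNOWN_DROPPED_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}

# Staging name: random alphanumerics, then "_<n>" for the 2nd, 3rd, 4th file.
# Assumption: the prefix is 8 characters, as in the observed sample AM35W2PH.
STAGED_NAME = re.compile(r"^(?P<prefix>[A-Za-z0-9]{8})(?:_(?P<index>\d+))?$")


def classify_driver(on_disk_name, original_filename):
    """Return the reasons a single file is suspicious (empty list if none)."""
    reasons = []
    if original_filename.lower() in KNOWN_DROPPED_DRIVERS:
        reasons.append(f"known vulnerable driver {original_filename}")
    if STAGED_NAME.match(on_disk_name):
        reasons.append("extension-less staging name")
    return reasons


def find_byovd_staging(records):
    """Group files by staging prefix; return prefixes backed by a known driver.

    Result maps prefix -> sorted list of (on_disk_name, original_filename).
    A prefix counts only if at least one of its files is a known dropped driver,
    which keeps random eight-character names of benign files out of the result.
    """
    by_prefix = defaultdict(list)
    for disk_name, original in records:
        m = STAGED_NAME.match(disk_name)
        if m:
            by_prefix[m.group("prefix")].append((disk_name, original))
    hits = {}
    for prefix, files in by_prefix.items():
        if any(o.lower() in KNOWN_DROPPED_DRIVERS for _, o in files):
            # Sort by the numeric suffix so the incremental order is visible.
            files.sort(key=lambda f: int(STAGED_NAME.match(f[0]).group("index") or 0))
            hits[prefix] = files
    return hits


# Constructed sample directory listing: the four staged drivers, a benign
# file with a similar name, a legitimately named driver, and a stray copy of
# a known vulnerable driver under its real name.
SAMPLE_RECORDS = [
    ("AM35W2PH", "RtCore64.sys"),
    ("AM35W2PH_1", "DBUtil_2_3.sys"),
    ("AM35W2PH_2", "zamguard64.sys"),
    ("AM35W2PH_3", "gdrv.sys"),
    ("QZ9K2LMP", "installer.tmp"),
    ("ntoskrnl.exe", "ntoskrnl.exe"),
    ("gdrv.sys", "gdrv.sys"),
]

if __name__ == "__main__":
    for prefix, files in find_byovd_staging(SAMPLE_RECORDS).items():
        print(f"staged set {prefix}: {[d for d, _ in files]}")
    for disk_name, original in SAMPLE_RECORDS:
        for reason in classify_driver(disk_name, original):
            print(f"{disk_name}: {reason}")
```

The stray gdrv.sys under its own name is still reported by classify_driver even though it does not belong to a staged set, which is the behaviour you want: the driver is dangerous regardless of what it is called on disk.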

“BlackByte’s transition from C# to Go and now to C/C++ in the latest version of its encryptor – BlackByteNT – demonstrates a deliberate effort to enhance the malware’s resistance to detection and analysis,” explained the researchers.

“Complex languages like C/C++ enable the inclusion of advanced anti-analysis and anti-debugging techniques, which have been observed in the BlackByte tooling during thorough analysis by other security researchers.”

Elsewhere, Group-IB detailed the tactics of the Brain Cipher and RansomHub ransomware strains, and found evidence that Brain Cipher may be connected to other ransomware operations, namely EstateRansomware, SenSayQ, and RebornRansomware.

Group-IB’s analysis highlights similarities in the ransom notes of Brain Cipher and SenSayQ ransomware, as well as on the TOR websites of the respective ransomware groups.

RansomHub, which has recruited former affiliates of Scattered Spider, has targeted the healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K. Its playbook relies on compromised domains and public VPN services for initial access, followed by data exfiltration and wide-scale encryption.
