Blackbyte

Threat Actor updated 3 months ago (2024-09-01T14:17:45.809Z)
BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This marks a significant departure from BlackByte's traditional techniques, such as exploiting known vulnerabilities in widely used software like Microsoft Exchange or using phishing and brute-force attacks. Exploiting this authentication bypass gives attackers full administrative access to the hypervisor, demonstrating BlackByte's ability to swiftly integrate new vulnerabilities into its toolkit.

For the first time, Talos Incident Response (IR) detected a new variant of BlackByte ransomware, dubbed BlackByte NT, alongside the previously seen LockBit ransomware. The attackers initially compromised a valid account to gain access and escalated privileges quickly once inside the network, often creating and manipulating Active Directory domain objects to gain control over critical systems. The new variant reflects BlackByte's evolution towards advanced programming languages such as C/C++ in its encryptor, aiming to make the malware more resistant to detection and analysis through sophisticated anti-analysis and anti-debugging techniques. The self-propagating nature of the BlackByte encryptor presents additional challenges for defenders.

Regular hardening and patching of ESXi hosts are required to address vulnerabilities promptly. According to cybersecurity experts, the focused effort by BlackByte and similar threat actors to exploit vulnerabilities in ESXi indicates an intent to compromise the core infrastructure of enterprise networks.
As such, BlackByte's pivot, as discovered by Cisco Talos Incident Response, highlights its capacity to rapidly incorporate new vulnerabilities into its toolkit, underscoring the evolving nature of the threat it poses.
Description last updated: 2024-09-01T14:16:11.920Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.

Conti (possible alias, 4 votes): Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Vulnerability
Malware
Esxi
Exploits
RaaS
Credentials
Exploit
Associated Malware
Akira (association type: Unspecified, 3 votes): Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo

LockBit (association type: Unspecified, 3 votes): LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit

Karakurt (association type: Unspecified, 2 votes): Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a
Associated Vulnerabilities
CVE-2024-37085 (association type: Unspecified, 3 votes): The vulnerability CVE-2024-37085 is associated with BlackByte.

ProxyShell (association type: Unspecified, 2 votes): ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. It is a software design and implementation flaw that allows attackers to gain unauthorized access to the affected systems. The exploit chain for ProxyShell includes CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Source Document References
Information about the BlackByte threat actor was read from the documents corpus below. This display is limited to 20 results.

Source (age of document):
Securityaffairs (3 months ago)
InfoSecurity-magazine (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (3 months ago)
CERT-EU (8 months ago)
Checkpoint (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
Malwarebytes (2 years ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)