Since mid-2021, BlackByte has made a name for itself as malware offered as ransomware-as-a-service (RaaS), and it has contributed to the wave of ransom extortion against critical infrastructure in the USA. Ransom demands in the millions have already been extorted from some victims, with the demands backed by the threat of publishing the stolen data. New variants of the ransomware are now in circulation, which security researchers at Zscaler have subjected to a more detailed analysis.
They discovered that the malware's operators redesigned BlackByte and, in doing so, switched from the C# programming language to Go. The new Go variant has been in circulation since February 2022 and comes with many new features and updated encryption mechanisms. Both versions share lateral movement within infected infrastructures and the exfiltration of data before the systems are encrypted. BlackByte also employs various techniques intended to hinder analysis and uses a variety of dynamic obfuscation algorithms for this purpose.
Before the new versions of BlackByte encrypt files on an infected system, the ransomware first runs an initialization routine. For example, the system language is compared against language ID values. If an Eastern European language is detected, such as Russian, Ukrainian, Belarusian, Tajik, Armenian or Georgian, among others, BlackByte terminates without encrypting any files. It can be assumed that the threat actors and creators of the malware are themselves located in one of these countries and want to avoid law enforcement action there. The ransomware also creates a mutex whose value is hardcoded into the malware. If this mutex already exists on the system, BlackByte terminates; this ensures that only one instance is active at a time.
Like other ransomware families, BlackByte deletes shadow copies so that an affected company cannot recover files from these backups. It also terminates processes belonging to business applications and antivirus solutions. BlackByte additionally terminates and uninstalls the anti-ransomware tool Raccine.
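The shadow-copy deletion and Raccine removal described above leave traces in process-creation telemetry. As an added example (not part of the Zscaler analysis or of BlackByte itself), the following Python scans constructed Sysmon-style process-creation lines for those behaviours; the rule patterns and the sample log are assumptions for illustration, not indicators taken from BlackByte samples.

```python
import re

# Constructed sample of process-creation log lines (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"
Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"
Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /F /IM Raccine.exe"
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"
"""

# Each rule is (name, regex over the command line). The shadow-copy patterns cover the common
# Windows ways of deleting Volume Shadow Copies; the Raccine pattern is an assumed heuristic.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*delete\(\)", re.I)),
    ("raccine_tampering", re.compile(r"taskkill.*raccine|raccine.*(uninstall|stop)", re.I)),
]

LINE_RE = re.compile(r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>.*)"$')


def parse_line(line):
    """Return (image, command_line) for a process-creation record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("image"), m.group("cmd")) if m else None


def scan_process_log(text):
    """Return a list of (rule_name, image, command_line) for every matching log line."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, cmd = parsed
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append((name, image, cmd))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for name, image, cmd in scan_process_log(SAMPLE_LOG):
        print(f"[{name}] {image}: {cmd}")
```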
BlackByte is a fully functional ransomware family run by a group of cybercriminals that repeatedly breaks into businesses and demands large ransoms. The actors use double extortion and publish the stolen files of their victims if the ransom is not paid. The ransomware code itself is regularly updated to fix bugs, bypass security software and make malware analysis more difficult. This continuous updating makes BlackByte a considerable threat to companies.