BlackByte – Examining the Malware’s TTPs
Post Credit: Austin Miller
Last week, we looked at the BlackByte IOCs (which you can catch up on here, if you missed out). But understanding how BlackByte will use when your systems have been compromised is one thing – learning how the adversary will try to infiltrate your security is the best way to find weaknesses in your security posture.
Due to the complex nature of BlackByte, it is a difficult piece of ransomware to handle. Through 22 different tactics, techniques, and procedures (TTPs), the cybercriminals have really put their work into making sure that total infection and destruction is practically guaranteed when the ransomware makes its way onto a network.
In order to defend yourself, study these TTPs and create plans to counter the adversary at every step. Some commentary is offered in each TTP, but developing solutions which are suited to your organization is key to effective cybersecurity practices.
BlackByte – Examining the Malware’s TTPs : The Tactics, Techniques, and Procedures
Understanding the TTPs used by the BlackByte ransomware gang is key to hardening your own perimeter. Although there are at least 22 identifiable TTPs used in typical BlackByte breach, I have focused on eleven that are easily addressed within an organizational cybersecurity setting.
Initial Access
T1190 – Exploit Public Facing Application
BlackByte – in both its original form and the “new and improved” version – targets known weaknesses in the Microsoft Exchange Server. In particular, the ransomware exploits the ProxyShell vulnerability by dropping a webshell – malware that creates a backdoor, allowing for remote code execution. The malware could easily go unnoticed as the .aspx extension is common on servers that run the Windows ASP.NET framework.
To protect yourself, make sure that your systems are patched for the following CVEs:
A 9.8 critical vulnerability which allows remote code execution due to a vulnerability in the Microsoft Exchange Server.
A 9.8 critical vulnerability that allows elevation of privileges due to a vulnerability in the Microsoft Exchange Server.
A 7.2 vulnerability that allows defensive evasion due to a vulnerability in the Microsoft Exchange Server.
Depending on the version of the Microsoft Exchange Server that you use, you will need to update your systems to at least the following updates:
MSE 2013 |
Update 23 |
MSE 2016 |
Update 20 |
MSE 2019 |
Update 9 |
Execution
T1053.005 – Scheduled Task/Job: Scheduled Task
Predictably, scheduled tasks are used to launch the ransomware executable and print ransom notes through any printers attached to the infected network. You can identify them as such:
-
complex.exe -single <SHA256_hash>
This is the BlackByte executable. The hash may be a form of identifier for the victim.
-
cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:Userstree.dll
Launching the command prompt, the trees.dll file – the ransom note – is printed 75 times.
BlackByte also uses PowerShell (T1059.001) and the Windows Command Shell (T1059.003) to launch additional malicious commands on an infected system.
Privilege Escalation
T1112 – Modify Registry
In an effort to escalate local privileges, share network connections, and ensure full encryption, BlackByte launches a tripartite registry modification.
-
reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
-
reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLinkedConnections /t REG_DWORD /d 1 /f
-
reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v LongPaths Enabled /t REG_DWORD /d 1 /f
Defense Evasion
BlackByte uses multiple evasive measures to work around known defenses to ransomware and the outdated 2019 version. Due to the variety of methods that the BlackByte ransomware gang uses, it is difficult to nail down the exact areas that you will need to harden. To make matters even worse, this form of ransomware has already transformed once – the BlackByte gang is evidently capable of changing the malware to make it more potent and extort more ransoms.
Similarly, there is evidence that BlackByte uses Intial Access Brokers (IABs) – cybercriminals who specialize in finding ways where malware can be injected – meaning that their attention is focused on utilizing and improving how they encrypt sensitive data and disrupt businesses.
T1027.002 – Obfuscated Files of Information: Software Packing
T1055 – Process Injection
T1070.004 – Indicator Removal on Host: File Deletion
T1562.001 – Impair Defenses or Modify Tools
T1562.004 – Impair Defenses: Disable or Modify System Firewall
Because of the wide range of TTPs and access to IABs, the only way to protect yourself against BlackByte is through:
- Testing to find the weak spots in your systems with mock ransomware.
- Implementing healthy cybersecurity practices, such as three-factor authentication, access control lists, and patches to cover for elevation of privilege vulnerabilities in the Microsoft Server Exchange.
Lateral Movement
T1021.002 – Remote Services: SMB/Windows Admin Shares
Using Cobalt Strike, BlackByte creates SMB shares which spread the ransomware throughout the network. AnyDesk is the program that is distributed via SMB.
Air-gapping critical backups is the best way to stop the ransomware from grinding your business operations to a halt, especially since there seems to be no way for the BlackByte gang to extract information after they have encrypted systems.
Impact
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
In case my earlier warning about the pros of air-gapping sensitive data fell on deaf ears, here is where BlackByte destroys businesses which don’t have secure backup plans. The following commands are used to identify, resize, and delete volume shadow copies:
-
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
-
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
At this point, all shadow storage is resized.
-
powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
This PowerShell command then deletes the shadow copies, causing catastrophic levels of data loss if no backups are available.
BlackByte – Examining the Malware’s TTPs – How Do We Stop It?
By examining the TTPs used by the BlackByte ransomware, we can show exactly how this malicious software infects, encrypts, and destroys systems to extract ransom payments from would-be victims. A sophisticated understanding of the MITRE ATT&CK framework and understanding how you can apply it to your business is necessary for combating BlackByte-like malware and creating policies and playbooks for stopping cybercriminals.
For BlackByte in particular, the most effective advice is patching. Using the Microsoft Server Exchange patches will stop the ransomware before it can enter your system, avoiding the difficult and painful business of wiping and restoring your organization from air-gapped backups. But because these cybercriminals have sophisticated methods, understanding the ATT&CK framework and implementing it in your organization is key to staying one step ahead of the adversary.