Submitted URL: https://t.co/7fphE6USF1?amp=1
Effective URL: https://lifars.com/2021/11/new-but-odd-blackbyte-ransomware-reusing-crypto-keys-and-worms-into-networks/

NEW BUT ODD BLACKBYTE RANSOMWARE REUSING CRYPTO KEYS AND WORMS INTO NETWORKS

11/16/21


The cybersecurity firm Trustwave recently found a new but odd ransomware family
during an incident response engagement. Researchers have dubbed it BlackByte.
It is odd because of several functional and design decisions made by its
creators. The most striking mistakes are the use of one encryption key for
every victim and code obfuscation that can be bypassed straightforwardly.
Interestingly, BlackByte does not target Russian computers, a trait common among
ransomware originating from Russia.

Do you want to address the information security leadership needs of your
organization? LIFARS brings Chief Information Security Officer Solution. Our
CISOs are highly proficient at establishing, improving, and transforming
Cybersecurity Programs.


WHAT IS BLACKBYTE?

According to BleepingComputer, BlackByte is a ransomware operation that started
targeting corporate victims across the globe in early July 2021.
BleepingComputer also notes that BlackByte is less active than other ransomware
operations. Nevertheless, it has carried out several attacks worldwide, so it is
not something to ignore.


EXPLOITING STANDARD OBFUSCATION TECHNIQUES

A BlackByte attack begins when an obfuscated launcher is introduced on a
compromised system. The malware uses standard obfuscation techniques, which may
include renaming variables, padding the file with unused junk code, and
scrambling the code.


USE OF DOUBLE-EXTORTION

BlackByte also uses double extortion. The threat actors do not stop after
locking up systems; they additionally threaten victims with leaking their
confidential information.

Like other ransomware operators that run leak websites, such as REvil, Babuk,
and Conti, BlackByte has rolled out its own site, which claims to hold data
exfiltrated from its victims.

Surprisingly, however, researchers report that BlackByte does not appear to have
any exfiltration functionality. The claim is therefore likely a bluff intended
to pressure victims into paying the ransom.


SELF-PROPAGATION ABILITY

The malware's self-propagation routine queries Active Directory for a thousand
hostnames, sends a wake-on-LAN packet to each, and infects the devices it can
reach. This effectively turns the program into a worm. While undeveloped, the
worm functionality could cause considerable spread inside an organization,
according to the researchers.
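The wake-on-LAN step described above is one observable a defender can key on: a
single workstation emitting magic packets to many distinct MAC addresses in a
short window is unusual. The following is an added example, not code from the
LIFARS post or from Trustwave's analysis. It parses the wake-on-LAN magic-packet
format (six 0xFF bytes followed by the target MAC repeated sixteen times, with an
optional 4- or 6-byte SecureOn password) and flags sources that wake many distinct
targets inside a time window. The record format `(timestamp, src_ip, udp_payload)`,
the threshold of 10 targets and the 60-second window are assumptions chosen for
the demo, and all sample traffic is constructed inline.

```python
"""Detect bursts of Wake-on-LAN magic packets (added example, constructed data)."""
from collections import defaultdict

SYNC = b"\xff" * 6          # magic-packet synchronisation stream
MAC_REPEATS = 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic
    packet, otherwise None."""
    body_len = 6 + MAC_REPEATS * 6
    if len(payload) < body_len or not payload.startswith(SYNC):
        return None
    mac = payload[6:12]
    # The MAC must be repeated exactly 16 times after the sync stream.
    if payload[6:body_len] != mac * MAC_REPEATS:
        return None
    # Some senders append a SecureOn password; only 4 or 6 bytes are valid.
    trailer = payload[body_len:]
    if trailer and len(trailer) not in (4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Construct a magic packet; used here only to build sample traffic."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return SYNC + raw * MAC_REPEATS + password


def flag_wol_bursts(records, threshold=10, window_s=60):
    """records: iterable of (timestamp_seconds, src_ip, udp_payload).
    Returns {src_ip: max_distinct_targets} for every source that woke at
    least `threshold` distinct MACs within any `window_s`-second window."""
    per_src = defaultdict(list)
    for ts, src, payload in records:
        mac = parse_magic_packet(payload)
        if mac is not None:
            per_src[src].append((ts, mac))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, len({m for _, m in events[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


# Constructed sample traffic (assumption: not captured from any real incident):
# 10.0.0.5 is an admin host waking two machines, 10.0.0.77 wakes twelve
# distinct hosts in six seconds, and two non-magic UDP payloads are mixed in.
SAMPLE_RECORDS = (
    [(0.0, "10.0.0.5", build_magic_packet("00:11:22:33:44:55")),
     (1.0, "10.0.0.5", build_magic_packet("00:11:22:33:44:56", b"\x00" * 6))]
    + [(100.0 + i * 0.5, "10.0.0.77", build_magic_packet(f"00:11:22:33:44:{i:02x}"))
       for i in range(12)]
    + [(101.0, "10.0.0.77", b"\x00" * 102),                 # not a magic packet
       (102.0, "10.0.0.9", SYNC + b"\x01" * 96 + b"\x02" * 3)]  # bad trailer length
)


def demo():
    return flag_wol_bursts(SAMPLE_RECORDS, threshold=10, window_s=60)


if __name__ == "__main__":
    print(demo())  # {'10.0.0.77': 12}
```

In a real deployment the records would come from a packet capture or a NetFlow/
IDS feed of UDP port 9 (or 7) traffic; the parser deliberately rejects payloads
whose trailer is neither empty nor a valid SecureOn password length so that random
broadcast noise does not inflate the count.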


AMATEUR DEVELOPERS BEHIND BLACKBYTE RANSOMWARE

Judging by its design, the developers behind BlackByte appear to be
inexperienced, and by all accounts it does not seem to be a variant of an
earlier ransomware family. Karl Sigler, senior security research manager at
Trustwave, has also described the developers as inexperienced, adding that it
looks as though they wrote the ransomware from scratch, but clumsily.

Note, however, that BlackByte shares a few traits with other ransomware
associated with Russia: it avoids Russian-language systems, as REvil does, and
uses network exploitation to spread inside networks, just like Ryuk.

BlackByte's encryption process also shows that it is the work of unskilled
threat actors. Instead of generating a unique key for each session, as
sophisticated ransomware operators usually do, BlackByte uses the same key to
encrypt files across victims. As a result, decrypting a file requires nothing
more than the symmetric encryption key that the malware downloads from a public
server.


FINAL WORDS

A new ransomware gang, BlackByte, has entered cyberspace, but given the number of
mistakes it has made in developing its tool, this one is a beginner. Are you
dealing with ransomware or cyber extortion? Our Cyber Incident Response Team can
offer an elite response for your organization.


REFERENCES

BlackByte Reuses Crypto Keys and Worms into Networks

BlackByte ransomware decryptor released

BlackByte ransomware decryptor released to restore files for free

A new form of ransomware dubbed BlackByte has emerged

In-depth Analysis of BlackByte Ransomware


© 2021 LIFARS, Your Cyber Resiliency Partner