Ransomware Spotlight: BlackByte

BlackByte is a ransomware group that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of getting a payout.

BlackByte debuted in July 2021. Its first year of activity garnered the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). According to a joint advisory by these two government agencies, BlackByte had already gone after at least three US critical infrastructure sectors (government facilities, financial, and food and agriculture) by November 2021. This advisory shows just how actively BlackByte was establishing itself as a noteworthy new ransomware variant.

In October 2021, Trustwave released a publicly available decrypter for BlackByte. This however did not stop BlackByte: its developers released newer versions that used multiple keys and ramped up operations, going as far as to warn their victims against using the available decrypter on their website.

BlackByte's emergence could be part of a larger scheme. With the purported shutdown of Conti, researchers from AdvIntel surmise that BlackByte is one of the chief new ransomware variants that are part of its rebranding.

At present, BlackByte continues to target organizations from all over the world. However, like LockBit, RansomEXX, and many other ransomware families, BlackByte avoids attacking Russia-based entities.

What do organizations need to know about BlackByte?

While BlackByte operators use their piece of ransomware in attacks for their own gain, they also run on a ransomware-as-a-service (RaaS) model for their affiliates. We have listed the key highlights of BlackByte here:

  • The earlier variant of BlackByte used the same key in each campaign to encrypt files. It also used AES, a symmetric key algorithm. This allowed researchers to create a decrypter to help BlackByte victims, thus forcing the group to change their encryption method in newer variants.
  • The first known version of BlackByte was written in C#. Operators then released two Go-based variants. The more recent Go variant was introduced around February 2022 and sported modifications, particularly in its encryption algorithm.
  • In BlackByte campaigns, data exfiltration is done before the ransomware is deployed. This is because the BlackByte ransomware itself is incapable of exfiltrating data; instead, the operators archive files using WinRAR and then upload the archive to file-sharing sites.
  • Like most modern ransomware variants, BlackByte uses living-off-the-land binaries. For example, it uses the remote tool AnyDesk to gain further control over a system and for lateral movement.
  • Initial access involves phishing emails or a known ProxyShell vulnerability.

BlackByte's trajectory seems to point to continuing activity. BlackByte has been known to use phishing emails or exploit the unpatched ProxyShell vulnerability in Microsoft Exchange Servers to gain initial access into a system. In fact, reports indicate that BlackByte is among the ransomware operations that have set their sights on Latin American governments in May 2022. This report is reflected in our own telemetry data as seen in the next section.

Observed techniques (MITRE ATT&CK)

T1190 - Exploit Public-Facing Application
  It has been observed using the ProxyShell exploit to deliver the China Chopper web shell as its initial arrival.

T1053.005 - Scheduled Task/Job: Scheduled Task
  It creates a scheduled task to execute its JavaScript so that its routine proceeds on bootup.

Privilege escalation
  This ransomware modifies the registry to elevate local privilege and enable linked connections.

T1140 - Deobfuscate/Decode Files or Information
  It initially arrives as an obfuscated JavaScript file which is decoded upon execution.

T1222 - File and Directory Permissions Modification
  It uses mountvol.exe to mount volume names and icacls.exe to change the access on the volume to "Everyone":
    "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q

T1562.001 - Impair Defenses: Disable or Modify Tools
  It disables Raccine, an anti-ransomware utility, using this command:
    Schtasks.exe /DELETE /TN "Raccine Rules Updater" /F
  It also modifies firewall settings to enable linked connections:
    "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
    "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  It also disables controlled folder access using PowerShell:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
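As an added example (not code from the Trend Micro report or this page), the command lines quoted in the technique table above can be turned into simple detection rules and run over process-creation telemetry. The log format ("<timestamp> <user> <command line>"), the sample events and their timestamps are constructed assumptions; the technique IDs are the ones the table gives.

```python
import re

# Constructed sample process-creation events (not real telemetry), one per
# line as "<timestamp> <user> <command line>". The first five command lines
# mirror those quoted in the BlackByte technique table; the last two are benign.
SAMPLE_EVENTS = """\
2022-05-10T08:01:12Z SYSTEM "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
2022-05-10T08:01:14Z SYSTEM "C:\\Windows\\System32\\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
2022-05-10T08:01:15Z SYSTEM "C:\\Windows\\System32\\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2022-05-10T08:01:17Z SYSTEM Schtasks.exe /DELETE /TN "Raccine Rules Updater" /F
2022-05-10T08:01:20Z SYSTEM "C:\\Windows\\System32\\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
2022-05-10T08:02:00Z alice "C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\notes.txt
2022-05-10T08:03:00Z bob "C:\\Windows\\System32\\netsh.exe" interface show interface
"""

# Each rule: (ATT&CK technique ID from the table, rule name, case-insensitive
# regex over the command line). Patterns do not anchor on the binary's full
# path, so a relocated copy of the same tool is still matched.
RULES = [
    ("T1562.001", "Controlled Folder Access disabled via Set-MpPreference",
     r'set-mppreference\s+.*-enablecontrolledfolderaccess\s+disabled'),
    ("T1562.001", "Firewall rule group enabled via netsh advfirewall",
     r'netsh(\.exe)?"?\s+advfirewall\s+firewall\s+set\s+rule\s+group=.*enable=yes'),
    ("T1562.001", "Raccine scheduled task deleted via schtasks",
     r'schtasks(\.exe)?\s+/delete\s+/tn\s+"raccine rules updater"'),
    ("T1222", "Everyone granted full control on a volume via icacls",
     r'icacls(\.exe)?"?\s+.*\s+/grant\s+everyone:f'),
]
_COMPILED = [(tid, name, re.compile(pat, re.IGNORECASE)) for tid, name, pat in RULES]

def parse_event(line):
    """Split '<timestamp> <user> <command line>' into its three fields."""
    ts, user, cmd = line.split(" ", 2)
    return ts, user, cmd

def scan_events(text):
    """Return (timestamp, technique_id, rule_name) for every event whose command
    line matches one of the BlackByte defense-impairment or permission-
    modification rules; events that match no rule produce nothing."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _user, cmd = parse_event(line)
        for tid, name, rx in _COMPILED:
            if rx.search(cmd):
                hits.append((ts, tid, name))
    return hits
```

Running scan_events(SAMPLE_EVENTS) flags the five BlackByte command lines and ignores the two benign ones, which is the minimum a process-creation rule set should distinguish before being deployed more widely.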