At least one affiliate of the high-profile ransomware-as-a-service (RaaS) group BlackByte is using a custom tool to exfiltrate files from a victim’s network, a key step in the fast-growing business of double-extortion.
The exfiltration tool, dubbed Exbyte, is written in Go for Windows computers, and is designed to upload files to the Mega cloud storage service, according to researchers in Symantec’s Threat Hunter Team this month.
Exbyte lets the affiliate speedily grab a victim’s sensitive internal documents and stash them out of sight, yet another indication of BlackByte’s rising status in the always-dynamic ransomware world. A victim’s network is compromised, and the intruders siphon off data using Exbyte and then lock up the network using BlackByte.
“Following the departure of a number of major ransomware operations such as Conti and Sodinokibi [also known as REvil], BlackByte has emerged as one of the ransomware actors to profit from this gap in the market,” the Symantec team wrote in a report. “The fact that actors are now creating custom tools to use in BlackByte attacks suggests that is may be on the way to becoming one of the dominant ransomware threats.”
BlackByte emerged in July 2021 and quickly became a significant group in the RaaS space. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) and FBI in February issued an alert [PDF], noting that the ransomware had been used multiple times to attack US and foreign businesses, including at least three organizations in critical infrastructure sectors – government, financial, and food and agriculture – in the United States.
The BlackByte group also was behind an attack on the San Francisco 49ers football team in February.
Symantec says the BlackByte RaaS operation is run by a crew it calls Hecamede and that in recent months, the ransomware has been among the most widely used in attacks. Trend Micro in a report noted the BlackByte operators not only enable affiliates to use its malware directly but also to be able to deploy it in their own attacks.
As a RaaS, BlackByte ad its back-end infrastructure are basically rented out to criminals to use, with the Windows malware’s operators taking a cut of any ill-gotten gains from the use of its code.
Like a growing number of other ransomware gangs, BlackByte and its affiliates also are in the data-extortion racket, stealing data and threatening to publicly leak it or even erase it if victims don’t make the demanded payment.
Exbyte is not alone as a custom data-exfiltration tool. Symantec researchers pointed to the file-stealing Exmatter detected in November 2021 and used by the BlackMatter ransomware gang and, later, in Noberus ransomware attacks. There also is the Ryuk Stealer and StealBit, which they said is linked to LockBit.
Some groups, such as Karakurt, are skipping the encryption step entirely and going straight to data exfiltration and extortion. The extortion-only trend is growing as threat groups are avoiding the fiddly programming and cryptography needed to scramble and unscramble a victim’s files using keys kept on remote backend servers, and going for simple data collection.
Once executed, Exbyte runs a number of checks to ensure it’s not in a sandboxed environment to make it more difficult for security teams to analyze the malware. It also checks for running processes of eight applications and for antivirus or sandbox-related files.
Such checks are similar to those run by the BlackByte ransomware payload itself, as Sophos researchers outlined in a report earlier this year.
The tool then grabs document files on the compromised system and exfiltrates the files, uploading them to a folder created by the malware on Mega, with credentials for the Mega account hardcoded into Exbyte. See the Symantec report for technical details on how to detect it.
Recent BlackByte infections have involved miscreants exploiting ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange servers and using tools such as AdFind, AnyDesk, NetScan, and PowerView to move through a network before or while deploying the file-scrambling ransomware payload. They also deploy version 2.0 of the BlackByte ransomware in newer attacks. ®