Cyberattackers are using BlackByte, a ransomware-as-a-service group, to target critical infrastructure in the United States, including government facilities, financial institutions, and the agriculture industry, according to a recent advisory from the FBI and Secret Service.
The BlackByte group had dropped out of sight for a few weeks, but as of November, its ransomware had compromised many U.S. and foreign businesses, said the advisory, released on Feb. 11. In some cases, attackers have used a known Microsoft Exchange Server vulnerability to access victims’ networks, the advisory said.
Shortly after the advisory was released, there were reports of BlackByte being used to attack the San Francisco 49ers. The football team said then it was investigating the attack.
Ransomware-as-a-service providers typically offer a subscription-based model allowing other attackers or affiliates to use their available ransomware tools. In many cases, the provider and the attacker share ransom payments.
Ransomware-as-a-service providers are the “new mafia,” said Chris Olson, CEO and co-founder of the Media Trust, a digital security provider.
“Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth,” he added. “As we are seeing with small players like BlackByte, as the cybercriminal underclass grows, so will the black market for ransomware, malware, exploits, and sensitive data harvesting.”
Ransomware-as-a-service allows almost anyone to become a cyberattacker, he told the Washington Examiner. “With these shadow markets in place, hacking skills aren’t needed to target organizations across any industry,” he said. “Nation-states, terrorist groups, and profit-seekers can infiltrate a business by simply paying someone else to do it for them.”
BlackByte first appeared in mid-2021, often targeting healthcare and manufacturing companies, cybersecurity researchers said. Ransomware-as-a-service providers typically advertise their services in hacker forums. Their services lend “a false sense of empowerment, confidentiality, and security to those bad actors wishing to harm but who are otherwise lacking in the expertise to carry out said attack,” said Tara Lemieux, senior associate at Schellman, a security and privacy compliance assessor.
BlackByte’s original ransomware efforts were dealt a blow when cybersecurity researchers from Trustwave released a free decryption tool that allowed companies to recover files encrypted by the BlackByte ransomware. However, the new alert from the FBI and Secret Service suggests that a new version of the ransomware streamlines the encryption process.
While researchers say BlackByte appears to be a small ransomware group, its efforts are still concerning. “The business of ransomware has evolved,” Lemieux told the Washington Examiner. “Previously, businesses would simply pay for the release of its data. Now, hackers will often spend weeks or months on a company’s network undetected to gather sensitive information to use in extortion. What this means is that one ransomware attack can crush a business.”
To mitigate BlackByte ransomware, the FBI and Secret Service recommended that organizations and businesses take several steps, including:
- Frequently back up all their data, with backups stored in password-protected, offline locations.
- Install and regularly update antivirus software.
- Regularly patch software and operating systems.
- Audit user accounts with administrative privileges and give users the lowest privileges they need to do their jobs.
- Warn users about emails received from outside the organization.
- Disable hyperlinks in received emails.
However, in some cases, ransomware attacks are targeted at specific organizations, resulting in weeks of planning by attackers, noted David Nuti, senior vice president of Nord Security’s North American operations.
“A ransomware attack does not occur as a result of an unsuspecting user clicking a link they shouldn’t have, although an action like that may be the action that began a lengthy and sophisticated process,” he told the Washington Examiner. “A successfully launched ransomware attack generally involves weeks or months of a bad actor exploring and infiltrating a business IT environment.”
Nuti recommended that organizations work with security solutions providers that offer comprehensive cybersecurity protections and work to identify technology compromises and sophisticated social hacking.
“Consider all endpoints in a proactive security strategy — offices, devices, application endpoints,” he added. “This includes remote users, especially in the age of bringing your own device.”