BlackByte ransomware returns with new tactics, targets VMware ESXi


The ransomware operators known as BlackByte appear to have shifted tactics, pivoting away from targeting vulnerable devices and focusing instead on flawed VMware ESXi hypervisors.

The group has also started using remote desktop software sanctioned by the victim organization, instead of deploying commercial software themselves, new research from Cisco Talos has claimed.

In a blog post, Talos IR researchers said that while BlackByte “continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception,” it was also recently seen using techniques that “depart” from that tradecraft, namely exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi.

BlackByte and Conti

Talos IR also argues that BlackByte is significantly more active than its data leak site would imply. In fact, the researchers believe only 20-30% of successful attacks end up on the data leak site. They don’t know for certain why BlackByte publishes only a handful of its attacks, but one can speculate that many victims pay the ransom in exchange for keeping the breach private.

BlackByte was first spotted in mid-2021, with researchers believing the group spun out of the defunct Conti ransomware group. For those unaware, Conti was a major ransomware player in the months leading up to the Russian invasion of Ukraine. At the start of the war, Conti publicly expressed its support for the Russian war machine, drawing fury from its affiliates, many of whom were Ukrainian.

Soon after, Conti’s source code, as well as thousands of private messages, were leaked by disgruntled affiliates, which ultimately led to the group’s disbandment. Since the source code leaked, several other groups have stepped in, with BlackByte likely being one of them.

The group is known for using vulnerable drivers to bypass security controls, and for deploying self-propagating ransomware with worm-like capabilities. It has also been observed abusing legitimate, built-in system binaries (living-off-the-land binaries, or LoLBins) and other legitimate commercial tools.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
