BlackByte ransomware returns with new tactics, targets VMware ESXi


The ransomware operators known as BlackByte appear to have shifted tactics, pivoting away from targeting vulnerable devices and focusing instead on flawed VMware ESXi hypervisors.

The group has also started using remote desktop software sanctioned by the victim organization, instead of deploying commercial software themselves, new research from Cisco Talos has claimed.

In a blog post, Talos IR researchers said that while BlackByte “continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception,” it was also recently seen using techniques that “depart” from that. Namely, the group was observed taking advantage of CVE-2024-37085, an authentication bypass vulnerability found in VMware ESXi.

BlackByte and Conti

Talos IR also argues that BlackByte is significantly more active than its data leak site would imply. In fact, the researchers believe only 20-30% of successful attacks end up on the data leak site. They don’t know for certain why BlackByte publishes only a handful of its activities, but we can speculate that many victims end up paying the ransom, if that means keeping the breach private.

BlackByte was first spotted in mid-2021, with researchers believing the group spun out of the defunct Conti ransomware group. For those unaware, Conti was a major ransomware player in the months leading up to the Russian invasion of Ukraine. At the start of the war, Conti publicly expressed its support for the Russian war machine, drawing fury from its affiliates, many of whom were Ukrainian.

Soon after, Conti’s source code, as well as thousands of private messages, was leaked by disgruntled affiliates, which ultimately led to the group’s disbandment. Since the source code leaked, various other groups have stepped in, with BlackByte likely being one of them.

This group is known for using vulnerable drivers to bypass security controls, and for deploying self-propagating ransomware with worm-like capabilities. It was also observed using living-off-the-land binaries (LOLBins), legitimate system binaries already present on the host, as well as other legitimate commercial tools.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.