A new family of ransomware dubbed BlackByte has all the hallmarks of a first-development attempt by amateur malware developers, making significant mistakes — such as obfuscating code in a way that is easily bypassed and using the same encryption key for every victim.
The malware has some similarities to other ransomware linked to Russia, such as avoiding Russian-language systems in the same way as REvil and using network exploitation to spread inside networks in the same way as Ryuk, according to researchers at Trustwave, who published their analysis this week of the variant.
The researchers, who encountered the malicious program when responding to a security incident, also found the program uses a symmetric encryption key that is downloaded from a public server. That allowed them to create a decryption utility to help victims recover their data.
Those poor design choices suggest that the ransomware is not a variant of a previous ransomware family and that the developers are relatively inexperienced in designing ransomware, says Karl Sigler, senior security research manager at Trustwave.
“It looks like they wrote this from scratch,” he says. “But it’s clumsy. It’s very clumsy.”
Ransomware continues to be a popular cybercriminal enterprise in 2021. The number of ransomware attacks in the first half of the year rose 150% to almost 305 million, according to SonicWall’s “Cyber Threat Report: Mid-Year Update.” While the volume of ransomware attacks falls well short of the 2.5 trillion intrusion attempts and the 2.5 billion malware attacks, it does represent the third largest category of security events in the SonicWall report.
Government organizations are being particularly targeted, with 10 times more ransomware attacks hitting government networks than corporate networks. Ryuk, Cerber, and SamSam were the top three malware families, with 197 million — or almost two-thirds — of encountered ransomware belonging to one of those three families.
“[E]ven if we don’t record a single ransomware attempt in the entire second half, which is irrationally optimistic, 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” the company states in its report.
The growth in ransomware attacks may have convinced the developers behind BlackByte to create their own malware framework, Trustwave’s Sigler says.
A BlackByte attack starts with an obfuscated launcher installed on a compromised system. The malware uses standard obfuscation techniques — basically stuffing the file with a lot of unused garbage code, changing variable names, and scrambling the code — in an attempt to make reverse engineering the program more difficult, according to the company’s analysis.
Yet the Trustwave researchers found that uncovering the code was pretty straightforward, if time-consuming.
The malware checks to see whether the infected system is running Raccine, an open source project that attempts to protect against ransomware; if so, it stops the program and removes it from the system. BlackByte also uses a variety of system commands to delete any on-systems backups — also known as “shadow copies” — to ensure that data cannot be retrieved once encrypted.
The self-propagation capability of the malware, which also makes the program a worm, will query 1,000 host names from the Active Directory, send a wake-on-LAN packet, and then attempt to infect any accessible machines. While rudimentary, the worm functionality could lead to significant spread within an enterprise, Sigler says.
“It seems to be effective — there were several machines affected in the engagement we were involved in,” he says. “It can rapidly spread pretty rapidly.”
While the malware will halt before compromising Russian-language systems, Sigler avoided linking the attack to Russia.
“[That feature] seems to be a common earmark of Russia cybercriminals, but we have not directly attributed the attack,” he says. “It could be that other actors are copying that methodology.”
The seemingly original code and the number of mistakes suggest that a new ransomware gang may be developing their own tools to infect systems rather than using new code created by one of the established groups, Sigler says.
“We are just speculating because we don’t have any specific idea of who the actors are behind it,” he says. “Given how clumsy the code is on the ransomware, I don’t think it is coming from any of the experienced groups that we have seen in the past.”
Research into the new malware appears to have spooked the group to some extent. The BlackByte group appears to be laying low, with the downloadable key no longer available. Thus, the program can no longer run its encryption function.