dark reading threat intel and cybersecurity news

The FBI and US Secret Service today released a joint cybersecurity advisory on pervasive ransomware-as-a-service group BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors — government facilities, financial, and food and agriculture — as well as others outside the US.

BlackByte is known for encrypting victim files on Windows systems and virtual machines, and according to the FBI and USSS, the attackers exploited “a known Microsoft Exchange Server” vulnerability in some victim systems. 

“In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur,” according to the advisory, which includes specific mitigation methods for the ransomware. “A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32 and C:\Windows. Process injection has been observed on processes it creates.”
