In the previous three months, the BlackByte ransomware group has infiltrated the networks of at least three firms in US critical infrastructure sectors, according to the FBI. This was revealed in a joint cybersecurity advisory (marked TLP:WHITE) issued by the FBI and the US Secret Service on Friday.
According to the federal law enforcement agency, BlackByte ransomware had infected multiple US and foreign businesses as of November 2021, including entities in at least three US critical infrastructure sectors: government facilities, financial institutions, and food and agriculture. BlackByte is a ransomware-as-a-service (RaaS) group that encrypts files on infected Windows host systems, including physical and virtual servers.
The advisory focuses on giving businesses indicators of compromise (IOCs) that they can use to detect and defend against BlackByte’s attacks.
Among the IOCs connected with BlackByte activity listed in the advisory are MD5 hashes of suspicious ASPX files identified on compromised Microsoft Internet Information Services (IIS) servers, as well as a list of commands used by the ransomware operators during attacks.
The 49ers ransomware attack
In related news, the San Francisco 49ers of the National Football League reported over the weekend that they are recovering from a BlackByte ransomware attack. The threat actors claimed responsibility, saying that they took data from the football organization’s servers, and posted around 300MB of files on their data leak blog.
In a statement to Bleeping Computer, the 49ers confirmed the ransomware attack and stated that it only caused a temporary disruption to parts of their IT network. The BlackByte ransomware campaign has been operating since at least July 2021, when it began targeting corporate victims around the world.
This gang is notorious for exploiting software vulnerabilities (particularly in Microsoft Exchange Server) to gain initial access to its enterprise targets’ networks, demonstrating that keeping your servers up to date will almost certainly prevent them from attacking you through that route.
After the ransomware gang reused the same encryption/decryption key across many attacks, cybersecurity firm Trustwave produced and released a free BlackByte decryptor in October, allowing some victims to restore their files at no cost.
The organizations also released a list of steps that administrators can take to protect themselves from BlackByte attacks:
- Make regular backups of all data, stored offline as air-gapped, password-protected copies. Ensure that these copies cannot be modified or deleted from any system where the original data is stored.
- Implement network segmentation so that not every machine on your network can communicate with every other machine.
- Install and update antivirus software on all hosts on a regular basis, and turn on real-time detection.
- As soon as updates/patches are available, install them on your operating system, applications, and firmware.
- Look for new or unknown user accounts on domain controllers, servers, workstations, and in Active Directory.
- Audit user accounts with administrator privileges, and configure access controls with least privilege in mind. Do not grant administrative privileges to all users.
- Disable any unneeded remote access/Remote Desktop Protocol (RDP) ports, and keep an eye on the logs for any strange activity.
- Consider including an email banner in emails you receive from people outside your company.
- Turn off hyperlinks in emails you’ve received.
- When logging into accounts or services, use two-factor authentication.
- Ensure that all accounts are audited on a regular basis.
- Ensure that all identified IOCs are entered into the network SIEM for ongoing monitoring and alerting.
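As an added example (not code from the advisory or from this article), the following Python sweep hashes every `.aspx` file under an IIS web root and reports any whose MD5 matches a supplied IOC list, the kind of file-hash check the advisory's IIS-webshell IOCs are meant for. The hash set and the sample web root are constructed placeholders; the real MD5s come from the FBI/USSS advisory.

```python
"""Sweep an IIS web root for .aspx files whose MD5 matches a known-bad IOC list.

Added example. Replace PLACEHOLDER_IOC_HASHES with the MD5 values published
in the advisory; the values here are constructed for demonstration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder IOC set (constructed): populate from the advisory in real use.
PLACEHOLDER_IOC_HASHES = set()


def md5_of_file(path: Path) -> str:
    """Return the hex MD5 of a file, read in chunks so large files are safe."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_webroot(webroot, ioc_hashes, extensions=(".aspx",)):
    """Walk webroot recursively; return [(path, md5)] for files matching an IOC hash.

    Only files with one of the given extensions are hashed, mirroring the
    advisory's focus on ASPX files dropped on compromised IIS servers.
    """
    hits = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            p = Path(root) / name
            if p.suffix.lower() not in extensions:
                continue
            digest = md5_of_file(p)
            if digest in ioc_hashes:
                hits.append((str(p), digest))
    return hits


def demo():
    """Build a constructed web root in a temp dir and run the sweep against it.

    Returns (hits, expected_hits) so a caller can verify the result.
    """
    webroot = Path(tempfile.mkdtemp(prefix="iis_demo_"))
    (webroot / "uploads").mkdir()
    bad = webroot / "uploads" / "cmd.aspx"          # constructed suspicious file
    bad.write_bytes(b"<%-- constructed sample, not a real webshell --%>")
    (webroot / "index.aspx").write_bytes(b"<html>benign page</html>")
    (webroot / "notes.txt").write_bytes(bad.read_bytes())  # same bytes, wrong extension
    iocs = PLACEHOLDER_IOC_HASHES | {md5_of_file(bad)}
    return sweep_webroot(webroot, iocs), [(str(bad), md5_of_file(bad))]


if __name__ == "__main__":
    for path, digest in demo()[0]:
        print(f"IOC match: {path} md5={digest}")
```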