BlackByte Ransomware Group Exploits VMware CVE-2024-37085 Flaw, Shifts Tactics
The BlackByte ransomware group has re-emerged with an unsettling surge in activity and a refined set of tactics, techniques, and procedures (TTPs) that pose a heightened risk to organizations. Cisco Talos Incident Response’s recent report provides a sobering assessment of the group’s evolving capabilities and underlines the urgent need for proactive cybersecurity defenses.
First identified in mid-2021, BlackByte has swiftly established itself as a significant player in the ransomware-as-a-service (RaaS) landscape. The group’s initial attacks were notable for their use of vulnerable drivers to bypass security controls and the deployment of ransomware with worm-like capabilities, enabling the malware to spread autonomously across networks. Over time, BlackByte has reengineered its ransomware codebase, incorporating various programming languages such as Go, .NET, and C++, and continuously refining its attack methods.
Cisco Talos’ latest investigation into BlackByte’s activities uncovered a recent attack that showcases the group’s advanced tradecraft. Despite their data leak site suggesting a limited number of victims, Talos IR found evidence indicating that BlackByte has been far more active than previously believed.
In the attack investigated by Talos IR, BlackByte gained initial access to the victim’s network using valid credentials to infiltrate the organization’s VPN. The precise method by which these credentials were obtained remains uncertain due to gaps in telemetry and evidence loss following the ransomware encryption. However, Talos IR suspects that brute-force authentication attacks facilitated by internet scanning were likely responsible, especially given the compromised account’s weak password and basic naming convention.
BlackByte’s preference for exploiting public-facing vulnerabilities, such as the infamous ProxyShell vulnerability in Microsoft Exchange servers, suggests that their shift towards leveraging VPN interfaces for remote access could either represent an opportunistic approach or a slight adjustment in tactics. Once inside the network, the use of the VPN reduced visibility from the organization’s Endpoint Detection and Response (EDR) systems, further complicating detection.
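The initial-access pattern Talos describes (a burst of failed VPN logins against a weak, predictably named account, followed by a successful one) is something a defender can watch for directly. The script below is an added example, not part of the Talos report or of any vendor's tooling: it runs over constructed VPN authentication log lines in a made-up syslog-style format and raises an alert when a source IP accumulates a threshold of failures inside a sliding window and then authenticates successfully. The log format, field names, threshold and window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (invented format, not real vendor output).
SAMPLE_LOG = """\
2024-07-30T02:14:01Z vpn auth FAIL user=admin src=203.0.113.5
2024-07-30T02:14:03Z vpn auth FAIL user=admin src=203.0.113.5
2024-07-30T02:14:05Z vpn auth FAIL user=admin src=203.0.113.5
2024-07-30T02:14:07Z vpn auth FAIL user=admin src=203.0.113.5
2024-07-30T02:14:09Z vpn auth FAIL user=admin src=203.0.113.5
2024-07-30T02:14:11Z vpn auth OK user=admin src=203.0.113.5
2024-07-30T02:20:00Z vpn auth FAIL user=jdoe src=198.51.100.7
2024-07-30T02:21:00Z vpn auth OK user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP logs >= `threshold` failures within `window` and then succeeds.

    Failures are tracked per source IP in a deque; entries older than the window are
    discarded as each new event arrives, so memory stays bounded on a long stream.
    """
    failures = defaultdict(deque)  # src IP -> timestamps of recent failed logins
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Age out failures that fall outside the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "ts": ev["ts"],
            })
            recent.clear()  # one alert per burst; start counting again afterwards
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['ts']:%Y-%m-%dT%H:%M:%SZ} src={alert['src']} "
              f"user={alert['user']} failures_before_success={alert['failures']}")
```

The 198.51.100.7 login is deliberately left below the threshold to show that a single typo followed by a success does not fire. In a real deployment the threshold and window would be tuned to the VPN's own lockout policy, and the alert would be enriched with whether the account is privileged.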
After gaining a foothold, the attackers escalated their privileges by compromising two Domain Admin-level accounts. One of these accounts was used to access the organization’s VMware vCenter server, where the threat actors created Active Directory domain objects for individual VMware ESXi hypervisors. This maneuver effectively joined the ESXi hosts to the domain, enabling the attackers to exploit CVE-2024-37085—a recently disclosed authentication bypass vulnerability in VMware ESXi.
By leveraging this vulnerability, BlackByte gained control over the victim’s virtual machines (VMs), allowing them to modify host configurations and access critical system logs. Talos IR’s investigation revealed that BlackByte’s exploitation of this vulnerability occurred within days of its public disclosure.
BlackByte’s ransomware binary, identified as “host.exe,” was executed from the “C:\Windows” directory across all affected systems. Consistent with previous reports, the binary required an eight-digit numeric string passed to the “-s” parameter to initiate encryption, a hallmark of BlackByte’s encryption process. The ransomware’s “svc” parameter facilitated its installation as a service, transforming infected systems into additional spreaders through self-propagating worm-like behavior.
Talos IR observed that encrypted files were renamed with a new extension, “blackbytent_h,” which has not been previously documented. This new behavior, combined with the deployment of four vulnerable drivers as part of BlackByte’s Bring Your Own Vulnerable Driver (BYOVD) technique, demonstrates the group’s continuous efforts to evolve their tactics and evade detection.
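The post-compromise behaviour in the paragraphs above yields several host- and directory-level indicators a detection engineer can encode: the creation of Active Directory objects tied to ESXi hosts, a binary named "host.exe" launched from "C:\Windows" with an eight-digit "-s" argument or the "svc" argument, and files renamed to the "blackbytent_h" extension. The script below is an added example, not code from Talos or from any product. It runs over constructed telemetry events in a simplified, invented schema. One detail is taken from the public advisories for CVE-2024-37085 rather than from this article: ESXi hosts joined to a domain granted full administrative rights to members of an AD group named "ESX Admins", so the script treats creation of that group as a high-priority signal and correlates it with computer-object creation by the same actor. Event shapes, field names and rule names are assumptions.

```python
import re

# Constructed endpoint and AD telemetry events (simplified, invented schema).
SAMPLE_EVENTS = [
    {"type": "ad_group_created", "group": "ESX Admins", "actor": "CORP\\da-backup"},
    {"type": "ad_computer_created", "name": "ESXI-01$", "actor": "CORP\\da-backup"},
    {"type": "ad_computer_created", "name": "LAPTOP-77$", "actor": "CORP\\helpdesk"},
    {"type": "process", "image": "C:\\Windows\\host.exe",
     "cmdline": "host.exe -s 12345678", "host": "WS-042"},
    {"type": "process", "image": "C:\\Windows\\host.exe",
     "cmdline": "host.exe svc", "host": "WS-043"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "host": "WS-042"},
    {"type": "file_rename", "src": "D:\\share\\q3.xlsx",
     "dst": "D:\\share\\q3.xlsx.blackbytent_h", "host": "WS-042"},
    {"type": "file_rename", "src": "C:\\tmp\\a.txt",
     "dst": "C:\\tmp\\a.bak", "host": "WS-043"},
]

# "-s" followed by exactly eight digits, as described in the Talos report.
KEY_ARG_RE = re.compile(r"(?:^|\s)-s\s+\d{8}(?:\s|$)")
# Standalone "svc" argument (service installation mode).
SVC_ARG_RE = re.compile(r"(?:^|\s)svc(?:\s|$)")

ESX_ADMINS_GROUP = "esx admins"  # from public CVE-2024-37085 advisories, not from the article


def is_blackbyte_launch(image, cmdline):
    """True when host.exe runs from C:\\Windows with the key or service argument.

    The file name alone is low-fidelity; requiring the path and the argument
    pattern keeps benign binaries that happen to be called host.exe out of the alert.
    """
    if image.lower() != r"c:\windows\host.exe":
        return False
    return bool(KEY_ARG_RE.search(cmdline) or SVC_ARG_RE.search(cmdline))


def detect(events):
    """Return (rule, subject) tuples for events matching the indicators above."""
    # First pass: who created an "ESX Admins" group? Used to correlate computer objects.
    group_creators = {
        ev["actor"] for ev in events
        if ev["type"] == "ad_group_created" and ev["group"].lower() == ESX_ADMINS_GROUP
    }
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "ad_group_created" and ev["group"].lower() == ESX_ADMINS_GROUP:
            alerts.append(("esx_admins_group_created", ev["actor"]))
        elif kind == "ad_computer_created" and ev["actor"] in group_creators:
            alerts.append(("computer_object_by_esx_admins_creator", ev["name"]))
        elif kind == "process" and is_blackbyte_launch(ev["image"], ev["cmdline"]):
            alerts.append(("blackbyte_binary_launch", ev["host"]))
        elif kind == "file_rename" and ev["dst"].lower().endswith(".blackbytent_h"):
            alerts.append(("blackbyte_extension_rename", ev["host"]))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

The computer-object rule only fires for actors who also created the "ESX Admins" group, so the helpdesk's ordinary laptop join produces nothing; in practice the same correlation would be applied to membership additions to that group, and the ESXi side should be hardened by disabling the default group-based admin grant as the vendor advisory describes.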