BlackByte is a ransomware-as-a-service (RaaS) operation that leases out its ransomware infrastructure to others in return for a percentage of the ransom proceeds. The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide. While BlackByte had some initial success—security researchers tracked attacks against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia—the gang hit a rough patch months later when cybersecurity firm Trustwave released a free decryption tool that allowed BlackByte victims to recover their files for free. The group’s simplistic encryption techniques led some to believe that the ransomware was the work of amateurs; the ransomware downloaded and executed the same key to encrypt files in AES, rather than unique keys for each session.
Despite this setback, it appears the BlackByte operation is back with a vengeance. In an alert posted in mid-February, the FBI and the Secret Service (USSS) warned that the ransomware gang had compromised multiple U.S. and foreign businesses, including “at least” three attacks against U.S. critical infrastructure, notably government facilities, financial services, the food industry, and agriculture.
The advisory, which provides indicators of compromise to help network defenders identify BlackByte intrusions, was released just days before the ransomware gang claimed to have encrypted the network belonging to the San Francisco 49ers. BlackByte disclosed the attack the day before the Super Bowl by leaking a few files it claims to have been stolen.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, says that while BlackByte isn’t the most active RaaS operation, it’s been steadily racking up victims over the past few months. However, he adds that because of recent action by the U.S. government against ransomware actors, the gang might take a cautious approach.
“The FBI and Secret Service advisory states that BlackByte has been deployed in attacks on at least three U.S. critical infrastructure sectors, including government. Interestingly, no such organizations are listed on the gang’s leak site, which could indicate that those organizations paid, that no data was exfiltrated or that BlackByte chose not to release the exfiltrated data,” he said. “That final option is not unlikely: since the arrests of members of REvil, the gangs seem to have become more cautious about releasing data, and especially with U.S. organizations.”
Callow said that while all signs suggest BlackByte is based in Russia, since the ransomware, like REvil, is coded not to encrypt the data of systems that use Russian or Commonwealth of Independent States (CIS) languages. That “shouldn’t be taken to mean the attack was carried out by individuals based in Russia or the CIS.”
“Affiliates may not be located in the same county as the individuals who run the RaaS,” he added. “They could be based anywhere—including the U.S.”