BlackByte ransomware using dangerous new data theft tool

Written by Thu 27 Oct 2022

An affiliate of the notorious ransomware-as-a-service operation BlackByte has added a dangerous custom data exfiltration tool, ‘Infostealer.Exbyte’, to its toolkit.

The malware, written in Go for Windows computers, steals data from a victim’s network and uploads it to the Mega cloud service for extortion purposes.

“Following the departure of a number of major ransomware operations such as Conti and Sodinokibi [also known as REvil], BlackByte has emerged as one of the ransomware actors to profit from this gap in the market,” reported Symantec’s Threat Hunter Team.

To date, the BlackByte operation has been used to attack organisations in at least three critical infrastructure sectors, including government, financial, and food and agriculture, within the United States.

“The fact that actors are now creating custom tools to use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats,” the report by Symantec added.

Since appearing in July 2021, BlackByte has rapidly become a major player in the RaaS ecosystem. The group is believed to have attacked the San Francisco 49ers football team earlier this year, holding internal finance data for ransom.

The US government’s Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation went as far as issuing an alert in February 2022 about BlackByte, in recognition of the growing threat it presents.

“Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks,” said a report by the Federal Bureau of Investigation.

It is typical for BlackByte to steal data from victims and then threaten to delete or leak that data if a blackmail payment is not made. This development increases the danger posed by BlackByte and its affiliates: once the Exbyte programme is run, it performs a number of checks to make sure it is not in a sandboxed environment, and if it is, the software stops running, which makes it difficult to find.
