The FBI and US Secret Service have released a joint advisory today, warning about the BlackByte ransomware group.
Stating that the BlackByte has compromised several US businesses in critical sectors, the advisory contains MD5 hashes, IOCs, and tips for system admins on detecting and preventing BlackByte ransomware attacks.
Warning Against BlackByte Ransomware
Being active since July last year, the BlackByte gang works on the Ransomware-as-a-service model. We’ve seen most of its victims are corporates and are compromised through various means, Including the exploitations against Microsoft Exchange Servers.
The gang’s malware can encrypt both the physical and virtual systems and has the NFL’s San Francisco 49ers team as its latest victim. The sports team announced being hit by a ransomware attack late last week, causing some disruption in services.
While it’s now recovering, BlackByte, the ransomware group behind this incident, has leaked 300MB worth of stolen data from 49ers on its data leak blog. As it’s now a growing concern, the FBI and the US Secret Service have shared a TLP: WHITE this week. In the advisory, the combined teams wrote;
“As of November 2021, BlackByte ransomware had compromised multiple the US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).”
The advisory contains IOCs of BlackByte activity, MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services servers, and a bunch of commands used by the ransomware actor. Also, the below tips system admins can follow to mitigate BlackByte attacks;
- Implement regular backups of all data stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation, such that all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus software on all hosts, and enable real-time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use double authentication when logging into accounts or services.
- Ensure routine auditing is conducted for all accounts.
- Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
