BlackByte is Back and Acting a Lot Like LockBit

Like many ransomware strains, BlackByte has reemerged after a brief hiatus—and in its second iteration has already taken to hacker forums to push a new Tor data leak site that taps some familiar LockBit 3.0 techniques.

The site offers some “sweet deals” for victims (currently there’s only a single victim featured on the site)—organizations can pay $5,000 to extend the deadline for publishing stolen data by 24 hours. There are also pricier options for destroying the data ($300,000) or downloading it for a cool $200,000.

“It is a competitive market for ransomware groups. LockBit is one of the most prolific and active ransomware groups globally. It is not surprising that BlackByte is taking a page out of LockBit’s book by not only announcing a version two of their ransomware operation, but also adopting the pay-to-delay, download or destroy extortion model,” said Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. “It is realistically possible that BlackByte is trying to gain a competitive advantage or even trying to gain media attention in an attempt to recruit and grow operations.”

While “the double extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams,” she said. “It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted.”

Those willing to pony up under BlackByte 2.0, as its operators call it, might end up frustrated, though—and the gang itself won’t see riches from its labor because, to date, it has failed to properly embed payment addresses from the likes of Bitcoin and Monero so customers can’t take advantage of these options.

“The first rule of a ransomware gang is: If you aim to receive ransom, provide your wallet,” security firm KELA tweeted. “Doesn’t look like new #BlackByte is going to receive any payments…”

“The pay-to-delay publishing of data model is an interesting business innovation. It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom, but want to hedge for a day or two as they investigate the extent of the breach,” said Vectra CTO Oliver Tavakoli.

But “customers” should beware of such “deals,” even if the payment process is fixed. “I don’t believe for one minute that this group will delete data and not provide it to another criminal group if they are paid enough,” said John Bambenek, principal threat hunter at Netenrich. “It may entice those playing around the darker corners of corporate espionage, but they are floating a trial balloon and we’ll see what bites.”

Noting that “ransomware actors have played around with a variety of models to maximize their revenue,” Bambenek said, “This almost looks like an experiment to see if they can get smaller amounts of money.”

Additionally, he questioned why anyone would pay them anything unless it was for destroying all the data; though, he pointed out, “Attackers, like in any industry, are experimenting with business models all the time.”

The ransomware gang has built quite a reputation since its emergence in 2021, using the ProxyShell attack chain to breach Microsoft Exchange servers, and after a well-publicized attack on the San Francisco 49ers the ransomware made its way onto the radar of the FBI and the Secret Service, which warned about attacks on critical infrastructure earlier this year.

“As of November 2021, BlackByte ransomware had compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government facilities, financial and food & agriculture),” they wrote in a joint advisory.

It’s also not the first time BlackByte has been hamstrung by a shortcoming. A 2021 vulnerability in the ransomware made it possible for victims to create a decryptor—but the operators have since fixed it.

“BlackByte has made some mistakes, such as their error with accepting payments in the new site, which makes me think they may be a little lower on the skill level than others,” said Bambenek. “But, open source reporting says they are still compromising big targets, including those in critical infrastructure. The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue like we saw with Colonial Pipeline.”

The group’s reemergence and their modus operandi are indicative of the direction ransomware as a business is taking. “This is a landscape filled with different brands and short-lived alliances. We should view BlackByte less as an individual static actor and more as a brand which can have a new marketing campaign tied to it at any time,” said Tavakoli.

“Ransomware extortion campaigns have become increasingly more creative and damaging. I wouldn’t be surprised if later this year cybercriminals start offering credit services to victims, so the latter can pay ransom in installments; somewhat usurping the role of banks in cyberspace,” said Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network.

Kolochenko questioned the conventional wisdom that advises victims not to pay up. “Despite the fact that many law enforcement agencies are publicly recommending not to pay the ransom, under a narrow set of circumstances it can be the least costly way to minimize the damage of a data breach—subject to rigorous analysis and considerations,” he said.

But victims shouldn’t just pay willy-nilly. “First, an external law firm should carefully assess the legality of payment, for instance, so as not to violate U.S. sanctions when paying in cryptocurrencies as expressly warned by the OFAC,” said Kolochenko. “Second, victims should always bear in mind that payment cannot and does not guarantee that the data will be securely deleted or returned: Copies or backups may have already been shared with third parties unbeknownst to the victim.”

Finally, he noted, “Aftershock attacks are a relatively new phenomenon to consider: Once a wealthy victim pays a ransom, other smaller threat actors immediately try to break in while the vulnerabilities are not yet patched; they’re motivated by the victim’s willingness to pay. In sum, payment of a ransom is a slippery slope that requires meticulous scrutiny both by legal and technical professionals.”