The FBI and Secret Service have seen signs of BlackByte ransomware attacking at least three critical infrastructure sectors in the U.S.
BlackByte Ransomware
BlackByte is a type of ransomware-as-a-service (RaaS) where the creators lease its malware to others in exchange for a percentage of the ransom. The malware was first seen in 2021 when it targeted corporations around the world via software vulnerabilities. The main industries were healthcare, manufacturing, and construction in Australia, Europe, and the U.S. Security firm Trustwave eventually created and released a free decryption tool for victims of BlackByte.
Now, the group appears to be back. They have attacked government facilities, agriculture networks, and financial companies. The alert shares indicators of compromise (IOCs) for administrators to look for within their systems.
Earlier in February, the FBI had also issued a report warning of LockBit 2.0 ransomware. LockBit 2.0 and BlackByte share similar characteristics: both are examples of RaaS, and both avoid systems whose system and user default language is an Eastern European one. If such a language is detected, the malware exits without infecting the machine.
Companies and government agencies can reduce the risk of compromise against ransomware by following security best practices:
- Use strong, unique passwords
- Require multi-factor authentication
- Keep operating systems and software up to date
- Remove unnecessary access to administrative network shares
- Use a host-based firewall
- Enable protected files on Windows computers
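The following PowerShell script is an added example (not part of the alert or of any vendor tooling) that audits a Windows host against three of the items above: exposed administrative shares, the host-based firewall, and protected files. It assumes that "protected files" refers to Microsoft Defender's Controlled Folder Access, and that it runs in an elevated session on a system with the SmbShare, NetSecurity and Defender modules available.

```powershell
# Added example: audit a Windows host against three hardening items from the alert.
# Assumption: "protected files" means Defender Controlled Folder Access.
# Run from an elevated PowerShell session.

$findings = @()

# 1. Administrative shares (C$, ADMIN$, ...) still exposed?
#    IPC$ is excluded because removing it breaks normal SMB operation.
$adminShares = Get-SmbShare | Where-Object { $_.Special -eq $true -and $_.Name -ne 'IPC$' }
foreach ($share in $adminShares) {
    $findings += "Administrative share still present: $($share.Name) -> $($share.Path)"
}

# 2. Host-based firewall enabled on every profile (Domain, Private, Public)?
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        $findings += "Windows Firewall not enabled for profile: $($profile.Name)"
    }
}

# 3. Controlled Folder Access turned on? (0 = disabled, 1 = enabled, 2 = audit mode)
$cfa = (Get-MpPreference).EnableControlledFolderAccess
if ($cfa -ne 1) {
    $findings += "Controlled Folder Access not enforcing (EnableControlledFolderAccess=$cfa)"
}

# Report the result.
if ($findings.Count -eq 0) {
    Write-Output "No findings: admin shares removed, firewall on, Controlled Folder Access enabled."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Audit mode (value 2) is reported as a finding on purpose: it logs blocked writes but does not stop ransomware from encrypting the protected folders.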
As always, the FBI recommends not paying a ransom, since payment does not guarantee that files will be recovered. Paying also encourages the creation and use of more ransomware, because these groups learn that they will get paid. Victims can report ransomware incidents to their local FBI field office and/or file a complaint at www.ic3.gov.