Chris Swagler | August 22nd, 2022

After disappearing for a while, the BlackByte ransomware group returned with a new data leak website and new extortion techniques they borrowed from LockBit. On dark web forums and through social media accounts the group controls, the BlackByte ransomware operation is promoting its updated features.

The threat actors are calling their new operation “BlackByte version 2.0,” and it is unclear whether the group has changed its ransomware encryptor. However, the group has launched a new Tor data leak website that already lists one victim. The ransomware group is also employing new extortion tactics: paying to delay the publication of stolen data by 24 hours costs $5,000, downloading the data costs $200,000, and having all of the data destroyed costs $300,000. The prices will likely vary with the size and revenue of the victim.

According to a cybersecurity intelligence company, the features of BlackByte’s new data leak website are currently broken, as the Bitcoin and Monero addresses that customers would use to purchase or delete the data are not correctly embedded. BlackByte’s new extortion techniques allow victims to pay to have their data removed and allow other threat actors to buy the data if they wish. The same extortion techniques were first introduced by LockBit with the release of its 3.0 version and are considered more “gimmicks” than viable extortion techniques.

The BlackByte ransomware group launched its operation in the summer of 2021, when the threat operators began breaching corporate networks to steal data and encrypt devices. The group’s highest-profile attack was against the National Football League’s San Francisco 49ers. Beyond that, a joint advisory from the Federal Bureau of Investigation (FBI) and the Secret Service explains that the group is responsible for attacks on three United States critical infrastructure sectors: government facilities, financial, and food & agriculture.

Additionally, the agencies issued a warning earlier this year that BlackByte had compromised numerous US-based and foreign companies. The group’s threat actors are known for breaching networks by exploiting vulnerabilities and have previously compromised Microsoft Exchange servers using the ProxyShell attack chain. A flaw in their operation was discovered in 2021 that allowed the creation of a free BlackByte decryptor; however, the group’s threat actors found the weakness and fixed the flaw.

With ransomware groups re-emerging to deploy new extortion techniques, it is more important than ever for high-profile U.S. and global companies to remain vigilant about the current threat landscape and to regularly update their data network security infrastructure. At SpearTip, our certified engineers are continuously working at our 24x7x365 Security Operations Center, monitoring companies’ data networks for potential ransomware threats like BlackByte.

Our engineers work with partners’ teams to investigate the nature of the breach, analyze the data thoroughly, and execute a recovery plan to help return their businesses to their normal operations. Our pre-breach advisory services allow our engineers to examine companies’ security posture to improve the weak points in their networks. We will provide technical roadmaps to ensure companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.