Chris Swagler | February 15th, 2022

The United States Federal Bureau of Investigation (FBI) confirmed that the BlackByte ransomware group breached the networks of at least three organizations in United States critical infrastructure sectors. BlackByte is a Ransomware-as-a-Service (RaaS) group that encrypts files on compromised Windows hosts, including physical and virtual servers. The attacks were confirmed in a TLP:WHITE (Traffic Light Protocol) joint cybersecurity advisory coordinated with the United States Secret Service. The federal law enforcement agencies explained that the BlackByte ransomware group compromised businesses in at least three critical infrastructure sectors (government facilities, financial, and food & agriculture).

The joint advisory provided organizations with indicators of compromise (IOCs) to help them detect and defend against BlackByte’s attacks. The IOCs associated with BlackByte activities include MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands used by ransomware operators during attacks.
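The advisory's ASPX-file IOCs are meant to be matched against what is actually on an IIS server, so the following added example (not code from the advisory, the FBI, or SpearTip) shows a minimal hunt: it walks one or more IIS web roots, computes the MD5 of every `.aspx` file, and reports matches against an IOC set. The two hashes in `ADVISORY_ASPX_MD5` are constructed placeholders to be replaced with the advisory's published values, `C:\inetpub\wwwroot` is only the default IIS content path, and `demo()` builds a throwaway web root in a temp directory so the script runs offline.

```python
"""Hunt IIS web roots for ASPX files whose MD5 matches an advisory IOC list."""
import hashlib
import tempfile
from pathlib import Path

# Placeholder hashes (constructed, not the advisory's real values): replace with
# the MD5 IOCs published in the FBI/USSS joint advisory.
ADVISORY_ASPX_MD5 = {
    "00000000000000000000000000000001",
    "00000000000000000000000000000002",
}

# Default IIS content location on a Windows host (assumption; adjust per server,
# and add every site's physical path from the IIS configuration).
DEFAULT_WEB_ROOTS = [r"C:\inetpub\wwwroot"]


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory buffer (used for tests and small files)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    """MD5 hex digest of a file, read in 64 KiB chunks so large files are safe."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_aspx(web_roots, known_hashes):
    """Walk each web root, hash every .aspx file and return (path, md5) matches.

    Non-matching files are skipped here; inventory() lists everything so an
    analyst can triage pages whose hash is not yet on any IOC list."""
    hits = []
    for root in map(Path, web_roots):
        if not root.is_dir():
            continue
        for p in root.rglob("*.aspx"):
            if p.is_file():
                digest = md5_of_file(p)
                if digest in known_hashes:
                    hits.append((str(p), digest))
    return hits


def inventory(web_roots):
    """Every .aspx file with its MD5 and mtime, newest first: recently dropped
    pages stand out even before a hash for them has been published."""
    rows = []
    for root in map(Path, web_roots):
        if root.is_dir():
            for p in root.rglob("*.aspx"):
                if p.is_file():
                    rows.append((str(p), md5_of_file(p), p.stat().st_mtime))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def demo():
    """Self-contained run against a constructed web root in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "app").mkdir(parents=True)
        (root / "app" / "Default.aspx").write_bytes(
            b'<%@ Page Language="C#" %>\n<html>hello</html>\n'
        )
        # Constructed stand-in for a malicious page: opaque bytes, not webshell code.
        dropped = root / "app" / "cmd.aspx"
        dropped.write_bytes(b"CONSTRUCTED-SUSPICIOUS-ASPX-SAMPLE\n")
        # Union the placeholder IOCs with the sample's own hash so the demo matches.
        iocs = set(ADVISORY_ASPX_MD5) | {md5_of_file(dropped)}
        return hunt_aspx([root], iocs)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"IOC match: {path} md5={digest}")
```

In production, call `hunt_aspx(DEFAULT_WEB_ROOTS, ADVISORY_ASPX_MD5)` after filling in the real hashes, and review `inventory()` output as well: a hash list only catches samples already seen, so a freshly modified page in a web root that should be static deserves a look regardless of its digest.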

Furthermore, the NFL’s San Francisco 49ers franchise is recovering from a BlackByte ransomware attack over Super Bowl weekend. The threat actors claim responsibility for the attack and for stealing data from the organization’s servers. BlackByte has so far leaked almost 300 MB of files on its data leak blog. The ransomware attack on the 49ers caused only a temporary disruption to a portion of the organization’s IT network.

Since July 2021, the BlackByte ransomware operation has been actively targeting corporate victims worldwide and is known for gaining initial access to its enterprise targets’ networks by exploiting software vulnerabilities, including in Microsoft Exchange Server. This illustrates that companies need to keep their servers patched and up to date to block such attacks.

A cybersecurity company developed and released a BlackByte decryptor allowing victims to restore their files for free after the ransomware group reused the same encryption/decryption key across multiple attacks. The two agencies also shared a list of measures to help admins mitigate BlackByte attacks and other ransomware variants.

With the most recent warning and joint cybersecurity advisory from the FBI, Secret Service, and a number of other global security agencies regarding ransomware targeting organizations in the critical infrastructure sectors, it’s important for companies to stay ahead of the current threat landscape and keep their servers and security networks updated to prevent potential ransomware threats. At SpearTip, our certified engineers specialize in handling breaches with one of the fastest response times in the industry. Our Security Operations Centers work 24/7/365 in an investigative cycle, monitoring networks for any threats and ready to respond to incidents at a moment’s notice. Our ShadowSpear Platform is designed to integrate with the most complex networks and works with IT and OT technology to protect environments from devastating compromises.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.