BlackByte Ransomware

Chris Swagler | February 15th, 2022
The United States Federal Bureau of Investigation (FBI) confirmed that the BlackByte ransomware group breached at least three organizations’ networks from United States critical infrastructure sectors. BlackByte is a Ransomware-as-a-Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers. Confirmation of the attacks was disclosed in a TLP:WHITE (Traffic Light Protocol) joint cybersecurity advisory coordinated with the United States Secret Service. The federal law enforcement agencies explained that the BlackByte ransomware group compromised businesses from at least three critical infrastructure sectors (government facilities, financial, and food & agriculture).

BlackByte Ransomware Breached US Critical Infrastructure

The joint advisory provided organizations with indicators of compromise (IOCs) to help them detect and defend against BlackByte’s attacks. The IOCs associated with BlackByte activities include MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands used by ransomware operators during attacks.

Furthermore, the NFL’s San Francisco 49ers franchise is recovering from a BlackByte ransomware attack over Super Bowl weekend. The threat actors are claiming responsibility for the attack and for stealing data from the organization’s servers. BlackByte ransomware has thus far leaked almost 300 MB of files on its data leak blog. The ransomware attack on the 49ers only caused a temporary disruption to a portion of the organization’s IT network.

Since July 2021, the BlackByte ransomware operation has been actively targeting corporate victims worldwide and is known for gaining initial access to its enterprise targets’ networks by exploiting software vulnerabilities, including those in Microsoft Exchange Server. This illustrates that companies need to keep their servers updated to block any potential attack.

A cybersecurity company developed and released a BlackByte decryptor allowing victims to restore their files for free after the ransomware group used the same encryption/decryption key in multiple attacks. The two agencies also shared a list of measures to help admins mitigate BlackByte ransomware attacks and other ransomware variants.

  • Implement regular backups of all data, stored offline as air-gapped, password-protected copies. Ensure the copies can’t be accessed for modification or deletion from any system where the original data is stored.
  • Implement network segmentation so that no machine on the company’s network can access every other machine.
  • Install and regularly update antivirus software on all hosts, allowing real-time detection.
  • Install updates/patches for operating systems, software, and firmware as soon as they are available.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double (two-factor) authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
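As an added example (not code from the advisory, SpearTip, or this post), the following Python script shows one way to act on the IOC list described above: it hashes ASPX files under an IIS web root, compares them against a set of MD5 indicators, and also flags recently modified ASPX files for review. The web root, file contents and the single IOC hash (the MD5 of the bytes "abc") are constructed placeholders, not the advisory’s real indicators.

```python
"""Review cue generator for IIS web roots: MD5 IOC matches and recent ASPX files."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed placeholder: MD5 of b"abc". Replace with the advisory's MD5 list.
IOC_MD5 = {"900150983cd24fb0d6963f7d28e17f72"}
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def md5_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root: Path, ioc_md5: set, recent_days: int = 7) -> dict:
    """Map file name -> reason for every ASPX-like file that matches an IOC hash
    or was modified within recent_days. These are cues for analyst review."""
    hits = {}
    cutoff = time.time() - recent_days * 86400
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        digest = md5_of(path)
        if digest in ioc_md5:
            hits[path.name] = f"md5 matches IOC {digest}"
        elif path.stat().st_mtime >= cutoff:
            hits[path.name] = f"modified within {recent_days} days"
    return hits


def demo() -> dict:
    """Build a constructed web root in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    old = time.time() - 60 * 86400  # 60 days ago: outside the recent window
    (root / "default.aspx").write_bytes(b"<%@ Page %> benign page")
    os.utime(root / "default.aspx", (old, old))  # old and unknown hash: no hit
    (root / "ioc.aspx").write_bytes(b"abc")  # hash matches the placeholder IOC
    os.utime(root / "ioc.aspx", (old, old))
    (root / "aspnet_client").mkdir()
    (root / "aspnet_client" / "recent.aspx").write_bytes(b"new file")  # fresh mtime
    return scan_webroot(root, IOC_MD5)
```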

With the most recent warning and joint cybersecurity advisory from the FBI, Secret Service, and a number of other global security agencies regarding ransomware targeting organizations in the critical infrastructure sectors, it’s important for companies to stay ahead of the current threat landscape and keep their servers and security networks updated to prevent potential ransomware threats. At SpearTip, our certified engineers specialize in handling breaches with one of the fastest response times in the industry. Our Security Operations Centers are working 24/7/365 in an investigative cycle, monitoring networks for any threats and ready to respond to incidents at a moment’s notice. Our ShadowSpear Platform is designed to integrate with the most complex networks and works with IT and OT technology to protect the environments from devastating compromises.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
