BlackByte Ransomware Exploits VMware ESXi Vulnerability in New Attack Wave
The BlackByte ransomware group has recently been identified as exploiting a vulnerability in VMware ESXi hypervisors, signaling a shift in their attack strategy. This group is notorious for using various vulnerable drivers to disable security protections, making their attacks more effective and difficult to detect.
A Brief History of BlackByte Ransomware
BlackByte first emerged in late 2021 as a prominent ransomware-as-a-service (RaaS) group. It is believed to be a splinter group that formed following the dissolution of the infamous Conti ransomware gang. BlackByte quickly gained notoriety by exploiting known vulnerabilities, such as ProxyShell in Microsoft Exchange Server, to gain initial access to target systems. Notably, the group tends to avoid systems that use Russian or Eastern European languages, likely due to connections in those regions.
Similar to other RaaS groups, BlackByte employs a double extortion tactic. This involves not only encrypting the victim’s data but also threatening to release the stolen data publicly if the ransom is not paid. The group maintains a data leak site on the dark web where they post stolen information to pressure victims into complying with their demands. Over time, multiple variants of the ransomware, written in C, .NET, and Go, have been identified.
Exploiting the VMware ESXi Flaw
The recent attack wave by BlackByte is characterized by the exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi. This vulnerability allows attackers to gain unauthorized access to VMware environments, making it a critical security concern.
Cisco Talos, a leading cybersecurity research group, reported that BlackByte is leveraging this vulnerability to pivot from traditional attack methods. The group’s tactics have evolved to include the use of vulnerable drivers, a technique known as Bring Your Own Vulnerable Driver (BYOVD). This allows them to disable security software and execute their ransomware without interference.
In their latest attacks, BlackByte has also used a custom tool called ExByte for data exfiltration, which is deployed before the encryption process begins. This tool enables the group to steal sensitive data and use it for extortion, further increasing the pressure on victims to pay the ransom.
How BlackByte Operates
Cisco Talos investigated a recent attack by BlackByte, revealing that the attackers likely gained access to the victim’s network using valid credentials obtained through a brute-force attack. Once inside the network, the attackers escalated their privileges and accessed the VMware vCenter server. By exploiting the CVE-2024-37085 vulnerability, they were able to create new user accounts with administrator privileges, giving them full control over the virtual environment.
This level of access allows the attackers to control virtual machines, modify server configurations, and access sensitive system logs. The rapid exploitation of this vulnerability, within days of its public disclosure, underscores the speed and agility with which threat actors like BlackByte adapt their tactics to exploit new security flaws.
Impact of the Attack
The recent attacks culminated in the encryption of files, with the file extensions being changed to “blackbytent_h.” As part of the BYOVD attack, the ransomware also dropped four vulnerable drivers on the infected systems, all following a similar naming convention:
- AM35W2PH (RtCore64.sys)
- AM35W2PH_1 (DBUtil_2_3.sys)
- AM35W2PH_2 (zamguard64.sys, also known as Terminator)
- AM35W2PH_3 (gdrv.sys)
The use of these vulnerable drivers highlights the sophistication of BlackByte’s attack strategy. By disabling key security processes, the ransomware is able to operate undetected and maximize the damage inflicted on the target.
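As an added illustration (not code from the article or from Cisco Talos), the following Python script hunts a file listing for the artefacts named above: the AM35W2PH driver naming convention, the original filenames of the four vulnerable drivers, and the blackbytent_h extension applied to encrypted files. The file listing is constructed sample data; in practice the input would come from a directory walk or an EDR file inventory.

```python
import re

# Artefact names as listed in the article: dropped driver files use the
# AM35W2PH stem with an optional _N suffix, and each maps to a known
# vulnerable driver. Encrypted files receive the blackbytent_h extension.
DROPPED_DRIVER_STEMS = {
    "AM35W2PH": "RtCore64.sys",
    "AM35W2PH_1": "DBUtil_2_3.sys",
    "AM35W2PH_2": "zamguard64.sys",  # also known as Terminator
    "AM35W2PH_3": "gdrv.sys",
}
KNOWN_VULNERABLE_DRIVERS = {d.lower() for d in DROPPED_DRIVER_STEMS.values()}
ENCRYPTED_EXTENSION = ".blackbytent_h"
STEM_PATTERN = re.compile(r"^AM35W2PH(?:_\d+)?$", re.IGNORECASE)

# Constructed sample listing (not real forensic data): a mix of benign
# files, the renamed drivers, one driver under its original name, and
# one encrypted document.
SAMPLE_LISTING = [
    r"C:\Windows\System32\drivers\AM35W2PH.sys",
    r"C:\Windows\System32\drivers\AM35W2PH_1.sys",
    r"C:\Windows\System32\drivers\AM35W2PH_2.sys",
    r"C:\Windows\System32\drivers\AM35W2PH_3.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Users\alice\Documents\report.docx.blackbytent_h",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Temp\gdrv.sys",
]


def classify_path(path):
    """Return a list of finding tags for one path; empty means nothing matched."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lower = name.lower()
    findings = []
    if lower.endswith(ENCRYPTED_EXTENSION):
        findings.append("encrypted_file")
    # The stem is the filename up to the first dot, so AM35W2PH_2.sys -> AM35W2PH_2
    stem = name.split(".", 1)[0]
    if STEM_PATTERN.match(stem):
        original = DROPPED_DRIVER_STEMS.get(stem.upper(), "unknown")
        findings.append("dropped_driver_name:" + original)
    if lower in KNOWN_VULNERABLE_DRIVERS:
        findings.append("known_vulnerable_driver")
    return findings


def scan_listing(paths):
    """Return {path: findings} for every path that produced at least one finding."""
    hits = {}
    for path in paths:
        findings = classify_path(path)
        if findings:
            hits[path] = findings
    return hits


def summarize(hits):
    """Count findings by class and flag a suspected BYOVD deployment."""
    counts = {"encrypted_file": 0, "dropped_driver": 0, "known_vulnerable_driver": 0}
    for findings in hits.values():
        for tag in findings:
            key = "dropped_driver" if tag.startswith("dropped_driver_name:") else tag
            counts[key] += 1
    counts["suspected_byovd"] = (counts["dropped_driver"] + counts["known_vulnerable_driver"]) > 0
    return counts


if __name__ == "__main__":
    hits = scan_listing(SAMPLE_LISTING)
    for path, findings in hits.items():
        print(path, "->", ", ".join(findings))
    print(summarize(hits))
```

Filename matching is only a first pass: these drivers are legitimately signed and can be dropped under any name, so production detection should also key on driver file hashes and on driver-load telemetry, for example by enforcing Microsoft's vulnerable driver blocklist rather than relying on names alone.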
Sectors at Risk
According to Cisco Talos, the professional, scientific, and technical services sector is the most frequently affected, accounting for 15% of the observed incidents. The manufacturing and educational services sectors follow closely, each representing 13% of the attacks.
Interestingly, Talos notes that the true scope of BlackByte’s activity is likely underreported. They estimate that only 20-30% of the group’s victims are publicly known, suggesting that many organizations either pay the ransom or choose not to disclose the attack.
Evolving Techniques and Languages
BlackByte’s progression from C# to Go, and more recently to C/C++, in its ransomware code is a clear indication of its intent to evade detection and complicate analysis. Lower-level languages like C/C++ give the developers direct control over memory layout and control flow, which makes it easier to build in sophisticated anti-analysis and anti-debugging techniques and harder for security researchers to dissect and neutralize the malware.
Connections to Other Ransomware Groups
The disclosure of BlackByte’s recent activities comes alongside reports from Group-IB, another cybersecurity firm, which has identified connections between other ransomware strains, such as Brain Cipher and RansomHub, and existing groups. Brain Cipher, for instance, shares similarities with ransomware groups such as EstateRansomware and RebornRansomware.
RansomHub, on the other hand, has been observed recruiting affiliates from the Scattered Spider group. This highlights a growing trend of collaboration and overlap between different ransomware groups, making the threat landscape even more complex.
The BlackByte ransomware group continues to evolve, employing new tactics and exploiting recent vulnerabilities to stay ahead of security defenses. The exploitation of the VMware ESXi flaw is just the latest example of how quickly threat actors can adapt to newly discovered vulnerabilities. As organizations continue to rely on digital infrastructure, it is crucial to remain vigilant, apply security patches promptly, and adopt robust security measures to protect against these ever-evolving threats.
Staying informed about the latest developments in ransomware and understanding the tactics used by groups like BlackByte can help organizations mitigate the risks and respond more effectively in the event of an attack.