Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.
BlackByte uses a raw key and the Advanced Encryption Standard (AES) to encrypt a victim’s files, meaning that anyone in the possession of the raw key would be able to decrypt the data.
The ransomware fetches a .PNG file that contains multiple keys, which Trustwave researchers used to create the decryptor. The free tool is available on GitHub.
Analysis of the malware also revealed that it avoids infecting systems with Russian and ex-USSR languages, that it has worm-like capabilities, and it crashes if the encryption key download fails.
BlackByte was observed preparing the target system before starting the encryption, to make sure that the process isn’t interrupted. It also checks the system language to make sure it doesn’t hit victims in specific geographies.
The malware ensures that the system won’t go to sleep during encryption, and then removes specific applications that can prevent encryption. It also kills processes that might interfere with the operation and, if it finds the Raccine anti-ransomware utility, it uninstalls it from the system.
Furthermore, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, enables the SMB1 protocol, and grants full access to target drives to anyone.
The malware is also able to enumerate hostnames in the domain from Active Directory, pings the identified ones to ensure they are alive, and then attempts to copy and execute itself on the hosts, Trustwave says.
The ransom note dropped by the malware suggests that the attackers have also stolen data from the victim, but the researchers determined that it does not have any exfiltration functionality. “So this claim is probably designed to scare their victims into complying,” the researchers explain.
Related: Attackers Encrypt VMware ESXi Server With Python Ransomware
Related: Israeli Hospital Targeted in Ransomware Attack
Related: Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations
More from Ionut Arghire
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
