Cisco Talos & BlackByte Ransomware Group

Source: Cisco Talos
Information & Technology

Cisco Talos reports activity associated with the BlackByte ransomware group. The group has targeted victims worldwide, including in North America, Colombia, the Netherlands, China, Mexico, and Vietnam. Initial access has typically come from exploiting vulnerable services such as Microsoft Exchange (via ProxyShell) or SonicWall VPN. Cisco Talos documented an intrusion that took place in March 2022. The infection starts with a BAT script executing and installing AnyDesk. A few hours later, a new account is created for persistence; the attackers then lie dormant for a further few hours before tampering with system services, modifying the registry, and creating firewall rules, ultimately deploying the BlackByte ransomware. The entire intrusion takes 17 hours to reach encryption. Commonalities across BlackByte attacks include a preference for AnyDesk along with the use of living-off-the-land binaries (LOLBins).
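The staged, slow-moving chain above (BAT-driven AnyDesk install, new account, then service, registry and firewall tampering over roughly 17 hours) is hard to catch with single-event rules. The following is an added detection example, not code from Cisco Talos or Anvilogic: it classifies process command lines into the stages the summary names and flags a host when several distinct stages fall inside one time window. Event field names (ts, host, cmdline), the keyword predicates and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Stage predicates keyed on command-line keywords drawn from the intrusion chain
# described above (BAT-driven AnyDesk install, new account, service, registry and
# firewall tampering). Event field names (ts, host, cmdline) are assumptions.
STAGES = [
    ("anydesk_install", lambda c: ".bat" in c and "anydesk" in c),
    ("account_creation", lambda c: "net user" in c and "/add" in c),
    ("service_tamper", lambda c: c.startswith("sc ") and ("config" in c or "stop" in c)),
    ("registry_mod", lambda c: c.startswith(("reg add", "reg delete"))),
    ("firewall_rule", lambda c: "netsh advfirewall" in c and "add rule" in c),
]

def classify(cmdline):
    """Return the first stage name whose predicate matches, or None."""
    c = cmdline.lower()
    return next((name for name, pred in STAGES if pred(c)), None)

def stage_chains(events):
    """Per host, the matched stages in time order: host -> [(ts, stage)]."""
    chains = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev["cmdline"])
        if stage:
            chains.setdefault(ev["host"], []).append((ev["ts"], stage))
    return chains

def flag_hosts(events, min_stages=3, window=timedelta(hours=17)):
    """Hosts on which >= min_stages distinct stages fall inside one window.
    17 h is the full dwell time the summary gives; a slow, staged chain that
    no single-event rule would catch is exactly what this surfaces."""
    flagged = []
    for host, chain in stage_chains(events).items():
        for i, (start, _) in enumerate(chain):
            if len({s for t, s in chain[i:] if t - start <= window}) >= min_stages:
                flagged.append(host)
                break
    return flagged

def T(hhmm):
    return datetime.fromisoformat("2022-03-10T" + hhmm + ":00")

SAMPLE_EVENTS = [  # constructed sample, not telemetry from the report
    {"ts": T("08:00"), "host": "WS01", "cmdline": r"cmd.exe /c C:\Users\Public\setup.bat AnyDesk.exe --install"},
    {"ts": T("11:30"), "host": "WS01", "cmdline": "net user svc_backup Pa55w0rd /add"},
    {"ts": T("15:00"), "host": "WS01", "cmdline": "sc config PlaceholderSvc start= disabled"},
    {"ts": T("15:10"), "host": "WS01", "cmdline": r"reg add HKLM\SOFTWARE\Placeholder /v Flag /t REG_DWORD /d 1 /f"},
    {"ts": T("15:20"), "host": "WS01", "cmdline": 'netsh advfirewall firewall add rule name="placeholder" dir=in action=allow'},
    {"ts": T("09:00"), "host": "WS02", "cmdline": "net user jdoe /add"},
]
```

Running `flag_hosts(SAMPLE_EVENTS)` returns `['WS01']`: the single account creation on WS02 is not enough on its own, while WS01 accumulates all five stages within the window.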
