The majority of ransomware hackers nowadays operate as a ransomware-as-a-service business, in which they hire associates to infect victims with their malware, and then promise to split the proceeds if the victim pays.
BlackByte Malware
Just recently, a new strain of malware was discovered in an IT issue that appears to have been influenced by existing strains notorious for reaping significant financial rewards for their operators, but it is most likely the product of amateur hackers.
The Windows-based ransomware, named as BlackByte, is regarded as strange due to several of its design and function elements.
The BlackByte malware was found by the Chicago-based company, Trustwave.
Trustwave is a cybersecurity company that also manages security services that are owned by a Singaporean telecommunications company Singtel Group Enterprise. The company has provided a ransomware decryptor last Friday, October 15, which can be freely downloaded from GitHub.
The decryptor can help victims of the BlackByte ransomware decrypt their systems for free.
Furthermore, the cybersecurity firm believes the malware only targets systems that are not based on Russian or ex-USSR languages in a set of technical warnings released last week.
This is a recurrent tendency in the ransomware, whch is hugely suspected to originate from Russia.
BlackByte Cybercrime Hacking
BlackByte has also exploited what became known as "double-extortion" in this arena, in which malware not only encrypts and locks up systems, but also threatens victims' personal information being released or sold online.
On the Dark Web, modern ransomware operators like Maze, ReEvil, Conti, and Babuk host leak websites for this reason.
According to speculative rumors going around, it has been said that BlackByte has also developed a website that leaks victims' information.
However, the concern of data exfiltration and leaks is unfounded. It was also clarified that BlackByte ransomware does not have the capabilities and resources to do so.
How It Works
As reported by Charlie Osborne of ZDNet, with the given circumstance, even if there is no actual risk of information becoming public, more victims may pay up after infection of the BlackByte malware, especially due to the increase in ransomware and hacking cases around the globe in recent years.
Unskilled threat actors may be at work, according to BlackByte's encryption process.
Instead of using unique keys for each session, as professional ransomware operators do, the software downloads and executes the same key to encrypt data in AES.
Unfortunately, if you can't get the key from the HTTP server, it's hidden in a file called a forest.
In addition, the ransomware application just crashes in PNG format. To display a ransom letter, an RSA key is used once to encrypt the 'raw' key.
Trustwave stated that users infected with the malware only "need the raw key to be downloaded from the host, as long as the .PNG file it downloaded remains the same, you can use the same key to decrypt the encrypted files."
Technical Analysis of BlackByte
According to Bank Info Security, apart from this strange encryption method of BlackByte, the malware makes use of a JavaScript launcher to decrypt the main .NET DLL payload.
The ransomware is loaded into memory, and a victim ID is generated using the processor ID and volume serial number of the infected PC, which is then hashed and sent to the malware's command-and-control (C2) server.
Any process that could prevent file encryption from taking place is terminated, and the SetThreadExecutionState API is utilized to prevent the system from going to sleep.
Furthermore, volume shadow copies are destroyed, Windows restore points are removed, and network discovery is activated. BlackByte also has worm-like powers comparable to Ryuk's, and it will attempt to spread itself across multiple available networks.