BlackByte, a new ransomware family, bears all the markings of a first-generation attempt by inexperienced malware developers, including obfuscating code in a way that is readily bypassed and using the same encryption key for every victim.
According to researchers at Trustwave, the malware shares certain traits with other ransomware that has been connected to Russia: like REvil, it avoids Russian-language systems, and like Ryuk, it uses network exploitation to propagate inside networks.
They also found that the program uses a single symmetric encryption key downloaded from a public server. That weakness allowed the Trustwave researchers to build a decryption tool to help victims recover their data.
These poor design decisions indicate that BlackByte is not a variant of a prior ransomware family and that its creators are new to ransomware development; it appears to have been written from scratch.
The rise in ransomware operations may have prompted BlackByte’s creators to design their own malware architecture.
A BlackByte attack begins with the installation of an obfuscated launcher on the targeted device. According to Trustwave's analysis, the malware uses conventional obfuscation tactics to make reverse-engineering harder, such as padding the file with large amounts of useless junk code, renaming variables, and scrambling the code layout.
Nonetheless, the Trustwave researchers found that unpicking the obfuscation was simple, if time-consuming.
The malware checks whether the compromised PC is running Raccine, an open source project that attempts to guard against ransomware. If it is, the tool is terminated and removed from the system.
To ensure that data cannot be recovered once encrypted, BlackByte runs a number of system commands to erase on-system backups, usually known as "shadow copies".
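Shadow-copy deletion is one of the most reliable detection points for ransomware of this kind, and it is exactly the behaviour tools like Raccine try to intercept. The following is an added example, not code from the article or from Trustwave's research: it runs a small set of command-line patterns over constructed process-creation records (the `ts|host|parent_image|command_line` format, the hostnames and the sample commands are all assumptions made for this illustration, and the pattern list is an illustrative subset rather than BlackByte's exact command set, which the article does not give). It also counts how many distinct deletion techniques fired on each host, since a batch of them in quick succession is far more indicative of ransomware than a lone administrative command.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line patterns associated with destroying Volume Shadow Copies.
# Illustrative subset (assumption): the article does not list BlackByte's commands.
SHADOW_COPY_DELETION_PATTERNS = {
    "vssadmin_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wmi_shadowcopy_delete": re.compile(
        r"Win32_ShadowCopy.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}


@dataclass
class Alert:
    timestamp: str
    host: str
    parent_image: str
    command_line: str
    rule: str


def parse_event(line: str):
    """Parse one constructed process-creation record: ts|host|parent_image|command_line."""
    parts = line.rstrip("\n").split("|", 3)  # command line may itself contain '|'
    if len(parts) != 4:
        return None  # malformed record: skip rather than crash the pipeline
    ts, host, parent, cmd = parts
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def detect_shadow_copy_deletion(lines):
    """Return one Alert per event whose command line matches a deletion pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in SHADOW_COPY_DELETION_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["parent"], ev["cmd"], rule))
                break  # one alert per event is enough
    return alerts


def distinct_techniques_per_host(alerts):
    """Count distinct deletion techniques per host. Several different ones in a
    row is the ransomware signature; a single command is often just an admin."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.rule)
    return {host: len(rules) for host, rules in seen.items()}


# Constructed sample telemetry (assumption), not real logs.
SAMPLE_EVENTS = [
    "2021-10-15T09:12:01|WS-042|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\a\\notes.txt",
    "2021-10-15T09:13:44|WS-042|C:\\Users\\a\\AppData\\Local\\Temp\\launcher.exe|vssadmin.exe delete shadows /all /quiet",
    "2021-10-15T09:13:45|WS-042|C:\\Users\\a\\AppData\\Local\\Temp\\launcher.exe|wmic.exe shadowcopy delete",
    "2021-10-15T09:13:46|WS-042|C:\\Users\\a\\AppData\\Local\\Temp\\launcher.exe|powershell.exe -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
    "2021-10-15T10:02:10|SRV-01|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows",
    "2021-10-15T10:05:30|SRV-01|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled No",
    "this line is malformed",
]

if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} [{a.rule}] {a.command_line}")
    print(distinct_techniques_per_host(found))
```

Note that `vssadmin list shadows` on SRV-01 is deliberately not matched: listing shadow copies is routine, and a rule that fires on every `vssadmin` invocation will be tuned out by the SOC within a week. The per-host technique count is what separates WS-042 (three different deletion methods in two seconds, launched from a temp-folder binary) from SRV-01 (a single `bcdedit` change from `cmd.exe`, which still merits a look but is a much weaker signal).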
The malware's self-propagation capability, which also makes it a worm, scans 1,000 hostnames from Active Directory, sends a wake-on-LAN packet to each, and then attempts to infect any systems that are reachable. While the worm's functionality is basic, it has the potential to spread widely within an organization.
Analysts stopped short of attributing the attack to Russia, even though the malware halts before infecting Russian-language computers; other actors may be copying that methodology.
The malware appears to be unique and contains so many errors that it suggests a new ransomware gang building its own tools rather than relying on code developed by experienced gangs.
The group appears to have been frightened by the latest research. With the downloaded key no longer available, the BlackByte gang appears to be lying low; without that key, the program's encryption function is effectively disabled.
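The wake-on-LAN step is the part of that propagation loop a network defender can actually see: a magic packet is a fixed, easily parsed layout (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally with a 4- or 6-byte SecureOn password), and in most environments only a management server has any business sending them, let alone to hundreds of machines in a few seconds. The following is an added example, not code from the article or from Trustwave's research: it parses wake-on-LAN magic packets from UDP payloads and flags any source that wakes more distinct MACs within a time window than a threshold allows. The record format `(timestamp, source_ip, payload)`, the IP addresses, the MAC addresses and the thresholds are all constructed for this illustration.

```python
from collections import defaultdict

MAGIC_SYNC = b"\xff" * 6            # wake-on-LAN synchronisation stream
MAC_LEN = 6
REPEATS = 16
MIN_MAGIC_LEN = len(MAGIC_SYNC) + MAC_LEN * REPEATS   # 102 bytes


def parse_wol_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a well-formed
    wake-on-LAN magic packet, otherwise None."""
    if len(payload) < MIN_MAGIC_LEN or not payload.startswith(MAGIC_SYNC):
        return None
    mac = payload[len(MAGIC_SYNC):len(MAGIC_SYNC) + MAC_LEN]
    body = payload[len(MAGIC_SYNC):MIN_MAGIC_LEN]
    if body != mac * REPEATS:
        return None  # sync stream present but the 16 MAC copies do not agree
    trailer = payload[MIN_MAGIC_LEN:]
    if trailer and len(trailer) not in (4, 6):
        return None  # only an optional 4- or 6-byte SecureOn password may follow
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac_str: str) -> bytes:
    """Used here only to construct sample traffic for the example."""
    return MAGIC_SYNC + bytes.fromhex(mac_str.replace(":", "")) * REPEATS


def find_wol_bursts(records, window_seconds=60, threshold=20):
    """records: iterable of (timestamp_seconds, src_ip, udp_payload).
    Returns {src_ip: distinct_targets} for every source that woke more than
    `threshold` distinct MACs inside some `window_seconds` span. The port is
    deliberately ignored: the magic packet is recognised by its payload alone."""
    per_src = defaultdict(list)
    for ts, src, payload in records:
        mac = parse_wol_magic_packet(payload)
        if mac is not None:
            per_src[src].append((ts, mac))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):          # sliding window over time
            while events[right][0] - events[left][0] > window_seconds:
                left += 1
            distinct = len({m for _, m in events[left:right + 1]})
            best = max(best, distinct)
        if best > threshold:
            flagged[src] = best
    return flagged


# Constructed sample traffic (assumption), not a real capture.
BASE_TS = 1634288400
SAMPLE_RECORDS = []
# benign: a management server waking three machines over five minutes
for i, offset in enumerate((0, 120, 300)):
    SAMPLE_RECORDS.append((BASE_TS + offset, "10.0.0.5", build_magic_packet(f"00:11:22:aa:bb:{i:02x}")))
# suspicious: a workstation waking 50 distinct hosts within ten seconds
for i in range(50):
    SAMPLE_RECORDS.append((BASE_TS + 600 + i * 0.2, "10.0.1.77", build_magic_packet(f"00:11:22:33:44:{i:02x}")))
# noise that must not count: a non-WoL payload and a corrupted magic packet
SAMPLE_RECORDS.append((BASE_TS + 601, "10.0.1.77", b"not a magic packet"))
SAMPLE_RECORDS.append((BASE_TS + 602, "10.0.1.77", MAGIC_SYNC + b"\x01" * 95 + b"\x02"))

if __name__ == "__main__":
    print(find_wol_bursts(SAMPLE_RECORDS))   # {'10.0.1.77': 50}
```

The threshold and window are the tuning knobs: a patch-management server legitimately wakes whole subnets at night, so the rule is best applied as "any source other than the known WoL senders" rather than globally, and the 1,000-hostname sweep the article describes would sit far above any sensible threshold in either case.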