The BlackByte ransomware group is now breaching corporate networks by exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers. ProxyShell is a chain of three Exchange vulnerabilities that, used together, give an unauthenticated remote attacker code execution on the server.
All three were addressed by Exchange security updates published in April and May 2021:
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched through KB5001779)
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched through KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched through KB5003435)
Threat actors began exploiting the chain soon after researchers published the details, using it to break into servers and deploy web shells, coin miners, and ransomware.
In a detailed report, Red Canary researchers analysed a BlackByte ransomware intrusion and found that the attackers had used the ProxyShell chain to drop web shells on a compromised Microsoft Exchange server.
Ransomware operators commonly rely on third-party tools to escalate privileges or stage malware across a network. The BlackByte executable is notable because it handles both tasks itself: it escalates privileges and can spread laterally, worm-like, through the victim's network.
The malware sets three registry values: one that grants local privilege elevation, one that makes network connections available across all privilege levels, and one that enables long path values for names, file paths, and namespaces. To avoid being stopped at the last moment, it deletes the "Raccine Rules Updater" scheduled task before encryption begins (Raccine is an open-source "ransomware vaccine" that intercepts shadow-copy deletion). It also runs an obfuscated PowerShell command that deletes volume shadow copies directly through WMI objects rather than via vssadmin.exe. Finally, stolen data is exfiltrated by archiving it with WinRAR and uploading it to anonymous file-sharing services such as "file.io" and "anonymfiles.com".
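The following host triage script is an added example covering the ProxyShell web-shell drop and the pre-encryption tradecraft described above; it is not BlackByte's code and is not taken from the Red Canary report. Assumptions on my part: the three registry value names are my mapping of the three behaviours the page describes to well-known Windows settings; Raccine is detected through the Image File Execution Options debugger entry it registers for vssadmin.exe; the web-shell hunt looks only under the Exchange FrontEnd\HttpProxy tree and C:\inetpub\wwwroot\aspnet_client. Run it in an elevated PowerShell on the suspect host.

```powershell
# Added triage script for the BlackByte indicators described in the article.
# Not the malware's code and not from the Red Canary report; registry value
# names, the Raccine IFEO check and the web-shell paths are my assumptions.

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Indicator, [string]$Note) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Note = $Note })
}

# 1. Registry values associated with the three behaviours (privilege elevation,
#    network connections shared across privilege levels, long paths).
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'
       Note = 'UAC remote restrictions disabled: local admins get full tokens over the network' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLinkedConnections'
       Note = 'mapped drives visible from both elevated and non-elevated sessions' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Name = 'LongPathsEnabled'
       Note = 'long file paths enabled' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq 1) {
        Add-Finding "$($c.Path)\$($c.Name) = 1" $c.Note
    }
}

# 2. Raccine: it registers itself as the IFEO debugger for vssadmin.exe and its
#    installer creates the 'Raccine Rules Updater' task. Raccine present but the
#    task missing is the anomaly the article describes.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe'
$ifeo = Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue
$raccineInstalled = [bool]($ifeo -and $ifeo.Debugger -match 'Raccine')
$task = Get-ScheduledTask -TaskName 'Raccine Rules Updater' -ErrorAction SilentlyContinue
if ($raccineInstalled -and -not $task) {
    Add-Finding "'Raccine Rules Updater' task missing" 'Raccine is installed but its updater task has been removed'
}
# Security event 4699 ('A scheduled task was deleted') names the deleting account,
# provided 'Audit Other Object Access Events' is enabled on the host.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4699 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Raccine' } |
    ForEach-Object { Add-Finding "Event 4699 at $($_.TimeCreated)" 'deletion of the Raccine task was logged' }

# 3. Shadow copies: deletion through WMI (Win32_ShadowCopy.Delete) never spawns
#    vssadmin.exe, so Raccine-style process interception does not see it.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
if ($shadowCount -eq 0) {
    Add-Finding 'No Win32_ShadowCopy instances' 'compare with the backup baseline for this host'
}

# 4. ProxyShell web shells: .aspx files recently written into Exchange front-end paths.
$exchangeRoot = $env:ExchangeInstallPath   # set by Exchange setup; empty on non-Exchange hosts
if ($exchangeRoot) {
    $webPaths = @((Join-Path $exchangeRoot 'FrontEnd\HttpProxy'), 'C:\inetpub\wwwroot\aspnet_client')
    foreach ($p in $webPaths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p -Recurse -Filter *.aspx -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
                ForEach-Object { Add-Finding $_.FullName "aspx written $($_.LastWriteTime); verify it belongs to the Exchange install" }
        }
    }
}

# 5. Exfiltration staging: WinRAR on a server and lookups of the sharing services named in the article.
Get-Process -Name WinRAR, Rar -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "Process $($_.ProcessName) PID $($_.Id)" 'archiver running on a server; inspect its command line and output path' }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match 'file\.io|anonymfiles\.com' } |
    ForEach-Object { Add-Finding "DNS cache entry $($_.Entry)" 'resolved a file-sharing service used for exfiltration' }

if ($findings.Count -eq 0) { 'No BlackByte indicators found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The registry values are legitimate settings that administrators sometimes enable on purpose, so a hit in step 1 on its own is a prompt to check change history, not a verdict; the combination with a missing Raccine task, an empty shadow-copy list and a fresh .aspx file under the Exchange front end is what matches the behaviour described. Steps 2 and 3 are also why EDR rules keyed on vssadmin.exe or wmic.exe command lines miss this sample: the shadow copies go through a WMI object call, so watch for Win32_ShadowCopy deletions at the WMI-Activity or PowerShell script-block level instead.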
Although Trustwave published a free decryptor for BlackByte in October 2021, it is unlikely that the operators are still using the same encryption scheme that allowed victims to recover their files at no cost.
So, depending on the key used in a given attack, the decryptor may or may not recover your files. Several "new" BlackByte variants have since been found in the wild, which indicates that the malware's authors are actively working to evade detection, analysis, and decryption.