BlackByte Malware Installed on Hacked Microsoft Exchange Servers

The BlackByte ransomware group is now infiltrating business networks by exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers. When three Microsoft Exchange vulnerabilities are coupled together, ProxyShell allows unauthenticated, remote code execution on the server.

The following vulnerabilities were addressed by security patches published in April and May 2021:

Since researchers disclosed the vulnerabilities, threat actors have been exploiting them to penetrate systems and install web shells, coin miners, and ransomware.

In a detailed report, Red Canary researchers analyzed a BlackByte ransomware attack and found that the attackers used the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.

Threat actors launching ransomware attacks frequently rely on third-party tools to gain elevated access or deliver malware across a network. The BlackByte ransomware executable, on the other hand, is notable because it handles both privilege escalation and the ability to worm, or move laterally, within the compromised network itself.

The malware sets three registry values: one for local privilege elevation, one for sharing network connections across all privilege levels, and one for allowing long path values for names, file paths, and namespaces. To avoid being intercepted at the last moment, the malware deletes the “Raccine Rules Updater” scheduled task before encryption. It also uses an obfuscated PowerShell command to delete shadow copies directly through WMI objects. Lastly, stolen files are exfiltrated by archiving data with WinRAR and uploading it to anonymous file-sharing services like “” or “”.
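As an added example (not code from the article or from Red Canary's report), the following Python triage routine flags the behaviours described above in constructed Sysmon-style events. The mapping of the three registry settings to LocalAccountTokenFilterPolicy, EnableLinkedConnections and LongPathsEnabled is an assumption, as are the event shapes and the sample command lines.

```python
import re

# Constructed Sysmon-style events (ID 13 = registry value set, ID 1 = process create,
# 4104 = PowerShell script block); sample data, not taken from the article or a real host.
SAMPLE_EVENTS = [
    {"id": 13, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"},
    {"id": 13, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
    {"id": 13, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled"},
    {"id": 1, "cmdline": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    # Script block logging records the de-obfuscated script, so match there rather than
    # on the obfuscated command line the article describes.
    {"id": 4104, "script": "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 1, "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\Public\out.rar C:\Finance'},
    {"id": 1, "cmdline": "notepad.exe readme.txt"},  # benign control
]

# Assumed mapping of the three settings the article describes to Windows registry values.
REGISTRY_VALUES = {
    "LocalAccountTokenFilterPolicy": "remote UAC token filtering off (local privilege elevation)",
    "EnableLinkedConnections": "mapped network drives shared across privilege levels",
    "LongPathsEnabled": "long path support enabled",
}


def classify(event):
    """Return the BlackByte-style behaviours one event matches (empty list if none)."""
    hits = []
    if event["id"] == 13:
        name = event["target"].rsplit("\\", 1)[-1]
        if name in REGISTRY_VALUES and "0x00000001" in event["details"]:
            hits.append(f"registry: {name} -> {REGISTRY_VALUES[name]}")
    elif event["id"] == 1:
        cmd = event["cmdline"].lower()
        if "schtasks" in cmd and "/delete" in cmd and "raccine" in cmd:
            hits.append("defense-evasion: Raccine Rules Updater task deleted")
        if re.search(r'(winrar|\brar)\.exe"?\s+a\b', cmd):
            hits.append("collection: WinRAR archive created")
    elif event["id"] == 4104:
        script = event["script"].lower()
        if "win32_shadowcopy" in script and "delete" in script:
            hits.append("impact: shadow copies deleted via WMI")
    return hits


def triage(events, threshold=3):
    """Collect distinct behaviours across a host's events; alert once several stages chain."""
    seen = sorted({hit for ev in events for hit in classify(ev)})
    return {"behaviours": seen, "alert": len(seen) >= threshold}
```

Any single indicator here is noisy on its own (administrators do enable long paths and delete scheduled tasks), which is why the alert fires only when several of the described stages appear together on one host.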

Even though Trustwave published a decryptor for the BlackByte ransomware in October 2021, it is doubtful that the operators are still employing the same encryption techniques that allowed victims to recover their information for free.

As a result, depending on the key used in the attack, you may or may not be able to recover your files using that decryptor. Multiple “new” variations of BlackByte have been discovered in the wild, indicating that the malware writers attempt to avoid discovery, analysis, and decryption.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.