Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

BlackByte: Free Decryptor Released for Ransomware Strain

But Name-and-Shame Attackers Likely Retooling After Spotting Encryption Problems
BlackByte: Free Decryptor Released for Ransomware Strain
BlackByte ransom note with victim's key highlighted (Source: Trustwave)

A free decryptor for BlackByte ransomware has been released by security researchers who cracked the crypto-locking malware's encryption.

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

Trustwave, a Chicago-based cybersecurity and managed security services provider owned by Singaporean telecommunications company Singtel Group Enterprise, on Friday announced the release of the free decryptor, available for download from GitHub.

The firm says it obtained the malware sample that it analyzed as part of a digital forensics and incident response engagement. The company declined to share any detail about the victim, such as the sector or geographies in which it operates, and said it's also not clear how the victim was initially infected.

Unfortunately, the underlying encryption problem in BlackByte is likely in the process of already being fixed by the malware's developer, says Karl Sigler, senior security research manager, Trustwave SpiderLabs.

"Information security has always been and will always be a cat and mouse game between the good guys and malicious attackers," he tells Information Security Media Group. "In this specific case, however, it appears that the actors behind BlackByte realized the weakness in their encryption mechanism and already took the key offline even before our analysis or decryptor was released. Most likely, they realized the flaw and are looking to retool and rerelease."

Weak Encryption in Malware

But the flaw means that anyone who was hit with a version of the malware containing the encryption weakness should be able to decrypt their files for free.

"Based on the encryption key going offline, this specific version is likely dead for all intents and purposes," Sigler says. "We're actively monitoring to see if the ransomware family is being revised or resurrected for a new campaign. Attackers commonly retool their ransomware weapons instead of creating completely new ones."

Trustwave says it has not attempted to contact any alleged victims of BlackByte.

"We have not reached out to any of the alleged victims, nor do we have any insight into who may have been affected by this ransomware beyond the organization that engaged with our digital forensics and incident response team to investigate the ransomware further," Sigler says. "Our hope is that by publicly releasing a detailed analysis on the ransomware and the decryption tool, we can help organizations, law enforcement, and other security firms understand the threat and take the necessary precautions and actions themselves."

BlackByte: Not a Major Player

Most ransomware developers today run ransomware-as-a-service operations, in which they recruit affiliates to infect victims with their malware, and then promise to share the proceeds whenever a victim pays.

Security experts say the biggest and most advanced ransomware operations, which often pursue big-gaming hunting - meaning targeting big organizations in search of larger ransoms - include BlackMatter, formerly known as DarkSide; Conti; LockBit; and REvil, aka Sodinokibi; and Ryuk. BlackByte, however, doesn't appear to be a major player, at least yet.

Based on 137,537 submissions to Emsisoft and the free ID Ransomware site, and excluding Stop/Djvu ransomware (Source: Emsisoft)

To try and force victims to pay, many ransomware operations run dedicated data-leak sites, reachable only via the anonymizing Tor network. Since Oct. 4, for example, Israeli threat intelligence firm Kela says these 12 ransomware groups have listed fresh victims on their data leak sites: AtomSilo, Avos, BlackByte, BlackMatter, Conti, Grief, Hive, LockBit, Pysa, REvil/Sodinokibi, Spook, Vice Society and Xing. Many other ransomware operations, however, including Ryuk, do not run data-leak sites.

Fresh BlackByte Victims Listed

BlackByte appears to have recently redesigned its data-leak site. Previously, the site listed victims and a link to download samples of stolen files, "but the ransomware itself does not have any exfiltration functionality," Trustwave notes in a technical analysis. "This is just probably to scare their victims?"

The latest victims posted to BlackByte's site, respectively appearing on Friday and Thursday, were a U.S.-based fire alarm and sprinkler installation system firm, as well as a U.S.-based manufacturer of disposable infection control products for the healthcare sector.

As of Friday, countdown timers for the victims respectively listed 28 days and 27 days as being left to pay an unspecified ransom amount. For both, a "download free" link led to the Anonfile anonymous file-downloading service, which hosted a file for each, of less than 5MB, containing allegedly stolen data.

It's not clear when the alleged victims were hit with ransomware, and if it might have been with a fresh version that fixed the encryption flaws spotted by Trustwave - and potentially others.

Timing-wise, typically attackers will use their data-leak site to try and name and shame victims into paying, days or weeks after a victim has rebuffed their initial demands.

But it's not clear if any of the allegedly stolen information is sensitive, or was obtained by attackers via any advanced hacking techniques.

"The exfiltrated files seemed like a bluff to Trustwave researchers, as BlackByte has no exfiltration functionality," Sigler says. If so, this would hardly be the first time that ransomware-wielding attackers lied about having stolen sensitive data.

"If the actors somehow did get a hold of files from any victims, it was through some other channel or potentially grabbed during the initial compromise as a separate task," he says.

Technical Analysis

According to the technical analysis of the version of BlackByte obtained by Trustwave, the malware gets delivered onto a system by using a JavaScript launcher file.

The file is part of a process designed to decode and launch the malicious payload, which is a .NET DLL file designed to evade the Microsoft Antimalware Scan Interface and prepare a system for having most of its files get forcibly encrypted. Trustwave says the malware can also adjust registry settings to escalate privileges, identify other systems via Active Directory and mount external drives.

For this worm-like capability, "this malware does not require Active Directory administrator-level access," Sigler says. "Instead, it uses a common 'pass the hash' technique using the local LocalAccountTokenFilterPolicy registry key to gain access to the local admin. It then uses that elevated local access for network and share enumeration."

For systems identified via Active Directory, the malware can send a "magic packet" that executes a wake-on-LAN command, which wakes offline devices so they can be encrypted

BlackByte's JavaScript execution flow (Source: Trustwave)

Like many other types of ransomware, however, Trustwave says BlackByte first checks a system's default language to see if the device appears to be located in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Russia, Tajikistan, Turkmen, Ukraine or Uzbekistan. If so, the malware quits.

Security experts say most ransomware operators appear to be Russian speakers, and will avoid attacking targets in Russia or any other countries that were part of the Soviet Union, to try and avoid reprisals from local law enforcement agencies.

For infections that do proceed, Trustwave says the version of BlackByte it analyzed would download a supposed PNG image file from an external server, which contains the information needed by the ransomware to generate a key and encrypt files. "If the ransomware fails to download the key, it will crash and will save the infected system from getting its files encrypted," it says. Otherwise, the ransomware begins enumerating drives for encryption, it says, using an "AES symmetric-key algorithm" derived from the PNG image file.

The required PNG file is no longer online, Trustwave says, which underpins its analysis that BlackByte's developers have likely already spotted the weak encryption and are preparing a fresh version of their ransomware.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.