Nuclear plants and other critical infrastructure under attack from BlackByte ransomware

The Federal Bureau of Investigation (FBI) reports that at least three cyberattacks against critical infrastructure in the United States are related to groups operating the BlackByte ransomware. In a notice issued in collaboration with the U.S. Secret Service, the agency mentions that this ransomware as a service (RaaS) group has steadily grown to become a considerable threat.

This weekend, the NFL’s San Francisco 49ers confirmed that their systems were compromised during a cyberattack, just hours after the team’s name appeared on BlackByte’s dark web platform.

Some of these attacks were made possible by exploiting a known vulnerability in Microsoft Exchange Server, which gave the attackers initial access to the affected systems. Once inside, they deployed lateral movement tools and escalated privileges in order to steal and encrypt data on the system.

Affected users will then find a ransom note in every directory or folder that contains encrypted files. To negotiate with the attackers and pay the ransom in cryptocurrency, victims must visit a website hosted on the Tor network.

In their alert, the investigative and intelligence agencies state that in some observed attacks the attackers only partially encrypted the data, so partial recovery may be possible. It was also found that some older versions of the BlackByte ransomware downloaded a PNG file before starting encryption, whereas newer variants no longer communicate with external IP addresses.

The ransomware spawns a process that injects code and creates scheduled tasks to delete files and run specific commands. The alert includes a list of indicators of compromise associated with BlackByte attacks, along with several recommended mitigations, including:

  • Implement periodic backups of all data
  • Use network segmentation so that devices are not reachable from every other machine on the network
  • Install and update antivirus software on all hosts and enable real-time threat detection

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.