Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Analysis of BlackByte Ransomware's Go-Based Variants

JAVIER VICENTE, BRETT STONE-GROSS
May 03, 2022 - 23 min read

Key Points

  • BlackByte is a full-featured ransomware family that first emerged around July 2021
  • The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021
  • The threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not paid
  • The group has demanded multi-million dollar ransoms from some victims
  • BlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation algorithms
  • In early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server
  • More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption

 

Introduction

BlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting corporations worldwide since July 2021. Previous versions of the ransomware were written in C#. More recently, the authors redeveloped the ransomware using the Go programming language. The BlackByte Go variant was used in attacks described in an FBI advisory that warned BlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors. In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware.

 

Technical Analysis

 

Variants

ThreatLabz has identified two variants of the Go-based variant of BlackByte. The first variant was seen in-the-wild around September 2021 and shares many similarities with the C# version including the commands executed to perform lateral propagation, privilege escalation, and file encryption algorithms. A more recent Go-based variant was introduced around February 2022. This new variant introduced many additional features and updated the file encryption algorithms. In this blog, for brevity, the Go-based BlackByte variant 1 will be referred to as BlackByte v1 and the second variant will be referred to as BlackByte v2.

 

Initialization

Before BlackByte performs file encryption, the ransomware first performs initialization. Most of these initialization functions are very similar or identical to the C# variant of BlackByte.

 

Mutex Creation

BlackByte creates a mutex using a value that is hardcoded in the malware, for example: Global\7b55551e-a59c-4252-a34a-5c80372b3014. If the mutex exists, BlackByte will terminate. This ensures that there is only one active instance of BlackByte running at a time.

 

Identify System Language

BlackByte ransomware resolves the victim's system language by comparing the language ID values with those shown in Table 1. If the system language matches any from this list, BlackByte will exit without performing file encryption.

 

Language ID

Language

1049

Russian

1058

Ukrainian

1059

Belarusian

1064

Tajik

1067

Armenian

1068

Azerbaijani Latin

1079

Georgian

1087

Kazakh

1090

Turkmen

1091

Uzbek Latin

2092

Azerbaijani Cyrillic

2115

Uzbek Cyrillic

 

Table 1. System languages avoided by BlackByte ransomware

These languages are specifically avoided by BlackByte to prevent encrypting files on systems that are located in Commonwealth of Independent States (CIS) countries. This likely indicates that the threat actors behind BlackByte are located in Eastern Europe and/or Russia. This is designed to reduce the threat that local law enforcement in those regions will pursue criminal prosecution against those responsible for BlackByte.

 

Enable Long Paths

The malware executes the following command to avoid issues that may occur when encrypting files with long path names:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

 

Disable Controlled Folder Access

BlackByte executes the following command to disable controlled folder access:

Set-MpPreference -EnableControlledFolderAccess Disabled

The Windows controlled folder access feature is designed to protect data from malicious applications such as ransomware. When enabled, files located in the specified protected folders can not be modified by unauthorized applications.

 

Delete Shadow Copies

Similar to other ransomware families, BlackByte deletes shadow copies to prevent a victim from easily recovering files from backups. There are two methods that BlackByte uses to delete shadow copies. The first executes the following PowerShell command:

$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+
'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+
'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x


The Base64 encoding string when decoded is the following: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

BlackByte also executes the commands to delete shadow copies for each drive:

C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=401MB
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=unbounded

 

Process Termination and Stop / Start Services

The following commands are executed by BlackByte to stop services that may hinder file encryption:

C:\WINDOWS\system32\sc.exe config SQLTELEMETRY start= disabled
C:\WINDOWS\system32\sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
C:\WINDOWS\system32\sc.exe config SQLWriter start= disabled
C:\WINDOWS\system32\sc.exe config SstpSvc start= disabled
C:\WINDOWS\system32\sc.exe config MBAMService start= disabled
C:\WINDOWS\system32\sc.exe config wuauserv start= disabled

BlackByte will also start the following services:

C:\WINDOWS\system32\sc.exe config Dnscache start= auto
C:\WINDOWS\system32\sc.exe config fdPHost start= auto
C:\WINDOWS\system32\sc.exe config FDResPub start= auto
C:\WINDOWS\system32\sc.exe config SSDPSRV start= auto
C:\WINDOWS\system32\sc.exe config upnphost start= auto
C:\WINDOWS\system32\sc.exe config RemoteRegistry start= auto

BlackByte ransomware terminates the following processes shown in Table 2 at the beginning of the execution:

 

uraniumprocesshackerprocmonpestudioprocmon64
x32dbgx64dbgcffexplorerprocexp64procexp
pslisttcpviewtcpvcondbgviewrammap
rammap64vmmapollydbgautorunsautorunsc
regmonidaqidaq64immunitydebuggerwireshark
dumpcaphookexplorerimportrecpetoolslordpe
sysinspectorproc_analyzersysanalyzersniff_hitwindbg
joeboxcontroljoeboxserverjoeboxserverresourcehackerfiddler
httpdebuggerdumpitrammaprammap64vmmap
agntsvccntaosmgrdbeng50dbsnmpencsvc
excelfirefoxfirefoxconfiginfopathisqlplussvc
mbamtraymsaccessmsftesqlmspubmydesktopqos
mydesktopservicemysqldmysqld-ntmysqld-optNtrtscan
ocautoupdsocommocssdonenoteoracle
outlookPccNTMonpowerpntsqbcoreservicesql
sqlagentsqlbrowsersqlservrsqlwritersteam
synctimetbirdconfigthebatthebat64thunderbird
tmlistenvisiowinwordwordpadxfssvccon
zoolzfilemonnsservicensctrl 

 

Table 2. Process names terminated by BlackByte ransomware

Many of these process names are related to business applications. BlackByte kills these processes to avoid open file handle permission issues when performing file encryption of the victim's files. In addition, the list contains a large number of malware analyst tools that can be used to reverse engineer the functionality of the ransomware.

BlackByte also terminates the following services that are associated with antivirus products, backup software, and business applications including financial software, email clients, and databases as shown below in Table 3.

 

klvssbridge64vapiendpointShMonitorSmcinstSmcService
SntpServicesvcGenericHostswi_TmCCSFtmlisten
TrueKeyTrueKeySchedulerTrueKeyServiceHelperWRSVCMcTaskManager
OracleClientCache80mfefirewbenginemfemmsRESvc
mfevtpsacsvrSAVAdminServiceSAVService

SepMasterService

PDVFSServiceESHASRVSDRSVCFA_SchedulerKAVFS
KAVFSGTkavfsslpklnagentmacmnsvcmasvc
MBAMServiceMBEndpointAgentMcShieldaudioendpointbuilderAntivirus
AVPDCAgentbedbgEhttpSrvMMS
ekrnEPSecurityServiceEPUpdateServicentrtscanEsgShKernel
msexchangeadtopologyAcrSch2SvcMSOLAP$TPSAMAIntel(R) PROSet Monitoring

msexchangeimap4

ARSMunistoresvc_1af40aReportServer$TPSMSOLAP$SYSTEM_BGCW3Svc
MSExchangeSRSReportServer$TPSAMAZoolz 2 ServiceMSOLAP$TPS

aphidmonitorservice

SstpSvcMSExchangeMTAReportServer$SYSTEM_BGCSymantec System RecoveryUI0Detect
MSExchangeSAMSExchangeISReportServerMsDtsServer110POP3Svc
MSExchangeMGMTSMTPSvcMsDtsServerIisAdminMSExchangeES
EraserSvc11710Enterprise Client ServiceMsDtsServer100NetMsmqActivatorstc_raw_agent
VSNAPVSSPDVFSServiceAcrSch2SvcAcronis

CASAD2DWebSvc

CAARCUpdateSvcMcAfeeavpsusDLPAgentServicemfewc
BMR Boot ServiceDefWatchccEvtMgrccSetMgrSavRoam
RTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCS

QBCFMonitorService

YooITzhudongfangyunsServiceveeambackup
sqlmemtasvsssophossvc$
mepocswuauserv   

 

Table 3. Service names terminated by BlackByte ransomware

 

Windows Firewall

BlackByte disables the Windows firewall via the command: 

netsh advfirewall set allprofiles state off

 

Windows Defender

The ransomware executes the following command to delete task manager, resource monitor, and stop the Windows Defender service:

cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & del C:\Windows\System32\resmon.exe /f /q &
powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
('V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));Stop-Service -Name $x;Set-Service -StartupType Disabled 

The Base64 encoded string above decodes to WinDefend.

 

Raccine Anti-Ransomware

BlackByte terminates and uninstalls an anti-ransomware product known as Raccine. The Raccine processes that are terminated are raccine.exe and raccinesettings.exe. To uninstall Raccine, BlackByte deletes the following registry keys and values:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
  • HKEY_CURRENT_USER\SOFTWARE\Raccine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Raccine

BlackByte then deletes Raccine's scheduled task via the command:

C:\WINDOWS\system32\schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F

 

Privilege Escalation

The ransomware executes the following commands to disable UAC remote restrictions:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

BlackByte sets the EnableLinkedConnections registry value to force symbolic links to be written to link logon sessions as follows:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

In BlackByte v2, an additional privilege escalation method was added that exploits the CMSTPLUA COM interface to bypass UAC. The ShellExec method of the interface ICMLuaUtil can be invoked with arbitrary commands with elevated privileges using the ElevationMoniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows BlackByte v2 to execute the svchost.exe process that it injects into with elevated privileges. This privilege escalation technique has also been utilized by other ransomware groups including REvil and LockBit.

 

Lateral Propagation

BlackByte ransomware performs network enumeration and can propagate across a local network. First it executes the following commands to enable network discovery and file and printer sharing:

C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes
C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes

The following commands are then executed to discover other computers and network file shares:

net view
arp -a

BlackByte loads the Active Directory module RSAT-AD-PowerShell and queries for other computers via the following commands:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe Install-WindowsFeature -Name \"RSAT-AD-PowerShell\" –IncludeAllSubFeature
powershell -command "Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name"

If the -a flag is passed via the command-line, BlackByte attempts to copy itself to remote computer's public folders via the administrative share \\<remote_computer_name>\c$\Users\Public\<filename.exe>. If that attempt is unsuccessful, BlackByte will default to the path: \\<remote_computer_name>\Users\Public\<filename.exe>. BlackByte uses the Windows task scheduler to execute the ransomware on the remote host using the following command:

C:\Windows\system32\schtasks.exe /Create /S <remote_computername> /TN <taskname> /TR "C:\Users\Public\<filename> -s <passphrase>" /ru SYSTEM /sc onlogon /RL HIGHEST /f

In BlackByte v2, the filename and task name are pseudorandomly generated using a function that produces eight upper and lowercase alphabetic and numeric characters (e.g., BqgDOVYL.exe and KYL8EpE9, respectively). BlackByte v1 uses a hardcoded filename and command-line argument complex.exe -single and the hardcoded task name asd.

After scheduling the task, the remote BlackByte binary is executed using the command:

C:\Windows\system32\schtasks.exe /S <remote_computername> /Run /TN <taskname>

After the task is executed, BlackByte deletes the remote task using the command:

C:\Windows\system32\schtasks.exe /Delete /S <remote_computername> /TN <taskname> /f

BlackByte then deletes the copy of itself on the remote host network share. BlackByte also attempts to access administrative shares A$ through Z$ and the folders shown in Table 4.

 

UsersBackupVeeamConsejohomes
homemediacommonStorage ServerPublic
WebImagesDownloadsBackupData

ActiveBackupForBusiness

BackupsNAS-DCDCBACKUPDirectorFilesshare

 

Table 4. Network shares targeted by BlackByte ransomware

 

Check for Analysis Tools

The malware checks the following DLL modules in memory shown in Table 5 and exits if they are present:

 

DLL FilenameDescription
DBGHELP.DLLWindows DbgHelp Library
SbieDll.dllSandboxie
SxIn.dllQihu 360 Total Security
Sf2.dllAvast Antivirus
snxhk.dllAvast Antivirus
cmdvrt32.dllCOMODO Internet Security

 

Table 5. DLLs Identified by BlackByte ransomware

 

Disable Debugging

BlackByte attempts to prevent debugging tools from monitoring and attaching to various processes by removing the following registry values under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:

  • vssadmin.exe
  • wbadmin.exe
  • bcdedit.exe
  • powershell.exe
  • diskshadow.exe
  • net.exe
  • taskkill.exe
  • wmic.exe
  • fsutil.exe

 

Process Injection

BlackByte v1 injects the ransomware code in an instance of regedit.exe, while BlackByte v2 injects itself into an instance of svchost.exe. After the process is injected with the ransomware code, the file encryption is then performed in the context of the regedit.exe or svchost.exe process. BlackByte then deletes its original binary on disk by executing the command:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del <blackbyte_filepath.exe> /F /Q

The ping command is used to delay the file deletion by 10 seconds. The process injection functionality may be able to bypass some security software detections.

 

Unmount Virtual Machine Images

In order to identify virtual machines on the victim's system, BlackByte will execute the command:

powershell Get-VM

If any virtual machine files are located, BlackByte will attempt to unmount the image by executing the following command line:

powershell.exe Dismount-DiskImage -ImagePath <filename.vhd>

 

Backup Volumes

The malware executes mountvol.exe to try to mount additional volumes:

C:\WINDOWS\system32\mountvol.exe A: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe B: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe E: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe F: \\?\Volume{[GUID]}\

This is likely an attempt to mount and encrypt backup volumes to further prevent file recovery after encryption.

 

File Encryption

BlackByte enumerates all physical drives and network shares skipping files that contain the following substrings in Table 6:

 

blackbytentdetect.combootnxtntldrrecycle.bin
bootmgrthumbs.dbntuser.datbootsect.bakautoexec.bat
iconcache.dbbootfont.bin   

 

Table 6. BlackByte ransomware file substring filter list

BlackByte avoids the following extensions shown in Table 7.

 

urlmsiloglogldflock
thememsisyswpxcpl
advmscscrkeyico
dllhtadeskthemepacknomediamsu
rtpmspidxani386
diagcfgbinmodicscom
hlpsplnlscabexe
diagpkgiclocxromprf
themepackmsstylesicnsmpadrv
curdiagcabcmdshs 

 

Table 7. File extensions skipped by BlackByte ransomware

BlackByte will also skip files located in the following directories shown in Table 8.

 

bitdefendertrend microavast softwareintelcommon files
programdatawindowsappsappdatamozillaapplication data
googlewindows.oldsystem volume informationprogram files (x86)boot
tor browserwindowsintelperflogsmsocache

 

Table 8. Directories whitelisted by BlackByte ransomware

BlackByte optimizes encryption speed based on the targeted file size according to the following rules:

 

FilesizeEncryption Algorithm
Size <= 5MBEncrypt the entire file
15MB >= Size > 5MBEncrypt the first 1MB and last 1MB
150MB >= Size > 15MBEncrypt the first 5MB and last 5MB
Size > 150MBEncrypt the first 50MB and last 50MB

 

 

BlackByte renames encrypted files with the extension .blackbyte. The ransomware creates a DefaultIcon registry key under HKEY_CLASSES_ROOT\.blackbyte that points to an icon file, so that every file that is encrypted will show this icon in Windows explorer. In addition, the registry names s1159 and s2359 are set to BLACKBYTE under HKEY_CURRENT_USER\Control Panel\International. These registry values control the time format for AM/PM. As a result, Windows will show BLACKBYTE instead of AM/PM as shown below in Figure 2.

Image

Figure 2. BlackByte AM/PM time format modification

 

This time format modification is performed by executing the commands:

reg add "HKCU\Control Panel\International" /v s1159 /t REG_SZ /d BLACKBYTE /f
reg add "HKCU\Control Panel\International" /v s2359 /t REG_SZ /d BLACKBYTE /f

 

File Encryption Algorithms (Variant 1)

BlackByte v1 must be executed with the command line argument -single followed by a SHA256 hash. This hash is combined with a TOR onion URL (e.g., hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad[.]onion/). The SHA256 hash given as an argument is concatenated to the onion URL to build the URL of the victim ransom portal that is embedded in the ransom note. This URL is substituted in the [LINK] field of the ransom note template.

When BlackByte v1 is executed, the malware tries to connect to a hardcoded URL that hosts a file that is involved in the construction of an AES key that is used to encrypt a victim's files. An example URL used for this purpose was hxxps://185.93.6[.]31/mountain.png. The mechanism used to build the AES key is very similar to the C# variant.

After the content of the file mountain.png is downloaded, BlackByte reads the first 16 bytes of the file into a buffer and 24 bytes at the offset 0x410 of the file into another buffer. These 24 bytes are used as key to create and initialize a NewTripleDESCipher object from the Go Cryptographic API. This object is used to decrypt the first 16 bytes of the file mountain.png. The resulting 16-byte buffer will be used as a PBKDF2 password to derive the AES key that will be used to encrypt the victim's files. The BlackByte PBKDF2 algorithm uses SHA1 as the hashing function and 1,000 iterations to derive the AES key. The password is converted to unicode and the unicode string BLACKBYTE_IS_COOL is used as the salt. The following example Python code can be used to derive the AES key used for file encryption.

 

Image

Figure 3. Python code to decrypt BlackByte v1 files with the file (e.g., mountain.png) downloaded from the C2 server

Victim's files are encrypted with AES using CBC mode. The first 16 bytes of the PBKDF2 derived key are used as AES key, and the same 16 bytes are used as the initialization vector (IV). The same AES key is used to encrypt all the files on a victim's machine.

The PBKDF2 password is encrypted with a hardcoded 1,024-bit RSA public key and the resulting RSA-encrypted value is encoded with Base64. This Base64 encoded string is substituted in the [KEY] field in the ransom note template. The threat actor can decrypt the PBKDF2 password with their corresponding RSA private key, derive the AES key, and thereafter, decrypt the victim's encrypted files. The following is an example RSA public key that was hardcoded in BlackByte:

 

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBwECQuQiVGorPYvHrJM11OWV
E1PS8gaBqIAfPaR1rQHUEXu3iX/da/dCtV8Z27/SIA/ZYUNhTyUsX9Snjz8zve90
QAiG1c/BS81WWRax7M7i1rESStVwOaUDAj5w6cz9GwDMGYI+wve9Qyjtw5R6hr5I
qlIEig1Wy1X27vUC2wIDAQAB
-----END PUBLIC KEY-----

 

 

Ransom Note and BlackByte Icon (Variant 1)

The BlackByte ransom note and an image containing an icon file are stored as Base64 encoded strings in the binary. After the encryption of the victim's files, the ransom note is written to a file named BlackByteRestore.txt, and the previously mentioned icon file is written to a file named BB.ico. An example BlackByte v1 ransom note template is shown below in Figure 4. The BlackByte logo uses the extended ASCII characters of the 8-bit code page 437 to create 3-D block letters.

Image

Figure 4. Go-based BlackByte v1 ransom note template

 

File Encryption Algorithms (Variant 2)

The second variant of BlackByte ransomware does not require a network connection to start encryption. In addition, the ransomware's command-line parameters were modified. BlackByte v2 requires two command line parameters:

sample.exe <flags> <passphrase>

The first parameter is a flag (e.g., -a) that controls specific behaviors of the ransomware (e.g., to propagate across a network), while the second parameter is a passphrase (e.g., 54726956) that is verified before file encryption commences. If BlackByte is not provided with any command-line arguments, the ransomware prints out the phrase BlackByte ransomware, 8-th generation, the most destructive of all ransomware products, real natural disaster. and exits.

BlackByte v2 removed the RSA and AES file encryption algorithms from the ransomware. The encryption algorithms were replaced with Curve25519 elliptic curve cryptography for asymmetric encryption and ChaCha for symmetric algorithm. The Curve25519 functions are statically compiled within BlackByte using Go library code. BlackByte generates a random 32-byte buffer per file using the Windows API function RtlGenRandom(). This random value is used as a file's secret key. The file's public key is calculated as follows:

file_public_key = Curve25519(file_secret_key, base_point = 0x9)

The threat actor's Curve25519 public key is hardcoded in the binary and stored as a Base64 encoded string. For the sample with the SHA256 hash ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa, the hardcoded Curve25519 public key was the string:

2BSTzcpdqRW/a2DRT3TiL9lN5INRmmn1lCQWzZhkfQs= (d81493cdca5da915bf6b60d14f74e22fd94de483519a69f5942416cd98647d0b)

The shared secret is derived as follows:

shared_secret = Curve25519(file_secret_key, blackbyte_public_key)

The shared secret is hashed with SHA256 to derive a 32-byte ChaCha encryption key. The ChaCha encryption key is then hashed again with SHA256 to derive the ChaCha nonce (using 12 bytes starting at offset 10). Once the ChaCha key parameters have been derived, they will be used to encrypt the file's content. The encrypted data is written to the file (overwriting the original content). Finally, the victim's 32-byte public key is concatenated to the encrypted content of the file. The BlackByte v2 encryption algorithm is shown below in Figure 5.

Image

Figure 5. BlackByte v2 file encryption algorithm

The threat actor can use the file's public key together with the threat actor's secret key to recover the shared secret and use it to decrypt the encrypted data as follows:

shared_secret = Curve25519(blackbyte_secret_key, file_public_key)

The following Python code in Figure 6 can be used to decrypt BlackByte encrypted data from a file that has been encrypted if the threat actor's private key is obtained:

Image

Figure 6. Python code to decrypt BlackByte v2 files with the threat actor's private key

BlackByte v2 also encrypts the filename after encryption. The encryption is a simple XOR layer with a hardcoded key, followed by Base64 encoding as shown in Figure 7.

Filename Encryption

Figure 7. BlackByte v2 filename encryption

In the analyzed sample, the XOR key was fuckyou123. After a filename has been encrypted, the file is renamed and the .blackbyte extension is concatenated.

ThreatLabz has implemented proof-of-concept file decryption code for both BlackByte v1 and v2 here.

 

Ransom Note and BlackByte Icon (Variant 2)

BlackByte v2 introduced some improvements to storing the ransom note and icon file. The Base64 encoded blocks for the ransom note and icon file added an XOR-based encryption layer. The XOR key to decrypt the ransom note and icon file is embedded in the ransomware as an obfuscated string. The icon file is written to the victim's %APPDATA% directory using a randomly generated filename consisting of six upper and lowercase alphabetic and numeric characters (e.g., i2uOJh.ico).

BlackByte v2 contains a hardcoded TOR onion URL and path for the victim portal rather than relying on the command-line for the path value. BlackByte v2 also added a hardcoded password that is required to access the victim ransom portal. An example password is:

gkaW_#DD[Aw_JTB@luXpJBdye6eLr@{bx5pHFA)T5FpMYJC]f|@

The BlackByte v2 ransom note template is shown below in Figure 8. The [LINK] substring in the ransom note is replaced with the hardcoded BlackByte victim URL and the [PASSW] substring is replaced with the victim-specific password for the ransom portal.

 

Image

Figure 8. BlackByte v2 ransom note template

 

An example ransom note when populated after file encryption has been performed for BlackByte v2 is shown in Figure 9.

V2 Ransom Note

Figure 9. BlackByte v2 ransom note

A copy of the BlackByte v2 ransom note can be found in the ThreatLabz GitHub repository. After BlackByte encrypts files, the ransom note is written to each directory, the encrypted files are renamed, and their icons are replaced by the BlackByte icon.

 

Ransom Portal and Leak Site

When a victim accesses the link in the ransom portal, they are instructed to enter the access key from the ransom note as shown in Figure 10.

V2 Negotiation Channel

Figure 10. BlackByte victim ransom portal

After a victim authenticates, they are provided the ransom demand and instructions how to purchase Bitcoin. There is also a live chat feature as shown in Figure 11.

Image

Figure 11. BlackByte ransom negotiation portal

Victims are further pressured to pay the ransom, or risk having their data publicly leaked on their TOR hidden service as shown in Figure 12.

Image

Figure 12. BlackByte victim leak site

 

Print Bombing

In addition to dropping a ransom note on the victim's machine, the ransomware sends a message to be printed by any connected printers. The printed ransom message is an RTF file with the content shown below:

 

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 10.0.19041}\viewkind4\uc1 
\pard\sa200\sl276\slmult1\qc\f0\fs56\lang9 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par

\pard\sa200\sl276\slmult1\par
}

 

In BlackByte v1, the message is written to the file C:\Users\tree.dll and the following command is executed to print it:

C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p C:\\Users\\tree.dll

In addition, a task named Task is created to print the message every hour:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn Task /tr "C:\Windows\System32\cmd.exe 
/c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll" /st 07:00

In BlackByte v2, the text of the message is written to a file with a random name consisting of six upper and lowercase alphabetic and numeric characters. The task name is also created randomly consisting of eight upper and lowercase alphabetic and numeric characters. An example task command to print the ransom message is shown below:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr "C:\Windows\System32\cmd.exe 
/c for /l %x in (1,1,75) do start %SystemDrive%\Program Files\Windows NT\Accessories\WordPad.exe /p 
C:\Users\1HoWkK.dll" /st 07:00

 

Anti-Analysis / Anti-Forensics Techniques

String Obfuscation

Both Go-based BlackByte variants encrypt most strings using a tool similar to AdvObfuscator. Each string is decrypted using a unique algorithm with polymorphic code that implements different operations xor, addition, subtraction, etc. In the examples below, the encrypted strings in Figure 13 are built and decrypted from arguments on the stack.

Image

Figure 13. BlackByte string obfuscation examples

 

Modified UPX Packer

In addition to string obfuscation, BlackByte samples are typically packed with UPX. In BlackByte v1, all of the samples observed by ThreatLabz were packed with the standard UPX packer and could be unpacked via the command-line parameter -d. The early samples of BlackByte v2 were also packed with the standard UPX packer. However, the most recent BlackByte samples (since March 2022) are packed with a modified version of UPX. The names of the sections have been renamed from UPX0 and UPX1 to BB0 and BB1, respectively. Figure 14 shows an example BlackByte v2 sample with the modified UPX headers.

Altered UPX Header

Figure 14. BlackByte v2 altered UPX header

Antivirus Detection

Due to BlackByte's anti-analysis features, polymorphic code, and heavy obfuscation many antivirus products have very low detection rates. For example, the BlackByte sample with the SHA256 534f5fbb7669803812781e43c30083e9197d03f97f0d860ae7d9a59c0484ace4 has an antivirus detection rate of 4/61 at the time of publication.

 

Conclusion

BlackByte is a full-featured ransomware family operated by a threat group that continues to breach organizations and demand large ransom amounts. The threat group also performs double extortion attacks by stealing an organization's files and leaking them online if the ransom is not paid. The ransomware code itself is regularly updated to fix bugs, bypass security software, and hinder malware analysis. The encryption algorithms have also been improved to be more secure and prevent file recovery. This demonstrates that the threat group will likely continue to improve the ransomware and remain a significant threat to organizations.

 

Cloud Sandbox Detection

Cloud Sandbox Detection

 

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:

 

Indicators of Compromise

 

IoC Type Value 
BlackByte v1 Packed Sample 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
BlackByte v1 Packed Sample388163c9ec1458c779849db891e17efb16a941ca598c4c3ac3a50a77086beb69
BlackByte v1 Unpacked Sample44a5e78fce5455579123af23665262b10165ac710a9f7538b764af76d7771550
BlackByte v1 Unpacked Sample6f36a4a1364cfb063a0463d9e1287248700ccf1e0d8e280e034b02cf3db3c442
BlackByte v2 Packed Sampleffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa
BlackByte v2 Packed Sample9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe
BlackByte v2 Packed Samplee434ec347a8ea1f0712561bccf0153468a943e16d2cd792fbc72720bd0a8002e
BlackByte v1 Onion URLhxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad.]onion
BlackByte v2 Onion URLhxxp://fyk4jl7jk6viteakzzrxntgzecnz4v6wxaefmbmtmcnscsl3tnwix6yd.]onion
BlackByte v2 Onion URLhxxp://p5quu5ujzzswxv4nxyuhgg3fjj2vy2a3zmtcowalkip2temdfadanlyd.]onion
BlackByte v1 AES Key Seed URL hxxps://185.93.6[.]31/mountain.png

 

 

References

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.