BlackByte Ransomware Targets VMware ESXi Vulnerability in Recent Attack Surge

The BlackByte Ransomware group is reportedly exploiting a recently patched security vulnerability affecting VMware ESXi hypervisors and using various vulnerable drivers to bypass security measures.

According to a technical report shared with The Hacker News by Cisco Talos, “The BlackByte ransomware group continues to use tactics, techniques, and procedures (TTPs) that have been central to its operations since its inception. It persistently iterates its use of vulnerable drivers to circumvent security defenses and deploys a self-propagating, wormable ransomware encryptor.”

The exploitation of CVE-2024-37085, an authentication bypass flaw in VMware ESXi that other ransomware groups have also weaponized, indicates a shift in the e-crime group’s tactics.

BlackByte emerged in the latter half of 2021 and is thought to be one of the ransomware variants that surfaced before the shutdown of the notorious Conti ransomware group.

This ransomware-as-a-service (RaaS) group has a track record of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server for initial access while avoiding systems with certain Eastern European and Russian languages.

The BlackByte ransomware group employs double extortion tactics, using a name-and-shame strategy through a data leak site on the dark web to coerce victims into paying. Multiple variants of this ransomware, written in C, .NET, and Go, have been seen in the wild.

Although Trustwave released a decryptor for BlackByte in October 2021, the group has continued to evolve its methods, including the use of a custom tool called ExByte for data exfiltration before starting encryption.

In early 2022, a U.S. government advisory linked the RaaS group to financially motivated attacks on critical infrastructure sectors, such as financial institutions, food and agriculture, and government facilities.

A key aspect of their attacks is the use of vulnerable drivers to disable security processes and bypass controls, a method known as bring your own vulnerable driver (BYOVD).
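BYOVD abuse leaves a footprint a defender can hunt for: a kernel driver load that is unsigned, matches a published vulnerable-driver blocklist, or arrives from an unusual directory. The following triage script is an added example written for this article; it is not Cisco Talos code and is not tied to the incident described. It parses constructed Sysmon Event ID 6 (DriverLoad) records flattened to `key=value` pairs and scores each load. The blocklist entries, hashes, signer names and file paths are placeholders invented for the example.

```python
import re

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to key=value
# pairs separated by "|". These are made up for this example; the hashes are
# placeholders, not real driver hashes.
SAMPLE_DRIVER_LOADS = [
    "UtcTime=2024-08-01 02:15:00|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid"
    "|Hashes=SHA256=PLACEHOLDER_HASH_TCPIP",
    "UtcTime=2024-08-01 02:16:30|ImageLoaded=C:\\Windows\\Temp\\drv1.sys"
    "|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid"
    "|Hashes=SHA256=PLACEHOLDER_HASH_KNOWN_BAD",
    "UtcTime=2024-08-01 02:16:45|ImageLoaded=C:\\Users\\Public\\helper.sys"
    "|Signed=false|Signature=-|SignatureStatus=Unavailable"
    "|Hashes=SHA256=PLACEHOLDER_HASH_UNSIGNED",
    "UtcTime=2024-08-01 02:17:00|ImageLoaded=C:\\Windows\\System32\\drivers\\vendorfilter.sys"
    "|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid"
    "|Hashes=SHA256=PLACEHOLDER_HASH_VENDOR",
]

# Stand-in for a real vulnerable-driver blocklist (placeholder value only).
KNOWN_VULNERABLE_SHA256 = {"PLACEHOLDER_HASH_KNOWN_BAD"}

# Signers that routinely load kernel drivers on a Windows host (assumed set).
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories from which driver loads are expected; anything else stands out.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_record(line):
    """Turn one flattened 'k=v|k=v' record into a dict (first '=' splits)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def sha256_of(record):
    """Extract the SHA256 value from a Sysmon 'Hashes' field, if present."""
    m = re.search(r"SHA256=([0-9A-Za-z_]+)", record.get("Hashes", ""))
    return m.group(1) if m else None


def score_driver_load(record):
    """Return (severity, reasons) for a single DriverLoad record."""
    reasons = []
    severity = "info"
    path = record["ImageLoaded"].lower()

    if sha256_of(record) in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known-vulnerable driver blocklist")
        severity = "high"
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature is not valid")
        severity = "high"
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the expected driver directories")
        severity = severity if severity == "high" else "medium"
    if record.get("Signature") not in TRUSTED_SIGNERS and severity == "info":
        reasons.append("third-party signer; verify against the asset inventory")
        severity = "low"
    return severity, reasons


def triage(lines):
    """Score every record and keep only those that need analyst attention."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        severity, reasons = score_driver_load(rec)
        if severity != "info":
            findings.append((severity, rec["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for severity, image, reasons in triage(SAMPLE_DRIVER_LOADS):
        print(f"[{severity}] {image}: {'; '.join(reasons)}")
```

The scoring is deliberately layered: a blocklist hit or a missing signature is always high, because a validly signed driver from a vendor's own directory is exactly what a BYOVD payload tries to look like; an unusual load path on its own is medium, and a third-party signer alone only merits a low-priority inventory check. In production the blocklist would be fed from a maintained source rather than the placeholder set here.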

Cisco Talos, which investigated a recent BlackByte ransomware incident, reported that the breach was likely facilitated using valid credentials to access the victim’s VPN. Initial access is believed to have been achieved through a brute-force attack.

“Using the victim’s VPN for remote access also provides the adversary with additional benefits, such as decreased visibility from the organization’s EDR. Given BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access might indicate a minor change in technique or could be a case of opportunism,” said security researchers James Nutland, Brennan Evans, Terryn Valikodath, and Craig Jackson.
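A brute-forced VPN login followed by a successful session is the pattern a defender should be alerting on, and it is visible in authentication logs even when EDR coverage of the VPN appliance is thin. The script below is an added example for this article, not Cisco Talos code, and the log lines it parses are constructed for the example; the `vpn auth user=... src=... result=...` format and the threshold and window values are assumptions, not any product's real format.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed VPN authentication log (syslog-like), invented for this example.
# 203.0.113.10 hammers one account and then gets in; 198.51.100.7 is a user
# who mistypes a password once an hour earlier.
SAMPLE_VPN_LOG = """\
2024-08-01T02:10:01Z vpn auth user=jsmith src=203.0.113.10 result=FAIL
2024-08-01T02:10:03Z vpn auth user=jsmith src=203.0.113.10 result=FAIL
2024-08-01T02:10:05Z vpn auth user=jsmith src=203.0.113.10 result=FAIL
2024-08-01T02:10:07Z vpn auth user=jsmith src=203.0.113.10 result=FAIL
2024-08-01T02:10:09Z vpn auth user=jsmith src=203.0.113.10 result=FAIL
2024-08-01T02:10:12Z vpn auth user=jsmith src=203.0.113.10 result=SUCCESS
2024-08-01T02:11:00Z vpn auth user=mlee src=198.51.100.7 result=SUCCESS
2024-08-01T03:00:00Z vpn auth user=rkhan src=198.51.100.7 result=FAIL
2024-08-01T04:00:00Z vpn auth user=rkhan src=198.51.100.7 result=SUCCESS
"""

Event = namedtuple("Event", "ts user src result")

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log into Event tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["user"], m["src"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failures inside a sliding window.

    Returns {src: {"first_seen", "failures", "success_after", "last_user"}}.
    success_after becomes True if the same source later authenticates
    successfully, which is the case that warrants immediate response.
    """
    events = sorted(events, key=lambda e: e.ts)
    recent_fails = defaultdict(deque)  # src -> timestamps of failures in window
    flagged = {}

    for ev in events:
        q = recent_fails[ev.src]
        if ev.result == "FAIL":
            q.append(ev.ts)
            # Drop failures that have aged out of the window.
            while q and ev.ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ev.src,
                    {"first_seen": q[0], "failures": 0,
                     "success_after": False, "last_user": ev.user},
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["last_user"] = ev.user
        elif ev.result == "SUCCESS" and ev.src in flagged:
            flagged[ev.src]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_log(SAMPLE_VPN_LOG)).items():
        state = "FOLLOWED BY SUCCESS" if info["success_after"] else "no success yet"
        print(f"{src}: {info['failures']} failures since {info['first_seen']} ({state})")
```

The sliding window matters: the slow one-failure-per-hour pattern from 198.51.100.7 never accumulates enough failures inside ten minutes and is not flagged, while the burst from 203.0.113.10 is. Tracking the later success separately turns a noisy "many failures" alert into a specific "credentials now known to be valid" alert.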
