Free Decryptor Released for Ransomware Strain


But attackers in name and shame are likely retooling after spotting encryption issues

Mathew J. Schwartz (euroinfosec) •
October 15, 2021

BlackByte ransom note with victim key highlighted (Source: Trustwave)

A free decryptor for the BlackByte ransomware has been released by security researchers who deciphered the crypto-lock malware encryption.

See also: Live Webinar | A buying guide: what to consider when evaluating a CASB

Trustwave, a Chicago-based cybersecurity and managed security service provider owned by Singaporean telecommunications company Singtel Group Enterprise, announced on Friday the release of the free decryptor, available for download on GitHub.

The company says it obtained the malware sample it analyzed as part of a digital forensics and incident response engagement. The company declined to share details about the victim, such as the industry or geographies in which they operate, and said it was also not clear how the victim was initially infected.

Unfortunately, the underlying encryption problem in BlackByte is probably already being addressed by the malware developer, says Karl Sigler, senior security research manager, Trustwave SpiderLabs.

“Information security has always been and always will be a cat-and-mouse game between good guys and malicious attackers,” he told Information Security Media Group. “In this specific case, however, it appears that the actors behind BlackByte realized the weakness of their encryption mechanism and already took the key offline even before our analysis or decryptor was released. Most likely, they realized. the flaw and seek to retool and reissue. ”

Weak encryption in malware

But the flaw means anyone affected by a version of the malware that contains weak encryption should be able to decrypt their files for free.

“Based on the encryption key being taken offline, this specific version is probably dead for all intents and purposes,” Sigler said. “We are actively monitoring to see if the ransomware family is revised or resurrected for a new campaign. Attackers typically re-equip their ransomware weapons instead of creating brand new ones.”

Trustwave claims to have made no attempt to contact any alleged victims of BlackByte.

“We have not contacted any of the alleged victims, and have no idea who may have been affected by this ransomware beyond the organization that engaged with our digital forensics and incident response team. to further investigate the ransomware, ”Sigler said. . “Our hope is that by publicly releasing a detailed analysis of the ransomware and the decryption tool, we can help organizations, law enforcement and other security companies understand and deal with the threat. even the necessary precautions and actions. “

BlackByte: not a major player

Most ransomware developers today run ransomware as a service operations, in which they recruit affiliates to infect victims with their malware and then promise to share the profits whenever a victim pays.

Security experts say the largest and most advanced ransomware operations, which often hunt big games – that is, targeting large organizations looking for bigger ransoms – include BlackMatter, formerly known as DarkSide; Conti; LockBit; and REvil, aka Sodinokibi; and Ryuk. BlackByte, however, doesn’t appear to be a major player, at least for now.

Based on 137,537 submissions to Emsisoft and the free ID Ransomware site, and excluding Stop / Djvu ransomware (Source: Emsisoft)

In an attempt to force victims to pay, many ransomware operations run dedicated data breach sites, accessible only through the anonymous Tor network. As of October 4, for example, Israeli threat intelligence firm Kela claims that these 12 ransomware groups have listed new victims on their data breach sites: AtomSilo, Avos, BlackByte, BlackMatter, Conti, Grief, Hive. , LockBit, Pysa, REvil / Sodinokibi, Spook, Vice Society and Xing. However, many other ransomware operations including Ryuk do not run data leak sites.

New BlackByte victims listed

BlackByte seems to have recently redesigned its data leak site. Previously, the site listed victims and a link to download samples of stolen files, “but the ransomware itself has no exfiltration functionality,” Trustwave notes in a technical analysis. “Is it probably just to scare their victims?”

The latest victims published on the BlackByte site, appearing on Friday and Thursday, respectively, were an American fire alarm system and sprinkler installation company, as well as a United States manufacturer of disposable infection control products for the healthcare industry. health.

Victims’ countdowns on Friday showed 28 days and 27 days, respectively, to pay an unspecified ransom amount. For both, a “free download” link led to the anonymous file download service Anonfile, which hosted a file each, less than 5MB, containing allegedly stolen data.

It’s not clear when the alleged victims were hit with ransomware, and whether it could have been with a new version that fixed the encryption flaws spotted by Trustwave – and potentially others.

In terms of timing, attackers will usually use their data breach site to try to name and shame victims for paying, days or weeks after a victim has pushed back their initial claims.

But it’s not clear whether any of the allegedly stolen information is sensitive or was obtained by attackers through advanced hacking techniques.

“The exfiltrated files seemed to be a bluff to the Trustwave researchers, as BlackByte has no exfiltration functionality,” says Sigler. If so, it wouldn’t be the first time attackers using ransomware have lied about the theft of sensitive data.

“If the actors somehow got their hands on victim files, it was through another channel or potentially seized during the initial compromise as a separate task,” he said. .

Technical analysis

According to the technical analysis of the version of BlackByte obtained by Trustwave, the malware is delivered to a system using a JavaScript launcher file.

The file is part of a process designed to decode and launch malicious payload, which is a .NET DLL file designed to evade Microsoft’s malware scanning interface and prepare a system for most of its files to be. encrypted by force. Trustwave says the malware can also adjust registry settings to elevate privileges, identify other systems through Active Directory, and mount external drives.

For this worm-like capability, “this malware does not require administrator-level access to Active Directory,” says Sigler. “Instead, it uses a common ‘pass the hash’ technique using the LocalAccountTokenFilterPolicy registry key to access the local administrator. It then uses that high local access for network and share enumeration.”

For systems identified through Active Directory, the malware can send a “magic packet” that executes a wake-on-LAN command, which wakes up offline devices so that they can be encrypted.

BlackByte JavaScript execution flow (Source: Trustwave)

Like many other types of ransomware, however, Trustwave says that BlackByte first checks a system’s default language to see if the device appears to be located in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Russia, Tajikistan. , Turkmen, Ukraine or Uzbekistan. If so, the malware quits.

Security experts say most ransomware operators appear to be Russian-speaking and will avoid attacking targets in Russia or any other country within the Soviet Union, in an attempt to avoid law enforcement retaliation local.

For continuing infections, Trustwave reports that the version of BlackByte it scanned would download a supposed PNG image file from an external server, which contains the information needed for the ransomware to generate a key and encrypt the files. “If the ransomware fails to download the key, it will crash and prevent the infected system from encrypting its files,” he says. Otherwise, the ransomware begins enumerating drives for encryption, it says, using an “AES symmetric key algorithm” derived from the PNG image file.

The required PNG file is no longer live, according to Trustwave, which supports its analysis that the developers of BlackByte have likely already spotted weak encryption and are preparing a new version of their ransomware.


Leave A Reply