August 29, 2024
Severity
High
Analysis Summary
The BlackByte ransomware group has been found exploiting a recently patched vulnerability, CVE-2024-37085, in VMware ESXi hypervisors as well as using vulnerable drivers to bypass security protections.
This vulnerability allows attackers to gain administrative privileges on VMware ESXi hypervisors, giving them control over virtual machines and system configurations. BlackByte's use of this flaw so soon after its disclosure shows the group's agility in incorporating newly discovered vulnerabilities into its tactics to enhance its ransomware attacks. The group's operations also include leveraging weak drivers to disable security measures (a technique known as Bring Your Own Vulnerable Driver, or BYOVD) and using valid credentials, potentially obtained through brute-force attacks, to access organizational VPNs.
According to the researchers, since its emergence in 2021, BlackByte has evolved from using C# to more complex programming languages like Go and C/C++ to make its malware more resistant to detection and analysis. The group's ransomware-as-a-service (RaaS) model often employs double extortion tactics, including data theft and a name-and-shame approach on dark web leak sites to pressure victims into paying ransoms. BlackByte has a history of targeting vulnerabilities in public-facing systems, such as the ProxyShell flaws in Microsoft Exchange Server, and it continues to avoid systems that use Russian and some Eastern European languages, aligning with the tactics of several other ransomware groups.
Recent attacks indicate a shift in BlackByte's strategy to use VPNs for remote access, which reduces the visibility of their activities to endpoint detection and response (EDR) systems. Additionally, the group employs a custom tool named ExByte for data exfiltration before deploying their ransomware payload. These attacks often culminate with files being encrypted with the ".blackbytent_h" extension and the deployment of vulnerable drivers to disarm security defenses. This evolving approach underscores BlackByte's commitment to refining its tactics and enhancing its malware's capabilities against various sectors including professional, scientific, technical services, manufacturing, and education.
The broader cybersecurity landscape also shows increasing sophistication and connections among ransomware groups. Researchers have highlighted similarities between the tactics of BlackByte and other ransomware strains like Brain Cipher and RansomHub, with the latter known for recruiting former affiliates of the Scattered Spider group. RansomHub and other ransomware groups continue to exploit initial access brokers, compromised accounts, and public VPNs to gain access to target networks, exemplifying the evolving and collaborative nature of ransomware operations targeting diverse sectors globally.
Impact
- Security Bypass
- Unauthorized Access
- Sensitive Data Theft
- Double Extortion
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.