BlackByte Ransomware Has Hit US Critical Infrastructure, the FBI Announces
Entities in At Least Three Critical Infrastructure Sectors Were Compromised.
The FBI has announced that BlackByte ransomware has compromised several organizations in US critical infrastructure sectors. The attacks stretch back over the last three months and, according to the advisory, hit entities in at least three critical infrastructure sectors.
BlackByte Ransomware Targeting US Organizations
The US Federal Bureau of Investigation released a TLP:WHITE joint advisory on Friday, in collaboration with the US Secret Service, detailing BlackByte ransomware and its impact.
This joint Cybersecurity Advisory was developed by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) to provide information on BlackByte ransomware. As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.
The advisory also lists indicators of compromise (IOCs) that organizations can use to identify and mitigate attacks involving this ransomware. The IOCs consist of MD5 hashes of ASPX files found on compromised Microsoft Internet Information Services (IIS) servers, as well as commands run by the ransomware operators.
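A practical way to use the ASPX-hash IOCs is to sweep each IIS web root, hash every .aspx file and compare against the published list. The script below is an added example, not code from the advisory or from Heimdal. The hash values it uses are placeholders computed from constructed sample files so that it runs offline; on a real server you would replace `IOC_MD5` with the MD5 values from the FBI/USSS advisory and point `sweep_iocs` at the live web root. Because a hash match only catches known samples, it also lists recently written ASPX files as a second pass for an analyst to review.

```python
"""Hash-based sweep of an IIS web root for ASPX files on an IOC list.

Added example, not code from the advisory or from Heimdal. The hashes below
are placeholders computed from constructed sample files so the script runs
offline; replace IOC_MD5 with the MD5 values published in the FBI/USSS advisory.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed sample contents (NOT real BlackByte artefacts).
SAMPLE_SUSPECT = b'<%@ Page Language="C#" %><% /* constructed suspect sample */ %>'
SAMPLE_BENIGN = b'<%@ Page Language="C#" %><html><body>Hello</body></html>'

# Placeholder IOC set: the MD5 of the constructed suspect sample above.
IOC_MD5 = {hashlib.md5(SAMPLE_SUSPECT).hexdigest()}


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large uploads never have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_iocs(root: Path, ioc_hashes: set, suffixes=(".aspx",)) -> list:
    """Return (path, md5) for every file under root whose extension is in
    suffixes and whose MD5 is on the IOC list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in suffixes:
                continue
            digest = md5_file(path)
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def recently_modified(root: Path, days: int, suffixes=(".aspx",)) -> list:
    """Hash matching only finds known samples; a trivially re-packed file gets
    a new MD5. As a second pass, list ASPX files written in the last `days`
    days so an analyst can review anything the IOC list missed."""
    cutoff = time.time() - days * 86400
    recent = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in suffixes and path.stat().st_mtime >= cutoff:
                recent.append(path)
    return recent


def build_sample_tree() -> Path:
    """Create a constructed web root in a temp directory: one benign page that
    is a year old, one fresh file matching the placeholder IOC, and a .txt with
    the same content to show that the extension filter applies."""
    root = Path(tempfile.mkdtemp(prefix="wwwroot_"))
    benign = root / "index.aspx"
    benign.write_bytes(SAMPLE_BENIGN)
    year_ago = time.time() - 365 * 86400
    os.utime(benign, (year_ago, year_ago))
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "tmp.aspx").write_bytes(SAMPLE_SUSPECT)
    (uploads / "notes.txt").write_bytes(SAMPLE_SUSPECT)
    return root


if __name__ == "__main__":
    web_root = build_sample_tree()
    for path, digest in sweep_iocs(web_root, IOC_MD5):
        print(f"IOC match: {path} {digest}")
    for path in recently_modified(web_root, days=30):
        print(f"Recently written ASPX: {path}")
```

On a Windows host the same sweep can be typed as a one-liner with `Get-ChildItem -Recurse -Filter *.aspx | Get-FileHash -Algorithm MD5`, but keep in mind that any file the operators re-upload with a one-byte change will no longer match, which is why the recently-modified pass is worth running alongside the hash check.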
Mitigation Measures Recommended by the Two Agencies
The two agencies also shared in the advisory a set of mitigations against BlackByte ransomware. Among them:
- implement regular backups of all data, stored offline as air-gapped, password-protected copies;
- implement network segmentation;
- install antivirus on all hosts and keep it updated;
- enable real-time detection;
- patch operating systems in a timely manner;
- review domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts;
- audit user accounts with administrative privileges;
- configure access controls for these accounts according to the principle of least privilege;
- disable unused remote access/Remote Desktop Protocol (RDP) ports;
- disable hyperlinks in received emails;
- enable two-factor authentication.
BlackByte Impacting 49ers
We also wrote yesterday about the San Francisco 49ers, the American football club, being hit by BlackByte ransomware; the team announced over the weekend that it is recovering from a ransomware attack.
The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. (…) Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.
How Can Heimdal™ Help?
Ransomware is one of the most pressing threats in today's cybersecurity landscape. Use an effective Ransomware Encryption Protection tool to keep malicious encryption away from your network and stay protected from data loss and data exfiltration.