Fast and dangerous: Microsoft revealed the secret of the BlackByte extortionist gang
It only takes five days for attackers to turn the victim organization’s routine upside down.
Microsoft Threat Intelligence, a division of the Microsoft corporation, recently investigated BlackByte 2.0 ransomware attacks and showed how fast and devastating the cyberattacks of these internet villains can be.
According to the experts, the hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They do not waste a second: they quickly penetrate systems, methodically encrypt important data, and then demand a ransom for its restoration.
Such a short timeline for attacks is a big challenge for organizations that are desperate to protect themselves from the malicious influence of attackers.
The BlackByte hackers use a powerful combination of tools and techniques to carry out their attacks. The study showed that they successfully exploit vulnerabilities in unpatched Exchange servers. This is how the cybercriminals gain a stable initial foothold in targeted networks and set the stage for subsequent malicious activity.
The ransomware also uses process hijacking and antivirus bypass techniques to ensure successful encryption and evade detection. In addition, advanced web shells provide the hackers with remote access and control, allowing them to remain on infected systems for a long time without being noticed.
The Microsoft report also noted the use of the Cobalt Strike framework, which facilitates C2 operations on compromised systems, as well as the use of a completely legitimate remote access tool, AnyDesk. The combination of these tools gives the attackers a wide range of options, making it difficult for organizations to defend themselves.
In addition to these tactics, the researchers identified several other disturbing practices the cybercriminals use. They often rely on living-off-the-land (LotL) techniques to masquerade as legitimate processes and avoid detection.
The attackers also change the data backup settings on infected machines and delete any backups to prevent data recovery, and specially crafted backdoors give the criminals continued access after the initial compromise.
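Tampering with backups is one of the more visible steps in the chain described above, because it is done with built-in Windows utilities whose command lines an EDR or Sysmon sensor records. The following script is an added example, not code from the Microsoft report: it runs a few detection rules over constructed process-creation events and raises the severity when the parent process is an IIS worker (`w3wp.exe`), which is what a web shell on an Exchange server would look like. The event format, the rule names and the sample commands are all assumptions made for the example.

```python
import re

# Constructed process-creation events, in the shape an EDR might record them.
# None of these come from the Microsoft report; they exist only to exercise the rules.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "cmd": "notepad.exe C:\\notes.txt"},
    {"host": "srv-exch1", "user": "SYSTEM", "parent": "w3wp.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "srv-exch1", "user": "SYSTEM", "parent": "w3wp.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"host": "fs01", "user": "backupsvc", "parent": "services.exe",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "dc01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
]

# Detection rules for destructive use of the native backup and recovery tools.
# Legitimate backup jobs (e.g. "wbadmin start backup") deliberately do not match.
BACKUP_TAMPER_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmi_shadow_copy_deletion": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
}

# Parent processes that have no business launching backup utilities. A web
# server worker as the parent is the web-shell pattern from the article.
SUSPICIOUS_PARENTS = {"w3wp.exe"}


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pat in BACKUP_TAMPER_RULES.items() if pat.search(cmdline)]


def hunt(events):
    """Scan process-creation events and return one finding per tampering command."""
    findings = []
    for ev in events:
        rules = match_rules(ev["cmd"])
        if not rules:
            continue
        parent = ev["parent"].lower()
        severity = "critical" if parent in SUSPICIOUS_PARENTS else "high"
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "rules": rules,
            "severity": severity,
            "cmd": ev["cmd"],
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} via {f['parent']}: "
              f"{', '.join(f['rules'])} :: {f['cmd']}")
```

In a real deployment the same rules would be expressed in the SIEM's query language and fed from the EDR telemetry, but the logic is the same: the commands themselves are rare in normal administration, and an unexpected parent process turns a high-severity alert into a critical one.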
The alarming rise in BlackByte attacks calls for immediate action from organizations around the world, which is why Microsoft has provided some practical advice.
First of all, the experts call for restricting administrator rights for corporate employees and implementing reliable update management procedures so that critical security patches are applied in a timely manner. Next, it is worth deploying a reliable EDR solution and high-quality antivirus software. Enabling Windows Tamper Protection would not be superfluous either.
Besides, in its report the experts provided indicators of compromise (IoC), including the IP addresses the attackers use in their operations. By blocking all incoming traffic from these addresses, as well as access from public VPN services and unauthorized Tor exit nodes, a company can significantly increase its security against such attacks.
However, the most important thing that can save you from a cyberattack is simple vigilance and awareness. If a company employee knows about all the possible compromise scenarios, they will think twice before running a dubious file received from a “colleague” by e-mail, and will consult the security department more often before taking certain actions.
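The advice to block the published IoC addresses, public VPN services and Tor exit nodes is easy to turn into a hunting step over existing firewall logs before the block is even in place. The script below is an added example and not code from the Microsoft report: the IoC addresses and the "anonymizing egress" network are constructed placeholders from the RFC 5737 documentation ranges (the real indicators are in Microsoft's report), and the key=value log format is an assumption. It flags inbound flows from those addresses and, going slightly beyond the article's wording, also outbound flows to them, since a host talking to a known C2 address is the same compromise seen from the other side.

```python
import ipaddress
import re

# Constructed placeholders standing in for the IoC list in the Microsoft report.
IOC_ADDRESSES = {"203.0.113.10", "203.0.113.55", "198.51.100.7"}

# Constructed placeholder for a public VPN / Tor exit node feed.
ANON_EGRESS_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed firewall log lines (simple key=value format assumed for the example).
SAMPLE_FIREWALL_LOG = """\
2023-07-06T10:01:12Z action=allow dir=in src=10.0.5.21 dst=10.0.1.10 dport=443
2023-07-06T10:02:40Z action=allow dir=in src=203.0.113.10 dst=10.0.1.10 dport=443
2023-07-06T10:03:05Z action=allow dir=in src=192.0.2.7 dst=10.0.1.10 dport=443
2023-07-06T10:04:58Z action=allow dir=out src=10.0.1.10 dst=198.51.100.7 dport=4444
2023-07-06T10:05:30Z action=deny dir=in src=203.0.113.55 dst=10.0.1.12 dport=25
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>in|out) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_address(addr):
    """Return 'ioc', 'anon_egress' or None for a single peer address."""
    if addr in IOC_ADDRESSES:
        return "ioc"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ANON_EGRESS_NETWORKS):
        return "anon_egress"
    return None


def hunt(log_text):
    """Return a finding for every flow whose external peer is an IoC or anonymizing address."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # The external peer is the source of an inbound flow and the destination of an outbound one.
        peer = ev["src"] if ev["dir"] == "in" else ev["dst"]
        reason = classify_address(peer)
        if reason is None:
            continue
        findings.append({
            "ts": ev["ts"],
            "peer": peer,
            "reason": reason,
            "dir": ev["dir"],
            "action": ev["action"],
            "dport": int(ev["dport"]),
        })
    return findings


def blocklist(findings):
    """Distinct peer addresses seen in the findings, sorted numerically for a firewall rule set."""
    return sorted({f["peer"] for f in findings}, key=ipaddress.ip_address)


if __name__ == "__main__":
    results = hunt(SAMPLE_FIREWALL_LOG)
    for f in results:
        print(f"{f['ts']} {f['dir']:>3} {f['action']:>5} peer={f['peer']} "
              f"dport={f['dport']} reason={f['reason']}")
    print("block:", ", ".join(blocklist(results)))
```

Flows that the firewall already denied are still reported, because a denied connection attempt from a listed address is itself evidence that the organization is being probed; the allowed ones are the hosts to triage first.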