"BlackByte Ransomware Uses New Data Theft Tool for Double-Extortion"

A BlackByte ransomware affiliate is quickly stealing data from compromised Windows devices using a new custom data-stealing tool called 'ExByte.' Data exfiltration is one of the most important functions in double-extortion attacks, and ransomware operations such as ALPHV and LockBit are constantly working to improve their data theft tools. Other threat actors, such as Karakurt, do not bother encrypting local copies and focus solely on data exfiltration. Symantec security researchers discovered ExByte and found that threat actors use the Go-based exfiltration tool to upload stolen files directly to the Mega cloud storage service. When the tool is run, it performs anti-analysis checks to determine whether it is running in a sandboxed environment, and it also checks for debuggers and anti-virus processes. The same checks are also implemented in the BlackByte ransomware binary, but the exfiltration tool must run them independently because data exfiltration occurs before file encryption. If the checks pass, ExByte enumerates all document files on the compromised system and uploads them to a newly created folder on Mega using hardcoded account credentials. This article continues to discuss BlackByte and its new ExByte data theft tool for double-extortion.

Bleeping Computer reports "BlackByte Ransomware Uses New Data Theft Tool for Double-Extortion"

Submitted by Anonymous on