"BlackByte Ransomware Gang Believed to Be More Active Than Leak Site Suggests"

BlackByte is a ransomware-as-a-service brand believed to be an off-shoot of Conti.  It was first seen in 2021.  Security researchers at Talos have observed the BlackByte ransomware brand employing new techniques in addition to their standard TTPs.  The researchers found that BlackByte has been considerably more active than previously assumed.  The researchers stated that the group has been significantly more active than would appear from the number of victims published on its data leak site but cannot explain why only 20% to 30% of BlackByte’s victims are posted.  The researchers noted that BlackByte now uses brute-forcing to gain initial access to accounts with a conventional name and a weak password via a VPN interface.  This could represent opportunism or a slight shift in technique since the route offers additional advantages, including reduced visibility from the victim’s EDR.  New to researchers, the encryptor now drops four vulnerable drivers as part of the brand’s standard Bring Your Own Vulnerable Driver (BYOVD) technique.  Earlier versions dropped just two or three.  The researchers noted a progression in programming languages used by BlackByte, from C# to Go and subsequently to C/C++ in the latest version, BlackByteNT. This allows advanced anti-analysis and anti-debugging techniques, a known practice of BlackByte.

SecurityWeek reports: "BlackByte Ransomware Gang Believed to Be More Active Than Leak Site Suggests"