BlackByte ransomware using custom data exfiltration tool

An emerging ransomware crew may be about to make a leap into the upper echelons of the cybercrime ranks, according to new research.

Researchers with Symantec's Threat Hunter Team say the BlackByte ransomware group appears to have hit a key milestone in its growth with the development of custom-built malware components.

The Threat Hunter Team obtained samples from an affiliate that showed a custom exfiltration tool in use during its attacks; BlackByte uses a ransomware-as-a-service (RaaS) model where sell their ransomware code to hackers known as affiliates. Known as Exbyte, the exfiltration tool is able to upload harvested data to Mega's cloud storage service and contains components to spot and evade malware detection and analysis tools.

"In terms of technical sophistication, it is somewhat more advanced than similar tools we have seen in the past," Dick O'Brien, principal intelligence analyst for Symantec's Threat Hunter Team, told TechTarget Editorial.

"For a start, it is written in Go and it is also stealthier in terms of the lengths it goes to prevent it being run in a sandbox and analyzed," he said. "It also creates a new upload folder for each victim, which makes it easier from the attackers' perspective to identify and manage stolen data."

While the use of the custom exfiltration tool is noteworthy, the researchers say what is of greater importance is what the release of Exbyte signifies. In using custom malware components, BlackByte puts itself in the company of some of the largest ransomware operations in the world.

The fear is that by developing the capability to get its own custom malware, BlackByte is in fact poising itself for a massive uptick in attacks as it attempts to make a name for itself with the major players in ransomware affiliate circles.

"The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats," Symantec's Threat Hunter Team said in the report.

O'Brien said that sort of push could take some time, as BlackByte only arrived on the scene in February, though the group is well on its way.

"To reach the scale of Conti or LockBit, they need to attract a lot of affiliates," O'Brien explained.

"There are many factors that determine that scale, including the effectiveness of the payload -- how long it takes to encrypt files and how difficult it is to detect -- and the infrastructure around the ransomware such attacker control panels, data leak sites and so on."

BlackByte ransomware was first observed in 2021 in attacks that exploited the ProxyShell vulnerabilities in Microsoft Exchange Server. Earlier this month, Sophos researchers discovered the RaaS group was using a vulnerable driver in an overclocking tool to bypass extended detection and response products.

The emergence of a large operator like BlackByte would also be bad news for any sort of lingering decline in ransomware activities. Earlier this month, security vendor Cyberint reported that overall ransomware volumes were down, with LockBit 3.0 accounting for more than one third of all attacks.

The same report noted, however, that several new malware families had emerged and were likely to eventually make up for the void left by the departure of Conti and other prominent RaaS groups.