BlackByte Ransomware Gang Reborn, FBI Gives Tips To Prevent Hacking

JAKARTA - The ransomware gang, BlackByte, seems to be reborn after targeting at least three critical US infrastructure sectors. Therefore, this one gang cannot be underestimated.

BlackByte is a ransomware-as-a-service (RaaS) operation that rents out its ransomware infrastructure to others in exchange for a ransom.

The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims around the world.

In the posted warning, the FBI and Secret Service (USSS) cybersecurity adviser warned that the ransomware gang had endangered many U.S. and foreign businesses, including at least three attacks on critical U.S. infrastructure, such as government facilities, financial services, food and agriculture. .

According to reports from the FBI and the Secret Service, BlackByte had several early successes, such as attacks on the manufacturing, healthcare, and construction industries in the United States (US), Europe, and Australia.

After a few months, the gang had a rough time when cybersecurity firm Trustwave released a decryption tool that allowed BlackByte victims to recover files for free that the ransomware gang had stolen.

Some people believe that the ransomware is the work of an amateur, the ransomware downloads and executes the same key to encrypt files in AES, not a unique key for each session. Despite this setback, it seems that BlackByte's operation is back with a vengeance

As TechCrunch reported, Tuesday, February 15, now cyber advisors from both agencies are focused on providing compromise indicators (IOCs) that organizations can use to detect and defend against BlackByte attacks.

IOCs associated with BlackByte activity include MD5 hashes of suspicious ASPX files found on compromised Microsoft Internet Information Services (IIS) servers and a list of commands that ransomware operators use during attacks.

Both the FBI and USSS share a few tips for avoiding the BlackByte attack below:

Implement regular backups of all data to save as a password-protected offline copy. Make sure this copy cannot be accessed for modification or deletion from any system where the original data resides. Implement network segmentation, so that all machines on your network are not accessible from every other machine. Install and update antivirus software regularly on all hosts, and enable real-time detection. Install operating system, software, and firmware updates or patches as soon as they are released. Review domain controllers, servers, workstations, and Active Directory for new or unknown user accounts. Audit user accounts with administrative privileges and configure access control with the least privileges in mind. Do not grant all users administrative rights. Disable unused remote access ports or Remote Desktop Protocol (RDP) and monitor remote access or RDP logs for unusual activity. Consider adding an e-mail banner to e-mail received from outside your organization. Disable hyperlinks in received emails. Use dual authentication when logging into an account or service. Ensure regular audits are performed for all accounts. Ensure that all identified IOCs are entered into the SIEM network for ongoing monitoring and alerting.