
BlackByte Ransomware Exploits VMware ESXi Flaw Launching A New Wave of Cyber Threats

The BlackByte ransomware group is back, and this time, they're exploiting a newly patched vulnerability in VMware ESXi hypervisors, raising alarm across the cybersecurity landscape. The group, notorious for its ransomware-as-a-service (RaaS) model, has leveraged this flaw (CVE-2024-37085) to compromise systems, marking a significant evolution in their attack strategy.

Exploiting VMware ESXi: A Dangerous Shift

In a recent attack wave, BlackByte was observed exploiting CVE-2024-37085, an authentication bypass in Active Directory-integrated VMware ESXi hosts. An affected host grants full administrative access on the hypervisor to members of a domain group whose name it trusts by default (the "ESX Admins" group), without verifying that the group existed before the host was joined, so an attacker who can create or rename a domain group inherits control of the hypervisor. The flaw had already been observed in use by other ransomware operators when it was disclosed in July 2024, but BlackByte's adoption of it signals a dangerous pivot in their tactics. Exploiting it let the threat actors escalate privileges, gain unauthorized access to system logs, and control the virtual machines (VMs) running on the host.
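The directory-side footprint of an attack on this flaw is a group being created, renamed, or populated under the name the ESXi host trusts. The following hunt over Windows Security event records is an added example, not code from the article or from Cisco Talos; it assumes the mechanism described in the vendor advisory (a per-host admin group name, "ESX Admins" by default), and the event records it runs on are constructed for the example and already normalized into plain dicts.

```python
"""Hunt for the Active Directory side of CVE-2024-37085 in Windows Security
event records (added example; not code from the article or from Cisco Talos).

Mechanism assumed, per the VMware advisory and Microsoft's disclosure: an
AD-joined ESXi host grants full administrative rights to members of a domain
group named "ESX Admins" (the name is a per-host setting) without checking
that the group existed before the join, so anyone who can create or rename a
domain group can take over the hypervisor. The records below are constructed
for this example and already normalized from the Security log into dicts.
"""
from datetime import datetime

GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
GROUP_CHANGED = {4737, 4735, 4755}   # group changed; a rename into the target name lands here
MEMBER_ADDED = {4728, 4732, 4756}    # member added to one of those group types


def is_admin_group(name, admin_group):
    """SAM account names are case-insensitive, so compare after folding case."""
    return name.strip().lower() == admin_group.strip().lower()


def hunt(records, admin_group="ESX Admins"):
    """Return every record that creates, renames to, or populates the ESXi admin group."""
    findings = []
    for r in records:
        if not is_admin_group(r.get("group", ""), admin_group):
            continue
        eid = r["event_id"]
        if eid in GROUP_CREATED:
            detail = "domain group created with the ESXi admin group name"
        elif eid in GROUP_CHANGED:
            detail = "existing group renamed to the ESXi admin group name"
        elif eid in MEMBER_ADDED:
            detail = f"member {r.get('member')} added to the ESXi admin group"
        else:
            continue
        findings.append({"time": r["time"], "event_id": eid,
                         "subject": r["subject"], "detail": detail})
    return findings


def correlate(findings, window_minutes=60):
    """Subjects that set the group up and then added a member within the window.

    A legitimate deployment creates the group once, usually long before anyone
    is added; an attacker does both in quick succession, so this subset is the
    one worth paging on.
    """
    by_subject = {}
    for f in findings:
        by_subject.setdefault(f["subject"], []).append(f)
    escalated = set()
    for subject, evs in by_subject.items():
        setup = [datetime.fromisoformat(e["time"]) for e in evs
                 if e["event_id"] in GROUP_CREATED | GROUP_CHANGED]
        adds = [datetime.fromisoformat(e["time"]) for e in evs
                if e["event_id"] in MEMBER_ADDED]
        if any(0 <= (a - s).total_seconds() <= window_minutes * 60
               for s in setup for a in adds):
            escalated.add(subject)
    return escalated


# Constructed sample: one attacker-style create-then-add sequence, one rename
# into the trusted name (different case), and two benign group operations.
SAMPLE_RECORDS = [
    {"time": "2024-08-01T02:10:00", "event_id": 4727, "subject": "CORP\\jdoe",
     "group": "ESX Admins"},
    {"time": "2024-08-01T02:11:30", "event_id": 4728, "subject": "CORP\\jdoe",
     "group": "ESX Admins", "member": "CORP\\jdoe"},
    {"time": "2024-08-01T09:00:00", "event_id": 4727, "subject": "CORP\\hr-admin",
     "group": "Finance-Reports"},
    {"time": "2024-08-02T01:45:00", "event_id": 4737, "subject": "CORP\\svc-backup",
     "group": "esx admins"},
    {"time": "2024-08-02T10:00:00", "event_id": 4728, "subject": "CORP\\it-admin",
     "group": "Domain Users", "member": "CORP\\newhire"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_RECORDS)
    for f in found:
        print(f["time"], f["event_id"], f["subject"], f["detail"])
    print("escalate:", sorted(correlate(found)))
```

On the sample data the hunt returns three findings (the creation, the membership add, and the case-variant rename) and `correlate` escalates only `CORP\jdoe`, who did the create and the add ninety seconds apart. Expect one legitimate creation finding per domain if the group was provisioned on purpose; baseline that, and pass the host's configured group name as `admin_group` if it has been renamed away from the default, which the advisory recommends alongside disabling the automatic admin mapping on the host.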

Exploiting public-facing vulnerabilities for initial access is not new for BlackByte. What stands out in this wave is initial entry through the victim's VPN with valid credentials, likely obtained by brute force. Working over the VPN rather than through an exploited beachhead host keeps much of the intrusion off instrumented endpoints, which reduces what the organization's endpoint detection and response (EDR) tooling can see and makes the attack harder to spot.

The Role of Vulnerable Drivers in Disabling Security

A key component of BlackByte's attack strategy is the use of vulnerable drivers to disarm security protections, a technique known as "bring your own vulnerable driver" (BYOVD). The drivers carry legitimate vendor signatures, so Windows loads them; the attacker then abuses their privileged functionality from kernel mode to terminate protected security processes and bypass controls. In their latest attack, BlackByte deployed multiple such drivers, including RtCore64.sys, DBUtil_2_3.sys, zamguard64.sys, and gdrv.sys. The method has proven highly effective at evading detection, allowing the ransomware to spread rapidly across networks.
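Because BYOVD drivers are validly signed, a signature check alone will not catch them; the useful signals are the driver's identity (name and, more robustly, its hash) and where it was loaded from. The triage below over Sysmon DriverLoad (Event ID 6) records is an added example, not code from the article or from Cisco Talos. The driver file names come from the article; the SHA-256 values, the event records, and the path list are constructed placeholders for this example.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD activity of the kind
the article attributes to BlackByte (added example; not code from the article
or from Cisco Talos).

The driver names are the ones reported in the attack. The SHA-256 values and
the event records are constructed placeholders; in production, populate the
hash set from a curated source such as loldrivers.io or Microsoft's vulnerable
driver blocklist, because an attacker can rename a driver but not change its
hash without breaking the signature that makes it useful.
"""
import ntpath

# Driver file names reported in the attack described above (compared case-insensitively).
KNOWN_VULNERABLE_NAMES = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}

# Placeholder hashes standing in for a real vulnerable-driver blocklist (constructed).
BLOCKLIST_SHA256 = {"deadbeef" * 8, "cafebabe" * 8}

# Kernel drivers legitimately live under the Windows directory; a driver loaded
# from a user-writable location is a strong BYOVD signal by itself.
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                            "c:\\windows\\temp\\", "c:\\temp\\")


def parse_hashes(field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' field into a dict of lowercase hex."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event, blocklist=BLOCKLIST_SHA256):
    """Return the reasons one Event ID 6 record looks like BYOVD (empty list if clean)."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    hashes = parse_hashes(event.get("Hashes", ""))
    reasons = []
    if name in KNOWN_VULNERABLE_NAMES:
        reasons.append(f"known-vulnerable driver name {name}")
    if hashes.get("SHA256") in blocklist:
        reasons.append("SHA-256 on vulnerable-driver blocklist")
    if image.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append(f"kernel driver loaded from user-writable path {image}")
    # A BYOVD driver is usually validly signed, so this check mainly catches
    # other tampering; it is kept because a kernel load with a bad signature
    # status is always worth a look.
    if str(event.get("Signed", "")).lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    return reasons


def scan(events, blocklist=BLOCKLIST_SHA256):
    """Run triage over a batch of records and keep only those with at least one reason."""
    findings = []
    for ev in events:
        reasons = triage_driver_load(ev, blocklist)
        if reasons:
            findings.append({"time": ev.get("UtcTime"), "image": ev.get("ImageLoaded"),
                             "reasons": reasons})
    return findings


# Constructed sample: a named vulnerable driver from a public folder, a normal
# system driver, a renamed copy caught only by hash, and a named driver in Temp.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-08-01 02:14:07.112", "ImageLoaded": "C:\\Users\\Public\\RtCore64.sys",
     "Hashes": "SHA256=" + "DEADBEEF" * 8, "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-01 02:14:09.501", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-01 02:15:41.007", "ImageLoaded": "C:\\ProgramData\\upd\\svc.sys",
     "Hashes": "SHA256=" + "CAFEBABE" * 8, "Signed": "true", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-08-01 02:16:03.882", "ImageLoaded": "C:\\Windows\\Temp\\gdrv.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["time"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

The renamed `svc.sys` record is the reason to key on hashes rather than names: it trips only the blocklist and path checks, which is exactly what a name-only rule would miss. All four sample drivers report a valid signature, as real BYOVD loads do, so the signature check contributes nothing here and the findings rest on identity and load path.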

Evolution in Ransomware Techniques

BlackByte's progression from using C# to Go, and now to C/C++, in their ransomware encryptor reflects a deliberate effort to enhance the malware's resilience against detection and analysis. The latest version, BlackByteNT, incorporates advanced anti-analysis and anti-debugging techniques, making it more challenging for cybersecurity professionals to counter the threat.

This adaptability is part of a broader trend among ransomware groups, as highlighted by recent research. The disclosure from Cisco Talos comes alongside findings from Group-IB, which detailed the tactics of other ransomware strains like Brain Cipher and RansomHub. These groups, similar to BlackByte, have evolved their methods, adopting new programming languages and techniques to stay ahead of security measures.

The Ongoing Threat

The professional, scientific, and technical services sectors are among the most exposed to these types of ransomware attacks, with manufacturing and educational services also at significant risk. Despite some efforts to combat BlackByte—such as the release of a decryptor by Trustwave in October 2021—the group has continued to refine its operations, employing custom tools like ExByte for data exfiltration before encryption.

The speed at which BlackByte and other ransomware groups exploit newly disclosed vulnerabilities is a stark reminder of the ever-present threat they pose. As they continue to adapt and refine their techniques, organizations must remain vigilant, ensuring their systems are patched promptly and that security measures are robust enough to counter these evolving attacks.

Final Thoughts

BlackByte's latest attack wave underscores the importance of proactive cybersecurity measures. As ransomware groups like BlackByte continue to evolve, leveraging new vulnerabilities and techniques, organizations must stay ahead of the curve to protect their critical infrastructure. The battle against ransomware is far from over, and staying informed is the first step in safeguarding your digital assets.
