The FBI and US Secret Service today released a joint cybersecurity advisory on pervasive ransomware-as-a-service group BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors — government facilities, financial, and food and agriculture — as well as others outside the US.
BlackByte is known for encrypting victim files on Windows systems and virtual machines, and, according to the FBI and USSS, the attackers exploited "a known Microsoft Exchange Server" vulnerability on some victim systems.
"In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur," according to the advisory, which includes specific mitigation methods for the ransomware. "A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. Process injection has been observed on processes it creates."