The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) released a joint Cybersecurity Advisory in regards to the recent activities of the BlackByte Ransomware-as-a-Service (RaaS) gang. BlackByte ransomware has been used against a variety of businesses in the US.
Although the techniques BlackByte uses may not be sophisticated, it doesn’t mean they aren’t impactful. BlackByte has returned with a vengeance and it is important for businesses to be aware of the impact of BlackByte and to take measures to protect themselves in the event of becoming the RaaS’s gang next victim.
After the joint advisory was released, I reached out to tech experts to get a deeper understanding of BlackByte ransomware and the gang’s impact on critical infrastructures. Let’s take a look at what they shared:
Anthony Buonaspina, BSEE, BSCS, CPACC | CEO and Founder, LI Tech Advisors
“The San Francisco 49ers were attacked by a BlackByte ransomware attack. These types of attacks could be catastrophic, especially if a team had a chance to reach the Super Bowl. This might have been avoided if the 49ers had a strong defensive line in regards to cybersecurity.
NFL teams need to protect themselves against cybercrimes and make sure that they can quickly recover if attacked. These five steps should be taken to ensure that an organization is doing everything it can to prepare and recover from a cyber-attack.”
- Train your employees – One of the weakest security points are your employees. Ongoing training is very important to maintain a heightened level of awareness of cyber threats. Purchase a cyber security training service that will automatically send out fake phishing attempts to test your employees and train them if they fail.
- Secure your hardware – make sure you are using the latest security patches and complicated passwords are being implemented.
- Use 2-factor authentication where possible. Also, make sure that you turn on BitLocker device encryption for all your Windows 10 devices and enable remote wipe any mobile devices that might be lost or stolen in order to protect the data it has access to.
- Encrypt and Backup data – you need to make sure you prevent physical access to sensitive data and also render it useless if it falls into the wrong hands. Data encryption is the best “quick fix” for data breaches. If a data breach should occur, the data would be inaccessible.
- Perform a network security scan – you should periodically run a network security scan of your network to see what devices are attached and where security holes may reside.
- Invest in cyber insurance – consider this business continuity insurance in the event that any of the security measures you have taken fail. If you fall prey to a ransomware attack, cyber insurance will help you recover by offering financial support to quickly remediate the issue.
Ilan Sredni | CEO & President | Palindrome Consulting
“BlackByte has been active since the summer of 2021, it is not that new. The ransomware RaaS is known for hacking corporate networks. RaaS (Ransomware as a Service) means that they offer this service to 3rd parties and they are not necessarily the ones trying to hack and collect.”
- Backup your data and regularly test them. Keep the backups in an airgap, away from your regular network.
- Update and patch systems and make sure all systems are reporting back to the updating tool, especially when security updates for operating systems and applications are available.
- Create or test the incident response plan: Do a dry run through the plan to identify gaps and assignments to members that may no longer be there.
- Employee education: The weakest part of most networks will be the employee who is least trained and clicks on the wrong link.
We have gathered a lot of experience in addressing ransomware protection and response, unfortunately. I would encourage everyone to follow the checklist.
Jon Fausz | Director of Operations | 4BIS.COM
“BlackByte is a Ransomware as a Service group. What that means is they provide a tailored business process for people who want to use them to attack companies. In simple terms. Bad guys without the hacking knowledge pay BlackByte to hack businesses. Think of it like a hitman but for hacking.
Most of the hacking in 2022 exists because of money. These hacking organizations are run like big businesses, and they have a product to sell. That product is normally company data. In BlackByte’s case, they are selling their hacking knowledge to less talented individuals. This makes these firms very dangerous. They can specialize and hone their skills because they are not compensated for the data that they steal but from prepaid customers.
Big business hacking will only go away when organizations fight back, launch an effective defense, and refuse to pay the ransom. This will continue until it is not financially viable for hackers to continue attacking businesses.
Every business needs to have an effective Cyber Security plan. This plan needs to be multifaceted, varied, and adaptive. Following a guideline such as the NIST Cyber Security Framework can provide a basis for your Cyber strategy. The framework consists of a series of US Government recommendations to use as a foundation for your Cyber Security Policies. It is broken into 5 groups. Identify, Protect, Detect, Respond, and Recover. Using those groups, you can tailor a Cyber Security program to combat these threats.
Cybersecurity in the modern world is always evolving. I recommend working with a trusted partner to help and verify your methodology.”
Thomas Andersen | Information Security Architect | BACS Consulting Group, Inc.
“Blackbyte is a hacking group that has developed a form of Ransomware-as-a-Service product. This sort of arrangement has become more popular recently, although it has been a business model that has existed since at least 2015.
RaaS operates like this: a group like BlackByte produces a white-labeled RaaS product that they then turn around and sell to affiliates who are involved in organized crime. The affiliates do not need to be very tech-savvy; they just need to make an arrangement with the developer to share in the profits. Russian organized crime syndicates have been known to use RaaS providers as an easier path to entry into the cybercrime world.
A group operating in a similar way to Blackbyte was REvil, recently taken down by Russian authorities (same MO). Selling access to malware delivery. Sometimes, RaaS operators even employ a customer service department. In the case of Blackbyte, it has been speculated that the vector for entry in at least some of the cases has been unpatched on-premise exchange servers. In that case, the prevention/mitigation would have been pretty straightforward – patch your servers!”
In general, some good preventative measures any organization could take to pre-emptively decrease the surface:
- Regular internal vulnerability scans and mitigation of findings
- Regular external penetration testing to determine possible vectors of attack
- Implement backups of all files and air-gap the storage of backups so they cannot become exposed in a breach
- Implement network segmentation
- Implement malware, phish, and spam filtering
- Implement UTM services in firewalls and all egress points to the network
- Implement DNS Protection
- Install and update endpoint protection and patching of all endpoints and servers
- Regularly audit privilege levels for least necessary security access for users to do their job
- Conduct security awareness trainings
“CISA and the FBI often work hand in hand to notify the broader public about active persistent threats that are present in the wild and becoming a bigger threat to the general public and business community. The world of cybersecurity is still sort of like the Wild West. At least in the United States, businesses are on their own to do their due diligence in mitigating and preventing attacks. In the future, I would like to see the US Government take more of an active role in providing some baseline level of security; however, that has really not come to pass for the security world, more broadly.”
