One of the most prominent ransomware variants around today has become even more deadly with the addition of a new custom tool that stores stolen sensitive data in the cloud.
Cybersecurity researchers from Symantec’s Threat Hunter Team have published a new report on BlackByte, in which it states that at least one ransomware affiliate is using Exbyte to siphon out stolen data.
Exbyte is a custom data exfiltration tool, built in Go for Windows, and once turned on, sends all of the stolen data to a specific folder on the Mega cloud storage (opens in new tab) service. The folder is password-protected, with the credentials being hardcoded into the tool itself. Before sending the files, though, the tool will check to see if it’s in a sandbox, making it harder for cybersecurity teams to analyze the sample. It also checks to see if there are any antivirus tools running on the compromised endpoint as well.
This is a telltale sign of BlackByte becoming one of the most prominent players in the ransomware world, especially with the dismantling of Conti and REvil.
“Following the departure of a number of major ransomware operations such as Conti and Sodinokibi [also known as REvil], BlackByte has emerged as one of the ransomware actors to profit from this gap in the market,” Symantec’s report reads.
“The fact that actors are now creating custom tools to use in BlackByte attacks suggests that is may be on the way to becoming one of the dominant ransomware threats.”
Exbyte is hardly the only custom data exfiltration tool around. Researchers from Symantec also said they detected a similar tool in November last year, called Exmatter. This one was used, first and foremost, by the BlackMatter ransomware group. It was later adopted by Noberus. Ryuk uses the Ryuk Stealer, while LockBit uses StealBit.
Via: The Register (opens in new tab)