At least one affiliate of the high-profile ransomware-as-a-service (RaaS) group BlackByte is using a custom tool to exfiltrate files from a victim’s network, a key step in the fast-growing business of double-extortion.
The exfiltration tool, dubbed Exbyte, is written in Go for Windows computers, and is designed to upload files to the Mega cloud storage service, according to researchers in Symantec’s Threat Hunter Team this month.
Exbyte lets the affiliate speedily grab a victim’s sensitive internal documents and stash them out of sight, yet another indication of BlackByte’s rising status in the always-dynamic ransomware world. A victim’s network is compromised, and the intruders siphon off data using Exbyte and then lock up the network using BlackByte.
“Following the departure of a number of major ransomware operations such as Conti and Sodinokibi [also known as REvil], BlackByte has emerged as one of the ransomware actors to profit from this gap in the market,” the Symantec team wrote in a report. “The fact that actors are now creating custom tools to use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.”
BlackByte emerged in July 2021 and quickly became a significant group in the RaaS space. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) and FBI in February issued an alert [PDF], noting that the ransomware had been used multiple times to attack US and foreign businesses, including at least three organizations in critical infrastructure sectors – government, financial, and food and agriculture – in the United States.
The BlackByte group also was behind an attack on the San Francisco 49ers football team in February.
Symantec says the BlackByte RaaS operation is run by a crew it calls Hecamede and that in recent months, the ransomware has been…