BlackByte ransomware gang returns with new multitier ransom strategy

A ransomware gang with links to the Conti group has returned with a new campaign similar to the better-known LockBit gang.

BlackByte version 2.0 ransomware gang, as the group calls itself, is promoting a new leaks site and claims to have successfully targeted new victims. Bleeping Computer reported Wednesday that those behind the ransomware are also promoting their activities on Twitter Inc., including auctions for stolen data.

BlackByte’s leak site currently had only one victim listed, however. In a twist on traditional ransomware groups, BlackByte is using a multitier ransom and publication strategy. Victims are being given the opportunity to pay to delay the publishing of their data by 24 hours for $5,000, can download the data for $200,000, or destroy all the data for $300,000. As with any ransomware gang, paying any sum demanded comes with zero guarantees that those behind the attack will deliver on their promises.

A form of ransomware used by BlackByte previously was found to have a worm capability similar to the Conti ransomware group’s predecessor Ryuk ransomware and also undertakes similar techniques. Previous BlackByte victims include the San Francisco 49ers American football team in February.

“We should view BlackByte less as an individual static actor and more as a brand which can have a new marketing campaign tied to it at any time,” Oliver Tavakoli, chief technology officer at artificial intelligence cybersecurity company Vectra AI Inc., told SiliconANGLE. “The payment to delay the publishing of data is an interesting business innovation. It allows smaller payment to be collected from victims who are almost certain they won’t pay the ransom, but want to hedge for a day or two as they investigate the extent of the breach.”

Nicole Hoffman, senior cyber threat intelligence analyst at digital risk solutions provider Digital Shadows Ltd., said it’s not surprising that BlackByte has similarities to LockBit, such as pay-to-delay, download or destroy extortion models. LockBit 2.0 emerged with an attack on Accenture PLC in August 2021.

“It is realistically possible that BlackByte is trying to gain a competitive advantage or even trying to gain…