Hackers use BlackByte ransomware to abuse legitimate servers and bypass security layers.
The BlackByte ransomware strain is used by malicious actors to abuse legitimate servers through a technique known as “Bring Your Own Driver”.
BlackByte Ransomware used to bypass security layers
BlackByte ransomware has been in use since 2021 and is operated as ransomware-as-a-service: the group offers its ransomware to other malicious actors for a fee. BlackByte is now back in the spotlight after being used in a tactic known as “Bring Your Own Driver”. In this attack, cybercriminals exploit a vulnerability in RTCore64.sys, a Windows driver belonging to a graphics overclocking utility, tracked as CVE-2021-16098.
A Bring Your Own Driver attack involves installing a vulnerable version of the RTCore64.sys driver on the victim’s device. The attacker can then abuse this faulty driver while remaining under the radar of security software.
The new threat was discovered by Sophos, a well-known cybersecurity company. In a Sophos News article, it was stated that the CVE-2021-16098 vulnerability “allows an authenticated user to read and write to arbitrary memory, which could be exploited for elevation of privilege, executing code with elevated privileges, or disclosure of information”.
More than 1,000 drivers have been disabled by BlackByte
Threat actors have successfully disabled more than 1,000 drivers used by industry endpoint detection and response (EDR) products. As noted in the aforementioned Sophos News post, these security products rely on these drivers to provide protection for their clientele.
Specifically, these products monitor the use of frequently abused API calls, a function that these Bring Your Own Driver attacks interrupt.
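The defensive counterpart to the two passages above (a vulnerable RTCore64.sys is dropped on the host, then used to disable EDR drivers) is to watch driver-load events for that driver. The following Python is an added example, not code from this article or from Sophos: it scans constructed Sysmon “Driver loaded” (Event ID 6) records for the driver name the article cites, for a hash watchlist (the hash here is a labelled placeholder, since the article publishes none), and for drivers loaded from outside the usual driver directories. The pipe-separated log format, the expected-path list and the sample records are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Driver file names named in the article as abused in this campaign.
WATCHLIST_NAMES = {"rtcore64.sys"}
# PLACEHOLDER: a real deployment would list SHA256 hashes of the specific
# vulnerable builds here; the article does not publish one, so none is invented.
WATCHLIST_SHA256 = {"<PLACEHOLDER_SHA256_OF_VULNERABLE_RTCORE64_BUILD>"}

# Directories from which a properly installed kernel driver normally loads
# (assumption for the example; tune to your environment).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Alert:
    record_id: int
    reason: str
    image: str


def _field(line: str, name: str) -> str:
    """Extract 'Name: value' from a pipe-separated record (constructed format)."""
    m = re.search(rf"{name}:\s*([^|]+)", line)
    return m.group(1).strip() if m else ""


def scan_driver_loads(lines: List[str]) -> List[Alert]:
    """Return one Alert per suspicious property of each Sysmon Event ID 6 record.

    Note that the abused driver is a legitimately signed file, so 'Signed: true'
    is NOT a clean bill of health; the checks below deliberately ignore it.
    """
    alerts: List[Alert] = []
    for line in lines:
        if _field(line, "EventID") != "6":   # Sysmon 6 = Driver loaded
            continue
        rid = int(_field(line, "RecordID"))
        image = _field(line, "ImageLoaded")
        name = image.rsplit("\\", 1)[-1].lower()

        sha256 = ""
        for h in _field(line, "Hashes").split(","):
            if h.strip().upper().startswith("SHA256="):
                sha256 = h.strip().split("=", 1)[1]

        if name in WATCHLIST_NAMES:
            alerts.append(Alert(rid, "watchlisted-driver-name", image))
        if sha256 in WATCHLIST_SHA256:
            alerts.append(Alert(rid, "watchlisted-driver-hash", image))
        if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
            alerts.append(Alert(rid, "driver-loaded-from-unexpected-path", image))
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "RecordID: 101 | EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys"
    " | Hashes: SHA256=CONSTRUCTED_A | Signed: true",
    # The BYOVD case: the watchlisted driver dropped into a user-writable folder.
    "RecordID: 102 | EventID: 6 | ImageLoaded: C:\\Users\\Public\\RTCore64.sys"
    " | Hashes: SHA256=CONSTRUCTED_B | Signed: true",
    # Not a driver-load event; must be ignored.
    "RecordID: 103 | EventID: 1 | Image: C:\\Windows\\System32\\cmd.exe",
    # Same driver installed in the normal location (e.g. a real overclocking tool):
    # still worth a lower-priority alert because the build may be the vulnerable one.
    "RecordID: 104 | EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\RTCore64.sys"
    " | Hashes: SHA256=CONSTRUCTED_C | Signed: true",
]

if __name__ == "__main__":
    for a in scan_driver_loads(SAMPLE_LOG):
        print(f"record {a.record_id}: {a.reason} ({a.image})")
```

Record 102 triggers both the name and the path rule, record 104 only the name rule, and record 101 nothing; in practice the hash rule is the precise one, and the name and path rules catch renamed or relocated copies of the driver that a hash list would miss.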
BlackByte has caused problems in the past
This is not the first time BlackByte has been used in cyberattacks. In early 2022, the FBI issued a warning about a series of BlackByte ransomware attacks via abuse of Microsoft Exchange servers. The series of exploits took place in December 2021, during which attackers hacked corporate networks using three ProxyShell vulnerabilities to install web shells on compromised servers.
Since the attacks, patches have been developed for the ProxyShell vulnerabilities, but that doesn’t seem to have stopped the BlackByte operators from continuing their attacks elsewhere.
Ransomware continues to threaten individuals and businesses
Ransomware can cause huge losses, whether in data or in financial assets. This type of cyberattack is now so popular that it can be purchased through illicit service providers, giving even more malicious actors the opportunity to exploit victims. It’s unclear whether BlackByte operators will continue to cause problems in the future, but this Windows attack is another example of the capabilities of ransomware programs.