One of today’s most prominent ransomware variants has become even more deadly with the addition of a new custom tool that stores stolen sensitive data in the cloud.
Cybersecurity researchers from Symantec’s Threat Hunter team have released a new report on BlackByte, stating that at least one ransomware affiliate is using Exbyte to transfer stolen data.
Exbyte is a custom data exfiltration tool written in Go for Windows. Once run, it uploads the stolen data to a specific folder on the Mega cloud storage service. The folder is password protected, with the credentials hard-coded in the tool itself. Before sending the files, however, the tool checks whether it is running in a sandbox, making it harder for security teams to analyze the sample, and it also checks whether antivirus programs are running on the compromised endpoint.
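The behaviour described above gives defenders a concrete network signal: bulk uploads from an endpoint to Mega. The following is an added example, not code from the Symantec report or from the tool itself, that scans proxy log lines for POST/PUT traffic to Mega domains and totals the bytes each client uploaded. The log format, client addresses and hostnames are constructed for the example; only the base domains `mega.nz`, `mega.co.nz` and `mega.io` are real Mega domains.

```python
import re
from collections import defaultdict

# Real base domains used by the Mega cloud storage service (watch list).
MEGA_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")

# Constructed proxy log excerpt (not from any real incident):
# <timestamp> <client ip> <method> <url> <bytes sent by client>
SAMPLE_PROXY_LOG = """\
2022-10-21T10:01:02Z 10.0.4.17 GET https://www.example.com/index.html 512
2022-10-21T10:02:10Z 10.0.4.17 POST https://api.mega.co.nz/cs 220
2022-10-21T10:02:11Z 10.0.4.17 POST https://upload1.mega.co.nz/ul/part1 52428800
2022-10-21T10:02:30Z 10.0.4.17 POST https://upload1.mega.co.nz/ul/part2 52428800
2022-10-21T10:05:00Z 10.0.4.22 GET https://mega.nz/ 1024
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def host_of(url: str) -> str:
    """Extract the lowercase hostname from an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_mega_host(host: str) -> bool:
    """True if host is a Mega base domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def find_mega_exfil(log_text: str, min_bytes: int = 10 * 1024 * 1024) -> dict:
    """Return {client: bytes_uploaded_to_mega} for clients above min_bytes.

    Only upload-style methods (POST/PUT) count, so a user merely browsing
    mega.nz does not trigger the rule; the threshold keeps small API calls
    (session setup, folder listings) from firing on their own.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, method, url, sent = m.groups()
        if method.upper() in ("POST", "PUT") and is_mega_host(host_of(url)):
            totals[client] += int(sent)
    return {c: b for c, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    for client, total in find_mega_exfil(SAMPLE_PROXY_LOG).items():
        print(f"ALERT: {client} uploaded {total} bytes to Mega")
```

Because the sample reportedly refuses to run when it detects a sandbox, a detonation in an analysis environment may never show the upload; telemetry from real endpoints (proxy, firewall or DNS logs) is therefore the more reliable place to look for this pattern.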
This is a telltale sign that BlackByte is becoming one of the most prominent players in the ransomware world, especially with the decommissioning of Conti and REvil.
“After the departure of some major ransomware operations such as Conti and Sodinokibi [also known as REvil], BlackByte has emerged as one of the ransomware actors to capitalize on this market gap,” the Symantec report reads.
“The fact that actors are now creating custom tools to use in BlackByte attacks suggests that it is on its way to becoming one of the dominant ransomware threats.”
Exbyte is hardly the only custom data exfiltration tool out there. Symantec researchers also said they discovered a similar tool, called Exmatter, last November. It was primarily used by the BlackMatter ransomware group and was later acquired by Noberus. Ryuk uses the Ryuk Stealer, while LockBit uses StealBit.
Via: The Register