14 February 2022

FBI: BlackByte ransomware breached US critical infrastructure in the last three months as of November 2021

OK so let's see what they said

FBI: BlackByte ransomware breached US critical infrastructure orgs

February 14, 2022 10:41 AM

The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations in US critical infrastructure sectors, according to findings current as of November 2021.

This was disclosed in a TLP:WHITE joint cybersecurity advisory released Friday in coordination with the US Secret Service.

"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture)," the federal law enforcement agency said [PDF].

"BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers."

The advisory focuses on providing indicators of compromise (IOCs) that organizations can use to detect and defend against BlackByte's attacks.

The IOCs associated with BlackByte activity shared in the advisory include MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands the ransomware operators used during attacks.
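The advisory's hashes and command list are not reproduced on this page, so the following is an added example (not code from the advisory, the FBI/USSS, or BleepingComputer) of how a responder turns such a hash list into a sweep of an IIS webroot. It streams every ASPX-family handler file under a directory through MD5, flags matches against an IOC set, and optionally flags any handler file absent from a known-good baseline, which is how you catch a renamed or recompiled web shell the advisory does not list. The IOC value here is computed from a constructed sample file so the example runs offline; the sample tree, the extension list, and the baseline are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample content standing in for a malicious ASPX file. Its MD5 is
# used as the IOC below so the example runs offline; it is NOT one of the
# hashes published in the FBI/USSS advisory. Replace IOC_MD5 with those.
SAMPLE_MALICIOUS_ASPX = b'<%@ Page Language="C#" %>\n<% /* constructed sample, not a real web shell */ %>\n'
IOC_MD5 = {hashlib.md5(SAMPLE_MALICIOUS_ASPX).hexdigest()}

# Server-side handler types an attacker can drop under an IIS webroot to get
# code execution. Assumed list; extend it to match your deployment.
HANDLER_EXTS = (".aspx", ".ashx", ".asmx", ".asax", ".soap", ".svc")


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large uploads never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(webroot, iocs=IOC_MD5, baseline=None, exts=HANDLER_EXTS):
    """Walk `webroot` and return (path, md5, reason) for every handler file that
    matches an IOC hash or, when a known-good `baseline` hash set is supplied,
    is not present in it."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(root, name)
            digest = md5_file(path)
            if digest in iocs:
                findings.append((path, digest, "ioc_match"))
            elif baseline is not None and digest not in baseline:
                findings.append((path, digest, "not_in_baseline"))
    return findings


def build_sample_webroot():
    """Create a throwaway directory tree imitating an IIS webroot: one
    legitimate page, one file matching the IOC hash, one unknown handler and
    one non-handler file. Constructed for the example; returns the path."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(root, "aspnet_client", "system_web"))
    with open(os.path.join(root, "default.aspx"), "wb") as f:
        f.write(b'<%@ Page Language="C#" %>\n<html><body>hello</body></html>\n')
    with open(os.path.join(root, "aspnet_client", "system_web", "error.aspx"), "wb") as f:
        f.write(SAMPLE_MALICIOUS_ASPX)
    with open(os.path.join(root, "aspnet_client", "upload.ashx"), "wb") as f:
        f.write(b'<%@ WebHandler Language="C#" Class="Upload" %>\n')
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"not a handler, ignored by the sweep\n")
    return root


def known_good_baseline(webroot):
    """Hash set an admin would record from a clean deployment. For the sample
    tree it is derived from default.aspx only."""
    return {md5_file(os.path.join(webroot, "default.aspx"))}


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, digest, reason in sweep(root, baseline=known_good_baseline(root)):
        print(f"{reason:16} {digest}  {path}")
```

Run it against each site root IIS is configured to serve (the default is C:\inetpub\wwwroot, but check the bindings, since Exchange and custom sites live elsewhere). A hash match is a definite hit; a "not_in_baseline" finding is a lead that needs a look at the file and its creation time, and both belong in the SIEM alongside the advisory's other IOCs.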

The 49ers ransomware attack

In related news, NFL's San Francisco 49ers team revealed over the weekend that it's recovering from a BlackByte ransomware attack.

The threat actors claimed the attack, saying that they also stole data from the football org's servers during the incident and leaked almost 300MB worth of files on their data leak blog.

The 49ers confirmed the ransomware attack in a statement to BleepingComputer and said it only caused a temporary disruption to portions of its IT network.

The BlackByte ransomware operation has been active since at least July 2021, when it started targeting corporate victims worldwide.

This gang is known for exploiting software vulnerabilities (including flaws in Microsoft Exchange Server) to gain initial access to enterprise targets' networks, which is why keeping internet-facing servers patched is one of the most effective ways to block its attacks.

In October, cybersecurity firm Trustwave created and released a free BlackByte decryptor, enabling some victims to restore their files for free after researchers found that the ransomware reused the same symmetric encryption key across multiple attacks.

The two agencies also shared a list of measures that can help admins mitigate BlackByte attacks:

  • Implement regular backups of all data, stored as air-gapped, password-protected copies offline. Ensure these copies cannot be modified or deleted from any system where the original data resides.
  • Implement network segmentation so that not every machine on the network is reachable from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates and patches for operating systems, software, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use multi-factor authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Load all the IOCs from the advisory into the network SIEM for continuous monitoring and alerting.

OTHER RELATED CONTENT

Who Is the BlackByte Ransomware Group and How Does the Decryptor Work?

Ransomware attacks impact organizations every single day. But it doesn't always have to be bad news: victims of BlackByte ransomware can now decrypt their files for free, as a free decryption tool was made public this week.

In this blog post you will find information about the BlackByte ransomware group, which has victims in many countries, and how to use the newly released decryptor.

Who is BlackByte?

BlackByte is a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding this group emerged after victims sought help decrypting their files.

Written in C#, BlackByte attempts to terminate numerous security, mail server, and database processes so that it can encrypt a device successfully (files held open by those processes could otherwise not be encrypted). The ransomware also disables Microsoft Defender on target devices before attempting encryption.
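The behaviour described above (killing security, mail and database processes and turning off Defender) runs before any file is encrypted, which makes it the best point to alert on. The following is an added example, not SOCRadar's or the advisory's code: it runs simple rules over constructed process-creation events and then correlates hits per host, because a single taskkill is noise but Defender tampering followed within minutes by killing SQL Server or Exchange processes on the same host is the pre-encryption staging worth paging on. The command patterns, process and service watchlists, and the sample events are assumptions chosen to illustrate generic tampering techniques; they are not the command list published in the FBI/USSS advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# flattened to dicts). These are NOT logs from a real intrusion.
SAMPLE_EVENTS = [
    {"ts": "2022-02-10T03:14:07Z", "host": "WEB01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2022-02-10T03:14:09Z", "host": "WEB01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "taskkill.exe /F /IM sqlservr.exe /IM MSExchangeIS.exe /IM MsMpEng.exe"},
    {"ts": "2022-02-10T03:20:41Z", "host": "FS02", "user": r"CORP\jsmith",
     "cmdline": "taskkill.exe /F /IM notepad.exe"},
    {"ts": "2022-02-10T09:00:00Z", "host": "DB03", "user": r"CORP\svc_sqlpatch",
     "cmdline": "net stop MSSQLSERVER"},
]

# Assumed patterns: generic ways of disabling Defender from a command line.
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\s+.*-Disable\w+|"
    r"Add-MpPreference\s+.*-Exclusion\w+|"
    r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+WinDefend\b)",
    re.IGNORECASE,
)
# Assumed watchlist of the kinds of processes the text says BlackByte kills:
# security tooling, mail server, database and backup processes.
WATCHED_PROCESSES = re.compile(
    r"^(sqlservr|sqlwriter|msexchange\w*|msmpeng|nissrv|oracle\w*|mysqld|postgres|"
    r"veeam\w*|sophos\w*|cylance\w*)(\.exe)?$",
    re.IGNORECASE,
)
SERVICE_STOP = re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
WATCHED_SERVICES = {"mssqlserver", "msexchangeis", "msexchangesa", "windefend", "veeambackupsvc"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def match_rules(event):
    """Return the names of the per-event rules a single command line trips."""
    cmd = event["cmdline"]
    rules = []
    if DEFENDER_TAMPER.search(cmd):
        rules.append("defender_tamper")
    if re.search(r"\btaskkill(\.exe)?\b", cmd, re.IGNORECASE):
        targets = re.findall(r"/IM\s+(\S+)", cmd, re.IGNORECASE)
        # Three or more images in one call is a mass kill regardless of names.
        if len(targets) >= 3 or any(WATCHED_PROCESSES.match(t) for t in targets):
            rules.append("security_or_data_process_kill")
    m = SERVICE_STOP.search(cmd)
    if m and m.group(3).lower() in WATCHED_SERVICES:
        rules.append("watched_service_stop")
    return rules


def detect(events, window=timedelta(minutes=10)):
    """Return per-event alerts plus one correlated 'pre_encryption_staging'
    alert per host that shows Defender tampering and process or service
    killing within `window` of each other."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        rules = match_rules(ev)
        if rules:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "rules": rules,
                           "cmdline": ev["cmdline"]})
            by_host[ev["host"]].append((parse_ts(ev["ts"]), set(rules)))
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, r0) in enumerate(hits):
            seen = set(r0)
            for t1, r1 in hits[i + 1:]:
                if t1 - t0 > window:
                    break
                seen |= r1
            if "defender_tamper" in seen and seen & {"security_or_data_process_kill",
                                                     "watched_service_stop"}:
                alerts.append({"host": host, "ts": t0.isoformat(),
                               "rules": ["pre_encryption_staging"], "cmdline": None})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["host"], ",".join(a["rules"]), a["cmdline"] or "")
```

On the sample data the lone taskkill on FS02 produces nothing, the service stop on DB03 by a patching account produces a low-priority single hit, and WEB01 produces the two component hits plus the correlated alert. The same rules port directly to a SIEM query over Sysmon or Security 4688 events, with the correlation expressed as a per-host time window.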

According to what has been reported so far, BlackByte has not been as active as other ransomware operations, but researchers have been keeping an eye on it...

(Image: a BlackByte ransom note)

Which Companies Did BlackByte Ransomware Target?

According to information obtained by SOCRadar, the BlackByte ransomware group has so far attacked companies in the manufacturing, mining, food, beverage, healthcare, and construction sectors from the USA, France, Australia, Italy, Austria, Croatia, Chile, and Turkey. 

(Image: countries and companies targeted by the BlackByte ransomware group)
