Infiltrate, Encrypt, and Extort in Just 5 Days

Jul 07, 2023Swati KhandelwalEndpoint Security / Ransomware

Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify.

Recently, Microsoft’s Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes’ terrifying velocity and damaging nature.

The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.

This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations.

BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data.

To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an approach that has proven highly successful. By exploiting this vulnerability, they gain initial access to the target networks and set the stage for their malicious activities.

The ransomware further employs process hollowing and antivirus evasion strategies to guarantee successful encryption and circumvent detection.

Furthermore, web shells equip them with remote access and control, enabling them to maintain a presence within the compromised systems.

The report also highlighted the deployment of Cobalt Strike beacons, which facilitate command and control operations. These sophisticated tools give attackers a wide range of skills, making it more difficult for organizations to defend against them.

Alongside these tactics, the investigation uncovered several other troubling practices cybercriminals use. They utilize “living-off-the-land” tools to blend in with legitimate processes and escape detection.

The ransomware modifies volume shadow copies on infected machines to prevent data recovery through system restore points. The attackers also deploy specially-crafted backdoors, ensuring continued access for the attackers even after the initial compromise.

The disturbing upsurge in ransomware attacks requires immediate action from organizations worldwide. In response to these findings, Microsoft has provided some practical recommendations.

Organizations are primarily urged to implement robust patch management procedures, ensuring they timely apply critical security updates. Enabling tamper protection is another essential step, as it strengthens security solutions against malicious attempts to disable or bypass them.