BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing

Published: 23/11/2024   Category: security




Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.



The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang.
According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims pay to extend the publishing of their stolen data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000). It's a strategy the LockBit 3.0 group already pioneered.
"It is not surprising BlackByte is taking a page out of LockBit's book by not only announcing a version 2 of their ransomware operation but also adopting the pay to delay, download, or destroy extortion model," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, who calls the market for ransomware groups competitive and explains LockBit is one of the most prolific and active ransomware groups globally.
Hoffman adds it is possible BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations.
"Although the double-extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams," she says. "It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted."
Oliver Tavakoli, CTO at Vectra, calls this approach an interesting business innovation.
"It allows smaller payments to be collected from victims who are almost certain they won't pay the ransom but want to hedge for a day or two as they investigate the extent of the breach," he says.
John Bambenek, principal threat hunter at Netenrich, points out ransomware actors have played around with a variety of models to maximize their revenue.
"This almost looks like an experiment on if they can get lower tiers of money," he says. "I just don't know why anyone would pay them anything except for destroying all the data. That said, attackers, like any industry, are experimenting with business models all the time."
BlackByte has remained one of the more common ransomware variants, infecting organizations worldwide and previously employing a worm capability similar to Conti's precursor Ryuk. But Harrison Van Riper, senior intelligence analyst at Red Canary, notes that BlackByte is just one of several ransomware-as-a-service (RaaS) operations that have the potential to cause a lot of disruption with relatively common tactics and techniques.
"Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn't mean they aren't impactful," he says. "The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond, to name a couple of reasons."
Tavakoli says cybersecurity pros should view BlackByte less as an individual static actor and more as a brand that can have a new marketing campaign tied to it at any time; he notes the set of underlying techniques to carry off the attacks seldom change.
"The precise malware or entry vector utilized by a given ransomware brand may change over time, but the sum of techniques used across all of them are pretty constant," he says. "Get your controls in place, ensure you have detection capabilities for attacks which target your valuable data, and run simulated attacks to test your people, processes and procedures."
Bambenek says that because BlackByte has made some mistakes (such as an error with accepting payments in the new site), from his perspective it may be a little lower on the skill level than others.
"However, open source reporting says they are still compromising big targets, including those in critical infrastructure," he says. "The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue like we saw with Colonial Pipeline."
In February, the FBI and US Secret Service released a joint cybersecurity advisory on BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors.
