BlackByte 2.0 Ransomware Employs Wide Range of Tools in 5 Days

The rapid rise and sophistication of ransomware enable threat actors to launch attacks more frequently and disrupt businesses and organizations that are lacking adequate preparation.

The researchers at Microsoft Incident Response recently investigated an intrusion in which it’s been the threat actor’s rapid attack progression, caused major disruptions for the victim organization in just five days.

To accomplish their goals, a wide range of tools and techniques were used by the threat actor during those five days to deploy BlackByte 2.0 ransomware.

TTPs Used

Here below we have mentioned all the TTPs used by the threat actor:-

  • Taking advantage of unsecured Microsoft Exchange Servers that are accessible online.
  • Enabling remote access by deploying a web shell.
  • Using existing tools to persist and gather information covertly.
  • For command and control (C2), setting up Cobalt Strike beacons.
  • Combining process hollowing with the utilization of vulnerable drivers to evade defensive mechanisms.
  • To enable long-term persistence, deployment of the backdoors that are custom-developed.
  • Deploying custom-developed tools to collect and exfiltrate data.

Attack chain

Exploiting the following ProxyShell vulnerabilities, the threat actor gained initial access to the victim’s environment through Microsoft Exchange Servers that are unpatched:-

BlackByte attack chain (Source – Microsoft)

By exploiting these vulnerabilities, the threat actor achieved the following abilities:-

  • Gain administrative access to the compromised Exchange host.
  • Retrieve user LegacyDN and SID data through Autodiscover requests.
  • To access the Exchange PowerShell backend, build a valid authentication token.
  • Using the New-MailboxExportRequest cmdlet to create a web shell and mimic domain admin users.

Upon device access, the threat actor established registry run keys to execute payloads upon user login each time. Here below we have mentioned those registry run keys:-

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Here, to achieve persistence the threat actor used Cobalt Strike, and the Microsoft Defender Antivirus flagged sys.exe as Trojan:Win64/CobaltStrike!MSR, downloaded from temp[.]sh (hxxps://temp[.]sh/szAyn/sys.exe) which was detected as Cobalt Strike Beacon.

Threat actors use legit remote access tools to blend in, and in this instance, for persistence and lateral movement, AnyDesk was utilized. 

This tool was installed as a service that ran from the following paths:-

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

AnyDesk log file ad_svc.trace revealed successful connections with anonymizer service IP addresses associated with:-

  • TOR
  • MULLVAD VPN

It’s been used by threat actors commonly to hide their source IP ranges. Moreover, security analysts detected the utilization of NetScan, a network discovery tool, by the threat actor to conduct network enumeration.

Using the following command the attacker disabled Microsoft Defender Antivirus, allowing them to execute Trojan:Win64/WinGoObfusc.LK!MT file:-

  • explorer.exe P@$$w0rd

Analysts found that explorer.exe is ExByte, a GoLang-based tool used in BlackByte ransomware attacks to collect and steal files from victim networks after reverse engineering it.

Capabilities of BlackByte 2.0 ransomware

Here below, we have mentioned the capabilities of BlackByte 2.0 ransomware:-

  • Antivirus bypass
  • Process hollowing
  • Modification/disabling of Windows Firewall
  • Modification of volume shadow copies
  • Modification of registry keys/values
  • Additional functionality

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers at Microsoft Incident Response:-

  • Prioritize patching for internet-exposed devices and establish a robust patch management process.
  • Deploy Microsoft Defender for Endpoint, an EDR solution, for real-time visibility into malicious activity across your network.
  • Enable cloud-based protection and configure your antivirus solution to block threats by ensuring regular updates for antivirus protection.
  • To safeguard against the disabling of Microsoft Defender Antivirus components, make sure to activate tamper protection.
  • Make sure to block all the traffic from the IPs that are listed in the IoC.
  • Make sure to block access from unauthorized public VPN services and incoming traffic from TOR exit nodes.
  • Limit administrative privileges to prevent authorized alterations to the system.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Critical Microsoft’s Time Travel Debugging Tool Vulnerability Let Attackers Mask Detection

Microsoft’s Time Travel Debugging (TTD) framework, a powerful tool for recording and replaying Windows program…

9 hours ago

ServiceNow Acquires Moveworks for $2.85 Billion to Boost AI Capabilities

In a landmark move to strengthen its position in the rapidly evolving artificial intelligence landscape,…

10 hours ago

Apple iOS 18.4 Beta 3 Released – What’s New!

Apple released iOS 18.4 Beta 3 on March 10, 2025, for developers, with a build…

10 hours ago

Researcher Hacks Embedded Devices to Uncover Firmware Secrets

In a recent exploration of embedded device hacking, a researcher demonstrated how to extract firmware…

11 hours ago

North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts

North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to…

11 hours ago

Ragnar Loader Used by Multiple Ransomware Groups to Bypass Detection

Ragnar Loader, a sophisticated toolkit associated with the Ragnar Locker ransomware group, has been instrumental…

11 hours ago