UPDATED 21:16 EDT / AUGUST 18 2022

SECURITY

BlackByte ransomware gang returns with new multitier ransom strategy

A ransomware gang with links to the Conti group has returned with a new campaign similar to the better-known LockBit gang.

BlackByte version 2.0 ransomware gang, as the group calls itself, is promoting a new leaks site and claims to have successfully targeted new victims. Bleeping Computer reported Wednesday that those behind the ransomware are also promoting their activities on Twitter Inc., including auctions for stolen data.

BlackByte’s leak site currently had only one victim listed, however. In a twist on traditional ransomware groups, BlackByte is using a multitier ransom and publication strategy. Victims are being given the opportunity to pay to delay the publishing of their data by 24 hours for $5,000, can download the data for $200,000, or destroy all the data for $300,000. As with any ransomware gang, paying any sum demanded comes with zero guarantees that those behind the attack will deliver on their promises.

A form of ransomware used by BlackByte previously was found to have a worm capability similar to the Conti ransomware group’s predecessor Ryuk ransomware and also undertakes similar techniques. Previous BlackByte victims include the San Francisco 49ers American football team in February.

“We should view BlackByte less as an individual static actor and more as a brand which can have a new marketing campaign tied to it at any time,” Oliver Tavakoli, chief technology officer at artificial intelligence cybersecurity company Vectra AI Inc., told SiliconANGLE. “The payment to delay the publishing of data is an interesting business innovation. It allows smaller payment to be collected from victims who are almost certain they won’t pay the ransom, but want to hedge for a day or two as they investigate the extent of the breach.”

Nicole Hoffman, senior cyber threat intelligence analyst at digital risk solutions provider Digital Shadows Ltd., said it’s not surprising that BlackByte has similarities to LockBit, such as pay-to-delay, download or destroy extortion models. LockBit 2.0 emerged with an attack on Accenture PLC in August 2021.

“It is realistically possible that BlackByte is trying to gain a competitive advantage or even trying to gain media attention in an attempt to recruit and grow operations,” Hoffman said. “Although the double extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams. It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted.”

Image: CrowdStrike

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU