BlackByte Ransomware

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Examples include 'BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file' and 'Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.'

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

XMRIG Driver Loaded ... T1543.003 ... Windows Suspicious Driver Loaded Path

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

XMRIG Driver Loaded ... T1543.003 ... Windows Suspicious Driver Loaded Path

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

Executables Or Script Creation In Temp Path ... T1036

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

"BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep"

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

"...can enumerate registry keys... backdoor can query the Windows Registry to gather system information... executed the reg query command... used RegQueryValueExA..."

BlackByte Ransomware identifies remote systems via active directory queries for hostnames prior to launching remote ransomware payloads. Ember Bear has used tools such as NMAP for remote system discovery and enumeration in victim environments.

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

"BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep"

Multiple malware families (e.g., Avaddon, Bazar, Clop, Ryuk, REvil, LockBit, Zeus Panda) check OS language/keyboard layout/locale and terminate or alter execution if the system matches excluded languages (commonly Russian/CIS) or does not match desired target languages (e.g., Spanish/Portuguese, Arabic, Persian).

Multiple ransomware families and actors are described as encrypting victim filesystems/drives for extortion (e.g., Akira, Conti, Ryuk, WannaCry, NotPetya, etc.), often appending new extensions and dropping ransom notes.

Windows Excessive Service Stop Attempt ... T1489 ... Excessive Attempt To Disable Services

Multiple ransomware/wiper families are described as deleting Volume Shadow Copies and other recovery artifacts using built-in Windows tooling (e.g., vssadmin.exe delete shadows /all /quiet, wmic.exe shadowcopy delete, wbadmin.exe delete catalog -quiet) and disabling recovery (e.g., bcdedit /set {default} recoveryenabled no).

The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR)... adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload.

BlackByte Ransomware modifies the victim Registry to prevent system recovery; ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption.

Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.

The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'

BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'

The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing.