The BlackByte ransomware operators leverage the ProxyShell Microsoft Exchange vulnerabilities for initial access and Cobalt Strike for lateral movement. First, the attacker installs web shells on the compromised Exchange server. Web shells are small scripts uploaded to a web server that let a threat actor persist on the device, execute commands remotely, and upload additional files to the server. The planted web shell is then used to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process. With that foothold established, the adversaries install the AnyDesk remote access tool and then proceed to the lateral movement stage.
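The chain above has three observable stages on the Exchange host: the IIS worker process spawning an interpreter (web shell use), the Windows Update Agent process making outbound connections it should not (injected beacon), and AnyDesk being executed. The following Python script is an added example, not code from the original page or from any BlackByte analysis; it checks a file's hashes against the indicators listed on this page and runs simple hunting heuristics over a constructed, Sysmon-like list of events. The event field names, the process image names (w3wp.exe, wuauclt.exe, AnyDesk.exe), the Microsoft update domains used as an allow-list, and the sample events are assumptions made for illustration.

```python
"""Hunting heuristics for the BlackByte intrusion chain described above.

Added example, not part of the original page. The event log is a
constructed, Sysmon-like list of dicts; the field names, image paths and
allow-listed domains are assumptions for illustration.
"""
import hashlib

# Hashes listed on this page for the BlackByte sample.
BLACKBYTE_MD5 = "9344afc63753cd5e2ee0ff9aed43dc56"
BLACKBYTE_SHA256 = "1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad"

# Interpreters a web shell typically spawns from the IIS worker process (assumption).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

# Domains the Windows Update Agent is expected to talk to (assumption; extend as needed).
UPDATE_DOMAINS = (".microsoft.com", ".windowsupdate.com")


def file_hashes(data: bytes) -> dict:
    """Return MD5 and SHA256 hex digests of a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc(data: bytes) -> bool:
    """True if the file's hashes match the BlackByte indicators on this page."""
    h = file_hashes(data)
    return h["md5"] == BLACKBYTE_MD5 or h["sha256"] == BLACKBYTE_SHA256


def hunt(events):
    """Return (event_id, reason) pairs for events that match a stage of the chain."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process_create":
            parent = ev["parent_image"].lower()
            basename = image.rsplit("\\", 1)[-1]
            # Stage 1: the IIS worker process spawning a shell is typical web shell activity.
            if parent.endswith("\\w3wp.exe") and basename in SHELL_CHILDREN:
                findings.append((ev["id"], "w3wp.exe spawned an interpreter (possible web shell)"))
            # Stage 3: AnyDesk deployed for remote access.
            if basename == "anydesk.exe":
                findings.append((ev["id"], "AnyDesk executed"))
        elif ev["type"] == "network_connect":
            # Stage 2: a beacon injected into the Windows Update Agent will make
            # outbound connections that the legitimate agent never makes.
            if image.endswith("\\wuauclt.exe") and not ev["dest_host"].endswith(UPDATE_DOMAINS):
                findings.append((ev["id"], "wuauclt.exe connected to a non-update host (possible injected beacon)"))
    return findings


# Constructed sample events; the hosts and paths are illustrative only.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "type": "process_create",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 3, "type": "network_connect",
     "image": "C:\\Windows\\System32\\wuauclt.exe",
     "dest_host": "download.windowsupdate.com"},
    {"id": 4, "type": "network_connect",
     "image": "C:\\Windows\\System32\\wuauclt.exe",
     "dest_host": "203.0.113.10"},
    {"id": 5, "type": "process_create",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\AnyDesk.exe"},
]


if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
    print("constructed bytes match BlackByte IOC:", matches_ioc(b"not the sample"))
```

The wuauclt.exe heuristic is deliberately narrow: the legitimate agent only contacts update infrastructure, so any other destination from that image is worth a look, but an attacker could also route the beacon through an allowed domain, so treat a miss as absence of evidence, not evidence of absence. Hash matching catches only the exact sample listed here; BlackByte builds are rebuilt per victim, so the behavioural checks are the more durable signal.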
BlackByte Ransomware Signatures
Family: Trojan:Script/Phonzy.A!ml
MD5: 9344afc63753cd5e2ee0ff9aed43dc56
SHA256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
BlackByte Ransomware Download