Blackbyte's new exfiltration tool.
Oct 21, 2022

BlackByte fills a gap in the criminal ecosystem.

Symantec, a unit of Broadcom, warns that an affiliate of the BlackByte ransomware-as-a-service operation is using a new data exfiltration tool called “Exbyte.” The researchers state, “The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the cloud storage service. On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. To do this, it calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs.”
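The anti-analysis checks Symantec describes leave a footprint defenders can hunt for: both APIs have to be resolved from kernel32.dll, so they normally appear in a sample's import table. The following YARA rule is an added triage example, not a rule published by Symantec or the article; it flags PE files that import both debugger-detection APIs and also carry the "Go build ID:" string that Go's linker embeds, matching the tool's described traits. Any rule name or tag is a placeholder chosen here.

```yara
import "pe"

rule Hunt_Go_PE_Debugger_Checks
{
    meta:
        description = "Triage: Go-built PE importing both IsDebuggerPresent and CheckRemoteDebuggerPresent (example rule, not a vendor signature)"
        reference   = "Symantec reporting on the Exbyte exfiltration tool, Oct 2022"
        confidence  = "low - hunting aid, requires analyst review"

    strings:
        // Marker the Go linker writes into every Go binary
        $go_build_id = "Go build ID:" ascii

    condition:
        // Must be a PE image
        uint16(0) == 0x5A4D and
        // Both sandbox/debugger checks named in the report are imported from kernel32
        pe.imports("kernel32.dll", "IsDebuggerPresent") and
        pe.imports("kernel32.dll", "CheckRemoteDebuggerPresent") and
        // Narrow to Go-compiled binaries, since the report says Exbyte is written in Go
        $go_build_id
}
```

IsDebuggerPresent on its own is imported by a great deal of benign software (the Microsoft C runtime calls it), and CheckRemoteDebuggerPresent is common in commercial protectors, so the rule is written to require both plus the Go marker and is still only a prioritisation signal for analyst review, not a conviction. Packed or statically stripped samples will not expose these imports and need dynamic analysis instead.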

Steady growth in criminal marketshare.

Symantec adds that the BlackByte operation has been steadily growing since the beginning of the year:

“BlackByte is a ransomware-as-a-service operation that is run by a cyber-crime group Symantec calls Hecamede. The group sprang to public attention in February 2022 when the U.S. Federal Bureau of Investigation (FBI) issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.”

BlackByte fills a gap left by the departure of other leading ransomware gangs.

The researchers conclude that BlackByte is filling a gap left by the dissolution of other major ransomware offerings, and “[t]he fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.”