On Friday, the FBI and Secret Service released a joint advisory indicating the BlackByte ransomware gang compromised multiple organizations within three US critical infrastructure sectors in the last three months. BlackByte is a Ransomware-as-a-Service (RaaS) group that offers encryption software, ransom negotiation, and money laundering services to cybercriminals in return for a percentage of the ransom. Individual compromises may have distinct criminal groups involved during different stages of the attack.
The advisory contains a number of recent indicators of BlackByte ransomware gang activity: file hashes, suspicious file names, and base64-encoded PowerShell commands, as well as a detailed list of commands executed during attacks. We recommend organizations use these commands as behavioral indicators when searching endpoint logs for signs of past or ongoing compromise. Ransomware actors can have a short time to ransom (TTR), measured in days, depending on how much time they allocate to interfering with backup services.
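As an added illustration (not code from the advisory or from this post), here is the kind of endpoint-log hunt described above, run over constructed process-creation log lines: it decodes `-EncodedCommand` PowerShell payloads (base64 of UTF-16LE text) so the indicator match runs on the actual command rather than on the opaque blob. The `INDICATORS` patterns and the `ExampleBackupSvc` service name are constructed stand-ins; in practice you would load the advisory's command list in their place.

```python
import base64
import re
from typing import List, Optional, Tuple

# Behavioural indicators to hunt for. Constructed stand-ins for the advisory's
# command list (assumption: replace with the advisory's actual commands).
INDICATORS = [
    re.compile(r"delete\s+shadows", re.IGNORECASE),  # backup/shadow-copy interference
    re.compile(r"stop-service", re.IGNORECASE),      # a (backup) service being stopped
]

# PowerShell accepts -EncodedCommand and its prefixes (-e, -ec, -enc); longest first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload if the command line carries one.

    The payload is base64 over UTF-16LE text; malformed blobs yield None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator_pattern, effective_command) for each suspicious line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        decoded = decode_encoded_powershell(line)
        cmd = decoded if decoded else line  # match on decoded text when there is one
        for pat in INDICATORS:
            if pat.search(cmd):
                hits.append((n, pat.pattern, cmd.strip()))
                break
    return hits


def _encode_powershell(script: str) -> str:
    """Helper used only to build the constructed sample log below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation log lines (not taken from the advisory).
SAMPLE_LOG = [
    'host=ws01 user=alice cmdline="explorer.exe"',
    'host=ws01 user=alice cmdline="cmd.exe /c vssadmin delete shadows"',
    'host=ws01 user=alice cmdline="powershell.exe -nop -w hidden -enc '
    + _encode_powershell("Stop-Service -Name ExampleBackupSvc") + '"',
    'host=ws02 user=bob cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for line_no, pattern, cmd in hunt(SAMPLE_LOG):
        print(f"line {line_no}: matched {pattern!r} in {cmd}")
```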