BlackByte ransomware group added the City of Collegedale, Tennessee, to its victim list on Easter Sunday.
The alleged City of Collegedale cyber attack is yet to be confirmed. The official website was accessible at the time of writing.
The ransomware group has not disclosed much information about the City of Collegedale cyber attack it claims to have carried out.
The Cyber Express reached out to confirm the City of Collegedale cyber attack but has yet to receive a response.
BlackByte ransomware group
The City of Collegedale cyber attack, if confirmed, is yet another target for the hacker collective. The BlackByte ransomware group has targeted organizations using data theft tools and employing double extortion techniques to make the most of each heist.
The group was reported to be using a tool called ‘ExByte’ to steal data from infected Windows devices.
Double extortion is a way of pressuring targeted entities into paying a ransom: their data is not only encrypted but also exfiltrated, so the victim must pay both to decrypt it and to prevent it from being leaked or sold online.
Triple extortion is a more recently adopted technique in which the ransomware group encrypts, exfiltrates, and misuses individual user data to extort money.
They also use the stolen credentials to launch other forms of cyber attack, such as a Distributed Denial of Service (DDoS) attack that further slows the systems or makes them inaccessible.
ExByte is a data exfiltration tool written in the Go programming language.
The BlackByte ransomware group has been gaining initial access by exploiting ProxyShell vulnerabilities in unpatched software. The group has been known to target Exchange Servers of corporate entities since July 2022.
Among their targets were food and beverage companies, manufacturing, healthcare, mining, and construction entities. They were mostly based in Australia, Chile, Croatia, France, Italy, the United States of America, and Turkey.
Detection evasion techniques
BlackByte evades detection by deleting the taskmgr (Task Manager) and resmon (Resource Monitor) services.
The group’s ransomware tool also stops the windefend service (Windows Defender) using an obfuscated PowerShell command.
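As an added, defender-side illustration (not code from the article or from any BlackByte sample) of how the service stop and encoded-PowerShell behaviour described above can be surfaced from Windows event logs, the following Python runs two rules over constructed records shaped like Service Control Manager event 7036 and PowerShell script-block event 4104; the sample records, service names and rule thresholds are assumptions made for this example.

```python
import base64
import re

# Constructed sample events in a simplified Windows event-log shape
# (assumed for this example; not real records from any incident).
SAMPLE_EVENTS = [
    {"id": 7036, "source": "Service Control Manager",
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"id": 7036, "source": "Service Control Manager",
     "message": "The Print Spooler service entered the running state."},
    {"id": 4104, "source": "Microsoft-Windows-PowerShell",
     "message": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Stop-Service windefend".encode("utf-16le")).decode()},
    {"id": 4104, "source": "Microsoft-Windows-PowerShell",
     "message": "Get-ChildItem C:\\Users"},
]

# Service names worth alerting on when they stop (assumed watch list).
WATCHED_SERVICES = ("windefend", "windows defender")
# Matches -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return a list of alert strings for one event (empty when nothing matches)."""
    alerts = []
    msg = event["message"]
    low = msg.lower()
    if event["id"] == 7036 and "entered the stopped state" in low:
        if any(s in low for s in WATCHED_SERVICES):
            alerts.append("security service stopped: " + msg)
    if event["id"] == 4104:
        decoded = decode_encoded_command(msg)
        if decoded is not None:
            # The raw script block hides the service name; inspect the decoded text instead.
            alerts.append("encoded PowerShell command decoded: " + decoded)
            low = decoded.lower()
        if "stop-service" in low and any(s in low for s in WATCHED_SERVICES):
            alerts.append("PowerShell attempted to stop a security service")
    return alerts


def scan(events):
    """Run every rule over the event list; returns a list of (event id, alert) pairs."""
    return [(e["id"], a) for e in events for a in classify(e)]


if __name__ == "__main__":
    for eid, alert in scan(SAMPLE_EVENTS):
        print(eid, alert)
```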
The hacker collective uses the same symmetric key for encrypting and decrypting files on the targeted device.
Interestingly, security researchers found a free decryption tool for the BlackByte ransomware.
When the hacker collective found that the decryption tools were being used, they posted a warning.
They further warned victims against using the decryptors, claiming they might cause further damage to the system and ‘break everything.’