
BlackByte ransomware exploits vulnerability in VMware ESXi
The BlackByte ransomware group has typically relied on bring-your-own-vulnerable-driver (BYOVD) tactics, loading a vulnerable signed driver to disable security tooling before deploying a self-propagating ransomware encryptor. Recent investigations by Cisco Talos Incident Response (Talos IR), however, show BlackByte departing from that playbook: the group was observed exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, to obtain access to hypervisors without valid credentials.
Darren Guccione, CEO and Co-Founder at Keeper Security, remarked, “The exploitation of CVE-2024-37085 showcases an aggressive approach by BlackByte, indicating a move towards quickly taking advantage of vulnerabilities before organizations can strengthen their defenses. As ransomware groups like BlackByte evolve, organizations must invest in adaptive security measures to keep pace with the ever-changing threat landscape.
“The exploitation of ESXi vulnerabilities by BlackByte suggests a focused effort to compromise enterprise network infrastructure. With ESXi servers often housing multiple virtual machines, a successful attack can cause widespread disruption, making them prime targets for ransomware groups. BlackByte’s shift to using advanced programming languages like C/C++ in their latest encryptor, BlackByteNT, shows their intention to make their malware more resistant to detection and analysis with sophisticated anti-analysis and anti-debugging techniques.”
Why did BlackByte change tactics?
Heath Renfrow, Co-founder of Fenix24, suggests that BlackByte may have adjusted its methods because exploiting the flaw is effective and because ESXi hosts joined to Active Directory (AD) or managed through vCenter are so prevalent in enterprise environments. Gaining this level of access allows attackers to deploy ransomware directly on the hypervisor or move laterally to other hypervisors.
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, explains, “Traditionally, ransomware groups rely on established techniques for initial access, privilege escalation, and executing malicious payloads. However, the exploitation of a new vulnerability (CVE-2024-37085) in VMware ESXi indicates a strategic shift.
“By exploiting CVE-2024-37085, BlackByte shows an ability to quickly incorporate new vulnerabilities into their toolkit. This move demonstrates their willingness to adopt cutting-edge methods to enhance their attacks’ effectiveness. Targeting critical VMware ESXi hypervisors allows attackers to cause significant disruption, increasing pressure on victims to pay the ransom.”
Why is this significant?
Guenther notes, “The focus on VMware ESXi hypervisors by groups like BlackByte is concerning as these servers are vital to enterprise IT infrastructure. By compromising an ESXi server, attackers can disrupt or gain control over multiple virtual machines running crucial services, amplifying the impact of the attack. BlackByte’s adoption of the CVE-2024-37085 vulnerability reflects their understanding of the value in targeting these systems for potential ransom payouts.
“Overall, BlackByte’s ability to adapt and leverage new vulnerabilities and sophisticated techniques like BYOVD shows their commitment to remaining a significant threat in the ransomware landscape. The group’s persistence in attacking ESXi servers emphasizes the importance of securing critical infrastructure against the latest threats.”
How can security leaders defend against BlackByte or similar tactics?
To protect against these advanced attacks, Guccione recommends regularly hardening and patching ESXi hosts to address vulnerabilities promptly. Implementing multi-factor authentication for remote access, auditing VPN configurations, and monitoring privileged access are crucial in reducing the risk of compromise. Securing authentication protocols, disabling unused vendor accounts, and maintaining strong detection capabilities for unauthorized changes are essential in securing key systems from the increasingly sophisticated tactics employed by ransomware groups like BlackByte.
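Two of those recommendations, hardening ESXi hosts and detecting unauthorized changes, can be made concrete for CVE-2024-37085. By default an AD-joined ESXi host automatically grants full administrative rights to members of a domain group named "ESX Admins", which is what the flaw abuses, and the vendor's mitigation is to change the ESXi advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd and Config.HostAgent.plugins.hostsvc.esxAdminsGroup. The Python script below is an added example (not code from the article, from Talos IR, or from VMware): it audits those two settings as parsed from `esxcli system settings advanced list` output, and scans exported Windows Security events for the creation or rename of a domain group matching the host's configured admin group. The esxcli output, the event records, their field names and the hostnames are constructed for the example; matching the group name case-insensitively is a defensive choice here, not a statement about how ESXi compares it.

```python
"""Hardening audit and AD event detection around CVE-2024-37085.

Added example, not the article's or any vendor's code.  Assumes:
  * esxcli output captured per host with
      esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/<name>
    in its usual "   Key: value" layout (sample text below is constructed);
  * Windows Security events already exported as dicts whose keys follow the
    EventData field names (SubjectUserName, TargetUserName, SamAccountName).
"""
import re

ESX_ADMINS_GROUP = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroup"
ESX_ADMINS_AUTOADD = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd"
DEFAULT_GROUP = "ESX Admins"

# Security-enabled group lifecycle events (global / local / universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # a rename shows up here with a new SamAccountName

# Constructed esxcli output: factory defaults, i.e. the vulnerable state.
SAMPLE_ESXCLI_DEFAULT = """\
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   Int Value: 0
   Default Int Value: 0
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: Active Directory group with full admin rights on this host

   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: integer
   Int Value: 1
   Default Int Value: 1
   String Value:
   Default String Value:
   Description: Automatically grant the esxAdminsGroup admin rights on join
"""

# Constructed output after mitigation: auto-add disabled, group renamed.
SAMPLE_ESXCLI_HARDENED = SAMPLE_ESXCLI_DEFAULT.replace(
    "String Value: ESX Admins", "String Value: hv-admins-7f2c").replace(
    "Int Value: 1", "Int Value: 0")

# Constructed Security events from a domain controller (not real data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-08-01T02:13:44Z", "EventID": 4727,
     "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"TimeCreated": "2024-08-01T02:15:10Z", "EventID": 4737,
     "SubjectUserName": "svc_backup", "TargetUserName": "Helpdesk",
     "SamAccountName": "esx admins"},
    {"TimeCreated": "2024-08-01T02:16:00Z", "EventID": 4728,
     "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"TimeCreated": "2024-08-01T03:00:00Z", "EventID": 4727,
     "SubjectUserName": "jdoe", "TargetUserName": "Finance"},
]


def parse_esxcli_advanced(text):
    """Turn esxcli advanced-settings output into {path: {key: value}}."""
    settings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s?(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Path":
            current = settings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return settings


def esxi_findings(settings):
    """Return hardening findings for one host; an empty list means mitigated."""
    group = settings.get(ESX_ADMINS_GROUP, {}).get("String Value", DEFAULT_GROUP)
    auto_add = settings.get(ESX_ADMINS_AUTOADD, {}).get("Int Value", "1")
    if auto_add == "0":
        return []  # with auto-add off the group name no longer grants anything
    findings = [f"esxAdminsGroupAutoAdd enabled: AD group '{group}' is auto-granted Admin"]
    if group.lower() == DEFAULT_GROUP.lower():
        findings.append("esxAdminsGroup still uses the well-known default 'ESX Admins'")
    return findings


def suspicious_group_events(events, watched=(DEFAULT_GROUP,)):
    """Flag creation or rename of a group whose name matches a watched admin group.

    Returns (time, event_id, actor, group_name) tuples; membership changes such
    as 4728 are deliberately left out so the rule stays focused on the CVE path.
    """
    names = {w.lower() for w in watched}
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_CREATED:
            candidates = [ev.get("TargetUserName", "")]
        elif eid in GROUP_CHANGED:
            candidates = [ev.get("TargetUserName", ""), ev.get("SamAccountName", "")]
        else:
            continue
        match = next((c for c in candidates if c.lower() in names), None)
        if match is not None:
            hits.append((ev.get("TimeCreated"), eid, ev.get("SubjectUserName"), match))
    return hits


if __name__ == "__main__":
    for label, text in (("esx-01 (defaults)", SAMPLE_ESXCLI_DEFAULT),
                        ("esx-02 (hardened)", SAMPLE_ESXCLI_HARDENED)):
        print(label, esxi_findings(parse_esxcli_advanced(text)) or "OK")
    for hit in suspicious_group_events(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

In practice the esxcli text comes from each host (or from PowerCLI's `Get-AdvancedSetting` if you manage through vCenter), and the event list from whatever ships Security logs off the domain controllers; the detection should also watch whatever non-default name you set in esxAdminsGroup, since after the rename that name becomes the one worth creating.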