FBI releases joint Advisory with U.S. Secret Service against BlackByte ransomware

On Friday 11^th of February 2022, the US Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory with the U.S. Secret Service (USSS) about indicators of compromise associated with BlackByte ransomware. The joint advisory alert details indicators of compromise (IOCs) from previous BlackByte ransomware attack which organisations can use to detect and defend against future BlackByte’s attacks. The joint advisory also reveals “as of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).”

Some of the key IOCs associated with BlackByte activity that have been shared include MD5 hashes of suspicious ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands the ransomware operators used during their attacks.

The joint Advisory also listed recommended measures which organisations should take to mitigate possible future BlackByte ransomware attacks:

• Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
• Implement network segmentation, such that all machines on your network are not accessible from every other machine.
• Install and regularly update antivirus software on all hosts and enable real time detection.
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Use double authentication when logging into accounts or services.
• Ensure routine auditing is conducted for all accounts.
• Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.