The US Federal Bureau of Investigation (FBI) announced that the BlackByte ransomware group has breached the networks of at least three organizations from critical US infrastructure sectors over the past three months.
This was first revealed in a joint cybersecurity advisory released on Friday with the US Secret Service.
“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture),” the FBI said. “BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.”
The advisory focused on providing indicators of compromise (IOCs) that organizations can use to detect and protect themselves against BlackByte’s attacks.
The IOCs shared in the advisory for the BlackByte attacks include some ASPX files discovered on compromised Microsoft Internet Information Services (IIS) servers and a list of commands the ransomware threat actors used during attacks.
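The advisory's file-based IOCs are only useful if they are actually run against the servers that could carry the ASPX files. As an added example (not code from the advisory, the FBI or BlackByte research), the Python below walks an IIS webroot, hashes every ASP.NET script file and flags any whose SHA-256 appears in an IOC set. The IOC hash set passed in is a placeholder; the real values are the ones published in the advisory, and the sample webroot is constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Placeholder only: the advisory publishes the real SHA-256 values for the ASPX files
# seen on compromised IIS servers. Substitute those when running this for real.
PLACEHOLDER_IOC_HASHES = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# File types ASP.NET executes server-side; a dropped script file will carry one of these.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(webroot, ioc_hashes, suffixes=SCRIPT_SUFFIXES):
    """Return one finding per script file under webroot: path, hash and whether it matches an IOC."""
    findings = []
    for path in Path(webroot).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = sha256_file(path)
            findings.append({
                "path": str(path),
                "sha256": digest,
                "ioc_match": digest in ioc_hashes,
            })
    return findings


def demo():
    """Constructed sample webroot: a benign page plus one file whose hash we treat as an IOC."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_text('<%@ Page Language="C#" %>\n<html>hello</html>\n')
        dropped = root / "temp"
        dropped.mkdir()
        (dropped / "x.aspx").write_text("constructed sample content, not a real web shell\n")
        # Stand-in for the advisory's hash list: the hash of the constructed sample file.
        iocs = {sha256_file(dropped / "x.aspx")}
        findings = scan_webroot(root, iocs)
        return sorted((Path(f["path"]).name, f["ioc_match"]) for f in findings)


if __name__ == "__main__":
    for name, matched in demo():
        print(f"{name}: {'IOC MATCH' if matched else 'no match'}")
```

In production, point `scan_webroot` at the IIS webroot (for example `C:\inetpub\wwwroot`) with the advisory's hash list, and treat any script file that is not in your deployment's own manifest as worth a closer look even if its hash does not match, since an attacker can trivially change a file's hash.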
On Saturday, the NFL’s San Francisco 49ers confirmed in a media statement that they fell victim to a ransomware attack by BlackByte (which claimed to have stolen data from the organization). The 49ers said that the attack caused a temporary disruption to sectors of their IT network.
BlackByte’s ransomware operation has been active since at least July, when it first started targeting corporate victims worldwide.
The gang is known for exploiting security vulnerabilities (including those in Microsoft Exchange Server) in order to gain initial access to a corporate network.
The agencies concluded the joint cybersecurity advisory by sharing a list of preventive measures that admins could deploy to help defend against BlackByte ransomware attacks.