BlackByte ransomware gang is back with new extortion tactics

The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.

After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls.

The threat actors are calling this new iteration of their operation BlackByte version 2.0, and while it is not clear if the ransomware encryptor has changed as well, the gang has launched a brand new Tor data leak site.

The data leak site only includes one victim at this time but now has new extortion strategies that allow victims to pay to extend the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000). These prices will likely change depending on the size/revenue of the victim.

However, as pointed out by cybersecurity intelligence firm KELA, BlackByte's new data leak site is not correctly embedding the Bitcoin and Monero addresses that "customers" can use to purchase or delete the data, making these new features currently broken.

The goal of these new extortion techniques is to allow the victim to pay to remove their data and for other threat actors to purchase it if they wish.

LockBit introduced these same extortion tactics with the release of their 3.0 version and are seen more as a gimmick than as viable extortion tactics.

Who is BlackByte?

The BlackByte ransomware operation launched in the summer of 2021 when the hackers began breaching corporate networks to steal data and encrypt devices.

Their highest-profile attack was against the NFL's 49ers, but a joint advisory from the FBI and Secret Service says they were also responsible for attacks on critical infrastructure sectors, including government facilities, financial, and food & agriculture.

The threat actors are known to breach networks using vulnerabilities and in the past have breached Microsoft Exchange servers using the ProxyShell attack chain.

In 2021, a flaw in the operation was found that allowed a free BlackByte decryptor to be created. Unfortunately, after the weakness was reported, the threat actors fixed the flaw.