The BlackByte ransomware group typically utilizes tactics, techniques and procedures (TTPs) that leverage vulnerable drivers to evade security measures to deploy a self-spreading ransomware encryptor. However, recent investigations by Talos IR reveal that BlackByte is deploying techniques that vary from its typical methods. BlackByte was observed exploiting a vulnerability in VMware ESXi (CVE-2024-37085), allowing for an authentication bypass.

Darren Guccione, CEO and Co-Founder at Keeper Security, comments, “The exploitation of CVE-2024-37085 represents an aggressive approach by BlackByte. It demonstrates a shift toward quickly iterating and updating tooling to capitalize on vulnerabilities at speed, before organizations are able to bolster their defenses. As ransomware groups like BlackByte continue to evolve their TTPs, organizations must invest in adaptive security measures that can keep up with the ever-evolving threat environment.

“The exploitation of vulnerabilities in ESXi by BlackByte and similar threat actors indicates a focused effort to compromise the core infrastructure of enterprise networks. Given that ESXi servers often host multiple virtual machines, a single successful attack can cause widespread disruption, making them a prime target for ransomware groups. BlackByte’s evolution to using advanced programming languages like C/C++ in their latest encryptor, BlackByteNT, reflects their intent to make their malware more resistant to detection and analysis with sophisticated anti-analysis and anti-debugging techniques.”

Why did BlackByte change tactics? 

Heath Renfrow, Co-founder of Fenix24, offers the following suggestion for why BlackByte may have adjusted its methods, saying, “The reason for this pivot is most likely due to the effectiveness and the number of systems still tied into Active Directory (AD), either directly or through vCenter. Gaining this level of access provides a one-stop shop where attackers can deploy their ransomware or move laterally to other hypervisors.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, elaborates, “Traditionally, ransomware groups rely on well-established techniques to gain initial access, escalate privileges, and execute their malicious payloads. However, the exploitation of a new, recently disclosed vulnerability (CVE-2024-37085) in VMware ESXi hypervisors indicates a strategic pivot.

“Previously, BlackByte and similar groups have frequently relied on exploiting known vulnerabilities in widely used software (e.g., ProxyShell vulnerabilities in Microsoft Exchange) or leveraging phishing campaigns and brute-force attacks to gain access. They have used web shells, Cobalt Strike, and credential-stealing tools like Mimikatz to move laterally across networks and escalate privileges within compromised environments. The group has historically used methods such as process hollowing, registry modifications, and manipulation of system components like Volume Shadow Copies to ensure the success of their ransomware execution.

“By exploiting CVE-2024-37085, BlackByte is demonstrating an ability to quickly integrate new vulnerabilities into their toolkit, moving away from purely relying on older, well-known techniques. This shift shows that they are willing to adopt cutting-edge methods to improve the effectiveness of their attacks. VMware ESXi hypervisors are critical in many enterprise environments, often hosting multiple virtual machines that run vital business applications. Targeting such infrastructure allows the attackers to cause significant disruption, increasing the pressure on victims to pay the ransom.”

Why is this significant? 

Guenther explains, “The focus on VMware ESXi hypervisors by groups like BlackByte is particularly concerning because these servers are often central to the IT infrastructure of enterprises. By compromising an ESXi server, attackers can potentially disrupt or gain control over multiple virtual machines running critical services, magnifying the impact of the attack. The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts.

“Overall, BlackByte’s ability to adapt and leverage both new vulnerabilities and sophisticated techniques like BYOVD reflects their intent to remain a potent threat in the ransomware landscape. The group's persistence in attacking ESXi servers highlights the importance of keeping such critical infrastructure updated and secured against the latest threats.”

How can security leaders defend against BlackByte or similar tactics? 

To protect against these sophisticated attacks, Guccione advises, “Defending against these threats requires regularly hardening and patching ESXi hosts to address vulnerabilities swiftly. Implementing multi-factor authentication for remote access, auditing VPN configurations and closely monitoring privileged access are essential to minimizing the risk of compromise. Additionally, securing authentication protocols, disabling unused vendor accounts and maintaining robust detection capabilities for unauthorized changes are crucial to securing these key systems from the increasingly sophisticated tactics we’re seeing from ransomware groups like BlackByte.”