Analysis of BlackByte Ransomware’s Go-Based Variants
May 2022 by Zscaler
Zscaler has released a new blog titled Analysis of BlackByte Ransomware’s Go-Based Variants, which explores two variants of the Go-based implementation of BlackByte ransomware.
BlackByte is a Ransomware-as-a-Service (RaaS) group which has been targeting corporations worldwide since July 2021. More recently, the authors redeveloped the ransomware using the Go programming language. The BlackByte Go variant was used in attacks described in an FBI advisory that warned BlackByte had compromised numerous businesses, including entities in US critical infrastructure sectors.
The key points include:
• BlackByte is a full-featured ransomware family that first emerged around July 2021
• The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021
• The threat group exfiltrates data prior to deploying ransomware and leaks the stolen information if a ransom is not paid
• The group has demanded multi-million dollar ransoms from some victims
• BlackByte ransomware employs various anti-analysis techniques including a multitude of dynamic string obfuscation algorithms
• In early versions of the ransomware, file encryption utilized a hardcoded 1,024-bit RSA public key along with a 128-bit AES key that was derived from a file retrieved from a command and control server
• More recent BlackByte versions use Curve25519 Elliptic Curve Cryptography (ECC) for asymmetric encryption and ChaCha20 for symmetric file encryption