If you’re hit by the BlackByte ransomware gang you now have à la carte options for paying them off, including delaying the consequences by 24 hours. This new “innovation” is part of a chain of experiments with data leak sites as ransomware outfits look to keep their names in the press and perhaps stumble across new techniques that boost their payment numbers.
This also marks a return to the market for BlackByte ransomware, which had appeared to take several months off (perhaps for an extended summer vacation) after a busy start to the year that included heavy targeting of critical infrastructure companies throughout the world.
Payment tiers added to prominent ransomware gang’s data leak site
The BlackByte ransomware gang showed off its new data leak site with its apparent first victim in some time, making prices for this unfortunate party visible: $5,000 to extend their “doomsday clock” by 24 hours, $200,000 to recover a copy of their stolen data, or $300,000 to have it destroyed and avoid the public exposure. However, security researchers noted that the payment options were nonfunctional for some time due to an error in placing the payment addresses.
Of the three options, the one to extend the clock seems most likely to be selected by victims. This could actually be helpful to them, giving them more time to coordinate a response and determine the extent of the attack (in addition to giving law enforcement more time to attempt to trace and claw back any eventual payments).
But the ultimate point of these options is likely to be about free media coverage rather than increasing profits. There has been a long chain of stunts of this nature playing out over the last three years, from “double extortion” to “triple extortion” to customer service chat portals for victims. The BlackByte ransomware group was likely inspired by contemporaries LockBit, who drummed up a lot of attention earlier in the summer by touting a new bug bounty program on their own data leak site. The “2.0” rebrand for BlackByte is likely a direct copy of LockBit’s similar move to the “3.0” version of their operations.
BlackByte ransomware gang less skilled than top outfits, but fearless and highly active
Believed to be based in Russia, the BlackByte ransomware gang has been operating since mid-2021. While it has been one of the most prolific groups over the past year, and one of the least hesitant to go after critical infrastructure, it is not considered one of the most advanced or skilled. The group ran into trouble right out of the gate when it was found to be using the same encryption key for all of its victims, which allowed a security firm to publish a free decryptor in October; it has since rebounded and improved its methods.
The BlackByte data leak site takes the increasingly standard approach of threatening to dump stolen victim data to the public (in addition to encrypting files with ransomware). Some security researchers warn that paying the group to “destroy” data may be futile as they have been observed selling it privately via an underground Tor site. No improvements to the gang’s ransomware have been spotted as of yet; the tweaks to the data leak site appear to be the whole of its “2.0” rebrand.