Blacktail Ransomware Targets Windows, Linux & VMware


A ransomware operation named ‘Buhti’ is targeting Windows, Linux and VMware systems using the leaked code of the LockBit and Babuk ransomware. The threat actors behind the operation are being tracked under the name ‘Blacktail.’

For Blacktail’s Windows-based attacks, they use a modified LockBit 3.0 variant named “LockBit Black,” a tool leaked on Twitter by a disgruntled developer in September 2022. Once the variant infiltrates a system, it encrypts files, making them inaccessible to the user, and leaves a note demanding a ransom for their release. Further specifics of the modified variant are yet to be learned.

For Linux attacks, Blacktail leverages a payload based on the Babuk source code that was posted on a Russian-speaking hacking forum in September 2021. Babuk’s proven ability to compromise VMware ESXi and Linux systems makes it attractive to several ransomware groups.

Blacktail also has its own custom exfiltration tool used to blackmail victims, employing a tactic known as “double extortion.” This tool is a Go-based stealer that accepts command-line arguments specifying the targeted directories in the filesystem. The tool collects a wide range of file types, copies them into a ZIP archive, and exfiltrates the archive to Blacktail’s servers.

The emergence of Blacktail and its ransomware operation, Buhti, showcases how swiftly threat actors can become operational using readily available ransomware tools.

Acreto Solution

Acreto’s robust solutions can be leveraged to address and counteract the threats posed by Blacktail. Here’s how:

  • By creating dedicated security infrastructure per application or use-case, Acreto’s ecosystems effectively isolate systems targeted by Blacktail, reducing the risk of wider network compromise. The ability to limit access to only those users, devices, systems, and applications that need to interoperate could provide an additional layer of security, making it harder for Blacktail to move laterally across networks.

  • By eliminating all access from the internet while allowing interoperation among authorized systems, Acreto’s ecosystems minimize the attack surface available to Blacktail. Micro-segmentation and nano-segmentation could further restrict access and isolate data flows, making it difficult for Blacktail to infiltrate and exfiltrate data.

  • Encrypted Secure Scan: This feature would be valuable in detecting and blocking any malicious content embedded in encrypted payloads used by Blacktail. By decrypting, scanning, and re-encrypting communications in real-time, Acreto could effectively catch Blacktail in its tracks.

  • Acreto’s range of control features would allow fine-grained monitoring and restriction of network protocol, application protocol, application program, and content, potentially detecting and blocking Blacktail’s activities. The data leak prevention feature could further limit the ability of Blacktail to exfiltrate sensitive data.

  • Acreto’s threat prevention capabilities, encompassing both known threats and zero-day behavioral analysis, help detect and block Blacktail’s ransomware activities, preventing them from causing harm.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, limiting access only to the systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device: Assigns a unique identity to each device so that a device that does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated and allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, choose the desired bandwidth, and within a few minutes your Ecosystem, with its dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only the members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because each Ecosystem is specific to a customer scenario such as an application, use-case, project or third-party, all of its policies apply to that scenario. Moreover, when it’s time for policy cleanup because an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

  • Leaked Ransomware Code Usage: Blacktail uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.

  • Double-Extortion Tactic: The group has created a custom data exfiltration utility that they use to blackmail victims, a tactic known as “double-extortion.”

    • When attacks are successful, the wallpaper of compromised computers is altered to display a ransom note, and all encrypted files receive the “.buthi” extension.

  • LockBit Black Creation: For attacks on Windows, Blacktail uses a slightly modified LockBit 3.0 variant codenamed “LockBit Black.”

  • File Encryption and Warning: Successful attacks change the wallpaper of the breached computers to tell victims to open the ransom note, while all encrypted files receive the “.buthi” extension.

  • Babuk Payload for Linux Attacks: For Linux attacks, Blacktail uses a payload based on the Babuk source code.

  • Exploitation of Vulnerabilities: The group exploits vulnerabilities like CVE-2023-27350 and CVE-2022-47986 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials and move laterally into compromised networks, steal files, launch additional payloads, and more.

  • Use of Custom Exfiltration Tool: Blacktail uses its own custom exfiltration tool, a Go-based stealer that accepts command-line arguments specifying the targeted directories in the filesystem.

  • File Type Targeting: The exfiltration tool targets a wide array of file types for theft, which are then copied into a ZIP archive and later exfiltrated to Blacktail’s servers. These file types include:

    • pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml.
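As an added, defender-side example that is not part of the original article or of Acreto’s tooling: a Python triage helper that walks a directory tree for the two indicators listed above, files renamed with the “.buthi” extension and ZIP archives whose contents are dominated by the file types the stealer collects. The thresholds (five or more entries, 80% matching), the function names and the sample tree it builds are assumptions constructed for illustration.

```python
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".buthi"  # extension the article says encrypted files receive
# File types the article says the Go-based stealer collects.
STEALER_TYPES = set("pdf php png ppt psd rar raw rtf sql svg swf tar txt wav wma "
                    "wmv xls xml yml zip aiff aspx docx epub json mpeg pptx xlsx yaml".split())

def find_encrypted(root):
    """Paths of files renamed with the ransomware extension (already encrypted)."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower().endswith(RANSOM_EXT))

def archive_profile(path):
    """Count a ZIP's entries by extension; a corrupt archive counts as empty."""
    try:
        with zipfile.ZipFile(path) as zf:
            return Counter(Path(i.filename).suffix.lower().lstrip(".")
                           for i in zf.infolist() if not i.is_dir())
    except zipfile.BadZipFile:
        return Counter()

def staged_archives(root, min_files=5, min_ratio=0.8):
    """ZIPs that look like stealer staging: mostly the collected file types (assumed thresholds)."""
    flagged = []
    for p in Path(root).rglob("*.zip"):
        counts = archive_profile(p)
        total = sum(counts.values())
        matched = sum(n for ext, n in counts.items() if ext in STEALER_TYPES)
        if total >= min_files and matched / total >= min_ratio:
            flagged.append((str(p), matched, total))
    return flagged

def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root)
        for name in ["budget.xlsx.buthi", "plan.docx.buthi", "notes.txt"]:
            (d / name).write_bytes(b"x")
        with zipfile.ZipFile(d / "loot.zip", "w") as zf:   # stealer-style staging
            for n in ["a.pdf", "b.docx", "c.sql", "d.json", "e.xlsx", "f.yaml"]:
                zf.writestr(n, "data")
        with zipfile.ZipFile(d / "build.zip", "w") as zf:  # benign archive
            for n in ["app.exe", "lib.dll", "x.o", "y.o", "z.o"]:
                zf.writestr(n, "bin")
        return find_encrypted(root), staged_archives(root)
```

On the constructed tree, demo() reports the two renamed files and flags only loot.zip, leaving the benign build.zip alone.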


About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.
