The BlackByte ransomware operators leverage the ProxyShell Microsoft Exchange vulnerabilities for initial access, along with Cobalt Strike for lateral movement. First, the attacker installs web shells on the compromised machine. Web shells are small scripts uploaded to web servers that allow a threat actor to gain persistence on a device and to remotely execute commands or upload additional files to the server. The planted web shell is then used to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process. After taking over the account, the adversaries install the AnyDesk remote access tool and then proceed to the lateral movement stage.
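As an added defensive example (not part of the original write-up), the following Python correlates constructed endpoint events onto the three stages described above: web-shell activity under the IIS worker process, the Windows Update Agent client (wuauclt.exe) connecting to a destination outside an allowlist, and AnyDesk appearing on a host. The event field names, the allowlist and the sample events are assumptions, not a real telemetry schema.

```python
from collections import defaultdict

# Constructed sample telemetry for this example (field names are assumed, not a real product schema).
EVENTS = [
    {"host": "exch01", "type": "process", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"host": "exch01", "type": "netconn", "image": "wuauclt.exe", "dst": "203.0.113.10"},
    {"host": "exch01", "type": "process", "parent": "cmd.exe", "image": "AnyDesk.exe"},
    {"host": "ws07", "type": "netconn", "image": "wuauclt.exe", "dst": "update.example-allowlisted.net"},
    {"host": "ws07", "type": "process", "parent": "explorer.exe", "image": "AnyDesk.exe"},
]

# Assumed allowlist of destinations the Windows Update Agent legitimately contacts.
UPDATE_ALLOWLIST = {"update.example-allowlisted.net"}


def stage_of(event):
    """Map one event to a stage of the chain described above, or None if it looks benign."""
    image = event["image"].lower()
    if event["type"] == "process":
        # Web shell: the IIS worker process (w3wp.exe) spawning an interactive shell.
        if event["parent"].lower() == "w3wp.exe" and image in {"cmd.exe", "powershell.exe"}:
            return "web_shell"
        # Follow-on tooling: AnyDesk appearing where it is not expected.
        if image == "anydesk.exe":
            return "anydesk"
    # Injected beacon: the Windows Update Agent client reaching a destination outside the allowlist.
    if event["type"] == "netconn" and image == "wuauclt.exe" and event["dst"] not in UPDATE_ALLOWLIST:
        return "update_agent_c2"
    return None


def correlate(events):
    """Group matched stages per host so individually weak signals can be weighed together."""
    stages = defaultdict(set)
    for ev in events:
        s = stage_of(ev)
        if s:
            stages[ev["host"]].add(s)
    return dict(stages)


def hosts_to_escalate(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print(correlate(EVENTS))
    print(hosts_to_escalate(EVENTS))
```

A single AnyDesk install (ws07) stays below the escalation threshold, while the Exchange server showing all three stages is escalated.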