BlackByte Adopts New Tactics, Targets ESXi Hypervisors

Written by

The ransomware group BlackByte, believed to be a spin-off of the infamous Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability to gain control over virtual machines and escalate privileges within compromised environments. 

The pivot, discovered by Cisco Talos Incident Response, shows BlackByte’s ability to quickly integrate new vulnerabilities into its toolkit.

Exploitation of ESXi Vulnerability

BlackByte has been observed leveraging CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, allowing attackers to gain full administrative access to hypervisors. 

According to Callie Guenther, senior manager at Critical Start, this approach marks a significant departure from BlackByte’s traditional techniques, such as exploiting known vulnerabilities in widely used software like Microsoft Exchange or using phishing and brute-force attacks. 

“By exploiting CVE-2024-37085, BlackByte is demonstrating an ability to quickly integrate new vulnerabilities into their toolkit, moving away from purely relying on older, well-known techniques,” Guenther said.

VMware ESXi hypervisors are critical in many enterprise environments, often hosting multiple virtual machines that run vital business applications. Targeting such infrastructure allows the attackers to cause significant disruption, increasing the pressure on victims to pay the ransom.”

Sophisticated Ransomware Techniques

Once inside the network, BlackByte quickly escalates privileges, often creating and manipulating Active Directory domain objects to gain control over critical systems. 

The group’s use of “Bring Your Own Vulnerable Driver” (BYOVD) techniques, where they deploy outdated or flawed drivers to disable security tools, further complicates detection and remediation efforts. 

The latest ransomware variant observed by Talos Incident Response used built-in credentials stolen from victims, demonstrating a high degree of customization and a move toward more complex anti-analysis measures.

Read more on evolving ransomware tactics: Building Resilience Against Evolving DDoS and Ransomware Attacks

Heath Renfrow, co-founder of Fenix24, noted that by exploiting this vulnerability, “attackers are granted administrative privileges over the ESXi hypervisor,” giving them control over multiple virtual machines, which increases the overall impact of the attack. 

This level of access allows for seamless lateral movement, data exfiltration and ransomware deployment across critical infrastructure.

Implications for Cybersecurity Defenders

According to security experts, BlackByte’s quick adaptation to emerging vulnerabilities underscores the challenges faced by security defenders. 

Darren Guccione, CEO of Keeper Security, emphasized the importance of hardening and patching critical systems like ESXi to address vulnerabilities swiftly. 

“BlackByte’s evolution to using advanced programming languages like C/C++ in their latest encryptor, BlackByteNT, reflects their intent to make their malware more resistant to detection and analysis with sophisticated anti-analysis and anti-debugging techniques,” Guccione explained.

“Defending against these threats requires regularly hardening and patching ESXi hosts to address vulnerabilities swiftly.”

To counter these threats, experts also recommend implementing multi-factor authentication (MFA), auditing VPN configurations, closely monitoring privileged access and disabling unused vendor accounts.

Image credit: T. Schneider / Shutterstock.com

What’s hot on Infosecurity Magazine?