Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks

The BlackByte ransomware gang is only posting a fraction of its successful attacks on its leak site this year, according to researchers from Cisco. 

The company’s cybersecurity arm, Talos, said it believes the group is only creating extortion posts for about 20% to 30% of its successful attacks. 

An analysis of the group's leak site shows it posted 41 victims in 2023 and just three so far in 2024. BlackByte has been highly active this year, but it’s unclear why the group isn’t posting more leaks, Cisco Talos said.  

BlackByte is responsible for several high-profile attacks on local governments like Newburgh, New York, and Augusta, Georgia, as well as organizations like the San Francisco 49ers and Yamaha. 

Cisco Talos researchers said several recent incident response investigations they participated in revealed that the group is evolving rapidly — often leading the way in exploiting vulnerabilities like CVE-2024-37085, a bug in ESXi software  highlighted by Microsoft last month. 

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers said. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.”

The researchers said the ransomware-as-a-service (RaaS) group is believed to be an offshoot of the now-defunct Conti operation that emerged in late 2021. 

BlackByte has a history of scanning for and exploiting public-facing vulnerabilities, according to Cisco Talos, but the flexibility afforded by the RaaS model “allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling.” 

Critical Start cyberthreat researcher Callie Guenther said the exploitation of CVE-2024-37085 stood out because the products it affects — VMware ESXi hypervisors that allow servers to run multiple virtual machines and efficiently allocate computing resources. The focus on ESXi hypervisors by groups like BlackByte is particularly concerning because the technology is often central to the IT infrastructure and vital business applications of enterprises, she added.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she said.