The Increasing Menace of Small Ransomware Syndicates
In recent years, ransomware operations have emerged as highly profitable cybercrime schemes. Numerous companies have suffered immense financial, data, and reputation losses due to such attacks. Typically, cybersecurity researchers tend to concentrate on prominent ransomware groups that run extensive Ransomware-as-a-Service (RaaS) operations. These groups usually comprise highly skilled developers and cybercriminals, sometimes even receiving backing from state-sponsored entities.
The abundance of technical information on ransomware operations has led to the emergence of new players in this space. Despite lacking a data leak blog or engaging in high volumes of activities, these groups are developing their toolkits and evolving their tactics to target larger organizations without much attention from cybersecurity experts.
Cyble Research and Intelligence Lab (CRIL) noticed one such variant of ransomware, BlackBit. In September 2022, BlackBit ransomware was first discovered. The absence of any leak site activity implies that the ransomware is not currently extracting data from victim systems. We suspect that it may still be in its early stages of operation.
AhnLab recently published an article indicating that this particular ransomware is being distributed in Korea. BlackBit Ransomware is a LokiLocker ransomware variant that works on the RaaS model. The source code of the BlackBit indicates the ransomware is a copy of the LokiLocker with some cosmetic changes such as icons, name, color scheme, etc.
BlackBit ransomware is a sophisticated strain with several capabilities to establish persistence, defense evasion, and impair recovery. Additionally, it incorporates three distinct methods for presenting payment information to the victim. The methods include dropping ransom notes, displaying pop-ups when the victim tries to open encrypted files, and presenting an HTA page via mshta.exe.
Technical Details
The ransomware binary we analyzed is a 32-bit executable built using a .NET compiler and protected with .NET Reactor. The file is named “svchost.exe” and has a SHA256 hash of 1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f. In addition to being packed, the ransomware employs virtual functions and multithreading techniques to complicate analysis.
More information on the BlackBit Ransomware file is provided in the figure below.
Kill Switch
When the ransomware is executed, it first checks the keyboard layout of the victim’s system using a killswitch. If the system language is determined to be Persian, the ransomware terminates itself. However, if the language is not Persian, the ransomware proceeds with further operations. The figure below shows the ransomware is comparing the system language with “Persian”.
Mutex
Once the ransomware has identified a system to infect, it creates a mutex object and locks it to ensure that only one instance of the ransomware is running at any given time. This helps to prevent conflicts between multiple instances of ransomware and ensures that the ransomware is executed in a controlled and predictable manner.
The figure below shows the ransomware successfully Locking mutex.
Persistence
Subsequently, the ransomware establishes persistence on the infected system by copying itself to various locations. Specifically, it drops a copy of itself in the “C:\ProgramData\” and “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folders and renames itself as “winlogon.exe”. This ensures that the ransomware is executed automatically when the system starts, or the user logs in. The figure below shows that the ransomware drops itself into the startup folder.
After establishing the startup entry, it copies itself within the “C:\Users<user>\AppData\Roaming” folder, disguised as “winlogon.exe”. The ransomware is dropped as a hidden file to conceal its presence, making it invisible to victims. Subsequently, it creates a Task Scheduler entry for the “winlogon.exe” file using the command:
- schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users<user>\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
This entry ensures that the ransomware executes each time a user logs into the system.
The below figure shows the Task Scheduler entry created by the BlackBit Ransomware.
Impairing Data Recovery
After this, it executes specific commands via cmd.exe to remove all backups from the infected system. BlackBit uses multithreading to execute individual commands to impair recovery, such as deleting shadow copies and system backup. Ransomware also disables recovery mode in the system.
The ransomware uses the following commands to disable data backup:
- “C:\Windows\System32\cmd.exe” /C vssadmin delete shadows /all /quiet
- “C:\Windows\System32\cmd.exe” /C wbadmin DELETE SYSTEMSTATEBACKUP
- “C:\Windows\System32\cmd.exe” /C wmic shadowcopy delete
- “C:\Windows\System32\cmd.exe” /C wbadmin delete catalog -quiet
- “C:\Windows\System32\cmd.exe” /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- “C:\Windows\System32\cmd.exe” /C bcdedit /set {default} recoveryenabled no
Disabling Windows Defender and Firewalls
Following the removal of all backups and recovery, the ransomware proceeds to disable windows defender and the system’s firewall. This is achieved by executing a set of commands through a batch file using cmd.exe. Initially, the ransomware employs the following commands to disable Windows Defender:
- “C:\Windows\System32\cmd.exe” /C netsh advfirewall set currentprofile state off
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring: 0x00000001
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection: 0x00000001
- Set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
- Set registry value: 0x00000001 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware: 0x00000001
After disabling Windows Defender, the ransomware disables the firewall
- “C:\Windows\System32\cmd.exe” /C netsh firewall set opmode mode=disable
The figure below shows the BlackBit Code to disable the Windows Defender.
Disabling Task Manager
Additionally, BlackBit ransomware also disables the Task Manager to prevent monitoring of system processes and activities. It achieves this by dropping a batch file named “wvtymcow.bat” with a SHA256 hash of 708511c356493e41ca103db51b8df3fb57898ddb2bb7cf4f11560facde9425ed in the startup folder located at “C:\Users<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.
The batch file contains a single command, “REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f”.
The dropped file and the contents of the batch file are shown in the figure below.
Terminating Processes and Services
While disabling the security software, the ransomware also terminates several processes and stops specific services to ensure effective encryption of the victim’s files. The below table shows the processes targeted by the ransomware.
| Wxserver | wxserverview | sqlservr | Ragui |
| Supervise | Culture | rtvscan | Defwatch |
| Winword | qbw32 | qbdbmgr | Qbupdate |
| qbcfmonitorservice | axlbridge | qbidpservice | Httpd |
| Fdlauncher | msdtsrvr | tomcat6 | zhudongfangyu |
| vmware-usbarbitator64 | vmware-converter | dbsrv12 | Msftesql |
| Sqlagent | sqlbrowser | sqlwriter | Oracle |
| Ocssd | Dbsnmp | synctime | Agntsvc |
| mydesktopqos | isqlplussvc | xfssvccon | mydesktopservice |
| Ocautoupds | Agntsvc | encsvc | firefoxconfig |
| Tbirdconfig | Ocomm | Mysqld | mysqld-nt |
| mysqld-opt | dbeng50 | sqbcoreservice | Excel |
| Infopath | msaccess | mspub | Onenote |
| Outlook | powerpnt | steam | Thebat |
| thebat64 | thunderbird | Visio | Winword |
| Wordpad |
The ransomware also stops following services.
| defwatch | ccevtmgr | ccsetmgr | savroam |
| sqlserv | sqlagent | sqladhlp | culserver |
| rtvscan | sqlbrowser | qbidpservice | quickboooks.fcs |
| qbcfmonitorservice | sqlwriter | msmdsrv | tomcat6 |
| zhundongfangyu | vmware-usbarbitator64 | vmware-converter | dbsrv12 |
| dbeng8 | wrapper | mssqlserver | mssql$contoso1 |
| msdtc | sqlserveragent | vds |
Staging for encryption
Ransomware creates a registry key HKEY_CURRENT_USER\SOFTWARE\BlackBit, which contains full encryption keys, a public key, and a timer to delete the data, as shown below.
After creating the registry key, the ransomware drops Cpriv.KTBR at “C:\ProgramData”, which contains the full key in Base64 format. Ransomware also warns not to delete the file as it will result in complete data loss.
Encryption
Now the BlackBit ransomware proceeds with file encryption. The ransomware encrypts files excluding the extensions .exe, .dll, and .sys, to prevent permanent damage to the system. After encryption, the ransomware renames the filename in the following format.
- [RickyMonkey@onionmail.org] [Unique System ID]Actual -FileName.BlackBit
The below figure shows the encrypted files and their extensions.
Ransom Note
During the encryption process, BlackBit drops a ransom note named “Restore-My-Files.txt” that contains instructions for the victim to connect with the ransomware operators and includes the system ID for identification.
The figure below displays the ransom note dropped by BlackBit.
In addition to dropping the ransom note, the ransomware also creates the following registry entry :
- Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BlackBit\OpenWithList
The figure below shows the registry entry for the dujwyavn.exe.
This registry ensures that whenever victims try to open a file with a .BlackBit extension, the dujwyavn.exe executes automatically. The file dujwyavn.exe is dropped at C:\ProgramData as a hidden file that pops up a ransom window when the victim tries to open encrypted files.
The figure below shows the pop-up window.
When the victim clicks on the OK button, it again opens an HTA file using mshta.exe.
The figure below shows the code for dujwyavn.exe.
The figure below shows the contents of the ransom note shown by mshta.exe.
Some interesting behavior observed in this ransomware variant is that it continues to monitor the victim’s system even after encrypting their files, waiting for any new files to be created that can be encrypted. This means that if the victim creates new files or modifies existing ones, the ransomware will immediately encrypt them, adding the “.BlackBit” extension to their filename and locking the victim out of their data. This behavior allows the attackers to maximize the impact of their attack.
Conclusion
BlackBit Ransomware is a dangerous ransomware variant equipped with numerous malicious features. Although the full extent of its impact is not yet clear, our analysis suggests that BlackBit is a variant of LokiLocker ransomware. Ransomware such as BlackBit is on the rise, and we will continue to see more such ransomware in the future.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
- Refrain from opening untrusted links and email attachments without verifying their authenticity
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact of BlackBit Ransomware
- Loss of Valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1059 T1204 T1047 | Command and Scripting Interpreter User Execution Windows Management Instrumentation |
| Defense Evasion | T1564 T1070 | Hidden Window Delete shadow drive data |
| Discovery | T1082 T1083 T1057 | System Information Discovery File and Directory Discovery Process Discovery |
| Impact | T1486 T1490 | Data encrypted for impact Inhibit System Recovery |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 90bae9356dc021172d0ff06603e7a4cf 7fd07c934ce9b7c4ad902408ed528acf4ce32ddb 1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f | MD5 SHA1 SHA256 | BlackBit Ransomware executable |
| 9d898e39591f9a8b49fa27841acb7392 e9b35995bf772cd11be13bc5c9ac93c846f00405 b8ffd72534056ea89bfd48cbe6efb0b4d627a6284a7b763fdb7dfd070c1049ba | MD5 SHA1 SHA256 | BlackBit Ransomware executable |
| d37b49b0a53fd07895ca4dc956cbc459 2f052cc3e64870b8ac28efb2d79bc2b16dff3e8e 43c6aef23a90c742274d6db2148a5cb5027c82e94ba2db4ae4b4184956e370b5 | MD5 SHA1 SHA256 | BlackBit Ransomware executable |
| 8ead445620033ecee6c426cfbeac214b b04ccaa781be7521d50faa36db269f71ac56af58 cd29a952a51204f2e8744271b822c277b63ad8a54e3a6422e342eb9c53df0bda | MD5 SHA1 SHA256 | BlackBit Ransomware executable |
| bf528ecf7601043fe7931ed1fdd1d081 3cac81473dd91e7adf4516f1805bc5bdfeb562e4 b3324b629febeefb17201abb52bc66094b4ffb292f8aa3a549f39e7e11c63694 | MD5 SHA1 SHA256 | BlackBit Ransomware executable |
