BlackByte’s Sneaky Pivot: From Vulnerable Devices to VMware ESXi Exploits

BlackByte ransomware has shifted its focus to exploiting VMware ESXi hypervisors and using victim-sanctioned remote desktop software. Although thought to be a splinter from the defunct Conti group, BlackByte remains active, with many attacks going unreported as victims opt to pay ransoms.

Hot Take:

Ah, BlackByte, the chameleons of the ransomware world! Pivoting from vulnerable devices to VMware ESXi hypervisors faster than you can say “CVE-2024-37085.” It’s almost as if they’re trying to win the “Most Versatile Cybercriminals” award. And using remote desktop software sanctioned by the victim organization? That’s like robbing a bank with the bank manager’s own keys. Bravo, BlackByte, bravo. Just don’t expect an Oscar for this performance!

Key Points:

– BlackByte is now targeting flawed VMware ESXi hypervisors, leveraging CVE-2024-37085.
– They use remote desktop software sanctioned by victims, avoiding commercial alternatives.
– Only 20-30% of BlackByte’s successful attacks appear on their data leak site.
– BlackByte possibly emerged from the defunct Conti ransomware group.
– The group is known for using vulnerable drivers and legitimate commercial tools to bypass security measures.
