BlackByte attacks Encina Wastewater Authority

Encina Wastewater Authority has reportedly been attacked by the BlackByte ransomware group. Allegedly, the exfiltrated data includes invoices, contracts, payroll records, project details, HR documents, and employees’ personal details. The Encina Wastewater Authority (EWA) is a public agency located in Carlsbad, California. EWA provides wastewater treatment services to more than 379,000 residents in northwestern San Diego County. EWA’s facilities and services are essential for protecting the local ocean environment, preserving public health, and providing valuable water resources for the region. BlackByte is a RaaS that first emerged around July of 2021, and it has similarities to LockBit v2.0 in terms of advanced obfuscation capabilities. BlackByte is assessed to be Russian-operated, given they abort attacks on Cyrillic language systems. They made headlines when they attacked the San Francisco 49ers and the City of Augusta, but it was their targeting of critical infrastructure targets that earned them an alert from CISA and the FBI in 2022. BlackByte attack volumes were modest in 2022 compared to leading ransomware operators and were on pace to more than double in 2023. Ransom demands from BlackByte vary by target but have been observed to be in the millions of dollars, with a published $2 million dollar ransom levied against the City of Augusta in 2022. The BlackByte RaaS serves up multiple variants of ransomware, including versions written in Go, C, and .NET. Operators have exploited ProxyShell vulnerabilities for ingress and leveraged tools like Cobalt Strike and WinRAR. BlackByte uses its own custom exfiltration tool called Exbyte. BlackByte capabilities include bypassing security tools, process hollowing, and modification of Windows Firewall, VSS, as well as registry key values. BlackByte deploys Cobalt Strike beacons, abuses vulnerable drivers to evade security, and deploys custom backdoors to exfiltrate victim data. The group targets U.S. and global organizations in the energy, agriculture, financial services, and public sectors. BlackByte exfiltrates victim data for double extortion and maintains a leak site where it exposes or sells victim data. The operators even go so far as to link the auction site in the ransom note to scare victims.