BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]

ID: G1043
Associated Groups: Hecamede
Contributors: Kaung Zaw Hein
Version: 1.0
Created: 16 December 2024
Last Modified: 09 March 2025

Associated Group Descriptions

Name Description
Hecamede [3]

Techniques Used

Domain ID Name Use
Enterprise T1134 .003 Access Token Manipulation: Make and Impersonate Token

BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.[4]

Enterprise T1087 .002 Account Discovery: Domain Account

BlackByte has used tools such as AdFind to identify and enumerate domain accounts.[4]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

BlackByte staged encryption keys on virtual private servers operated by the adversary.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BlackByte collected victim device information then transmitted this via HTTP POST to command and control infrastructure.[4]

Enterprise T1560 Archive Collected Data

BlackByte compressed data collected from victim environments prior to exfiltration.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BlackByte has used Registry Run keys for persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BlackByte used encoded PowerShell commands during operations.[1] BlackByte has used remote PowerShell commands in victim networks.[4]

.003 Command and Scripting Interpreter: Windows Command Shell

BlackByte executed ransomware using the Windows command shell.[1]

Enterprise T1136 .002 Create Account: Domain Account

BlackByte created privileged domain accounts during intrusions.[5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

BlackByte modified multiple services on victim machines to enable encryption operations.[3] BlackByte has installed tools such as AnyDesk as a service on victim machines.[4]

Enterprise T1486 Data Encrypted for Impact

BlackByte has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption, but later versions use unique keys per victim.[1][2][3][4][5]

Enterprise T1491 .001 Defacement: Internal Defacement

BlackByte left ransom notes in every directory where encryption took place.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.[1] BlackByte uses PowerShell commands to disable Windows Defender.[2]

Enterprise T1482 Domain Trust Discovery

BlackByte enumerated Active Directory information and trust relationships during operations.[1][4]

Enterprise T1480 Execution Guardrails

BlackByte stopped execution if the identified language settings on victim machines were Russian or one of several languages associated with former Soviet republics.[2] BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute.[5]

Enterprise T1041 Exfiltration Over C2 Channel

BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.[4]

Enterprise T1567 Exfiltration Over Web Service

BlackByte has used services such as anonymfiles.com and file.io to exfiltrate victim data.[2]

Enterprise T1190 Exploit Public-Facing Application

BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments.[1][2][3][4]

Enterprise T1068 Exploitation for Privilege Escalation

BlackByte has exploited CVE-2024-37085 in VMware ESXi software for authentication bypass and subsequent privilege escalation.[5]

Enterprise T1562 Impair Defenses

BlackByte removed Kernel Notify Routines to bypass endpoint detection and response (EDR) products.[3]

.001 Disable or Modify Tools

BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.[1][2][5]

.004 Disable or Modify System Firewall

BlackByte modified firewall rules on victim machines to enable remote system discovery.[2][3]

Enterprise T1070 .004 Indicator Removal: File Deletion

BlackByte deleted ransomware executables post-encryption.[2][3][4][5]

Enterprise T1105 Ingress Tool Transfer

BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.[4]

Enterprise T1490 Inhibit System Recovery

BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.[2][3]

Enterprise T1570 Lateral Tool Transfer

BlackByte transferred tools such as Cobalt Strike and the AnyDesk remote access tool during operations using SMB shares.[2]

Enterprise T1036 .008 Masquerading: Masquerade File Type

BlackByte masqueraded configuration files containing encryption keys as PNG files.[1]

Enterprise T1112 Modify Registry

BlackByte performed Registry modifications to escalate privileges and disable security tools.[2][5]

Enterprise T1046 Network Service Discovery

BlackByte has used tools such as NetScan to enumerate network services in victim environments.[4]

Enterprise T1135 Network Share Discovery

BlackByte enumerated network shares on victim devices.[5]

Enterprise T1003 OS Credential Dumping

BlackByte used tools such as Cobalt Strike and Mimikatz to dump credentials from victim systems.[2][4]

Enterprise T1055 Process Injection

BlackByte has injected Cobalt Strike into wuauclt.exe during intrusions.[2] BlackByte has injected ransomware into svchost.exe before encryption.[3]

.012 Process Hollowing

BlackByte used process hollowing for defense evasion purposes.[4]

Enterprise T1012 Query Registry

BlackByte queried registry values to determine system language settings.[2]

Enterprise T1219 Remote Access Tools

BlackByte has used tools such as AnyDesk in victim environments.[2][4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

BlackByte has used RDP to access other hosts within victim networks.[4][5]

.002 Remote Services: SMB/Windows Admin Shares

BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[2][4][5]

Enterprise T1018 Remote System Discovery

BlackByte used tools such as Arp to identify remotely-connected devices.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BlackByte created scheduled tasks for payload execution.[1][2]

Enterprise T1505 .003 Server Software Component: Web Shell

BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.[2][4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

BlackByte enumerated installed security products during operations.[4]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.[4]

Enterprise T1082 System Information Discovery

BlackByte used various system commands and tools to pull system information during operations.[1][3][4]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

BlackByte identified system language settings to determine follow-on execution.[2]

Enterprise T1016 System Network Configuration Discovery

BlackByte used tools such as Arp to pull system network information and identify connected devices.[1][4]

Enterprise T1569 .002 System Services: Service Execution

BlackByte created malicious services for ransomware execution.[3][5]

Enterprise T1078 Valid Accounts

BlackByte has gained access to victim environments through legitimate VPN credentials.[5]

.002 Domain Accounts

BlackByte captured credentials for or impersonated domain administration users.[4][5]

Enterprise T1047 Windows Management Instrumentation

BlackByte used WMI to delete Volume Shadow Copies on victim machines.[1]
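Shadow copy resizing and deletion through vssadmin and WMI (the Inhibit System Recovery and Windows Management Instrumentation rows above) is one of the more reliably detectable steps in an intrusion of this kind, because the commands are rarely run legitimately outside backup maintenance. The Python below is an added example, not part of this ATT&CK entry or of any of the reports it cites: it runs a small set of command-line patterns over constructed process-creation events and escalates hosts where more than one pattern fires. The event format, hostnames, account names and the exact command strings are assumptions made for the example; the patterns are generic shadow copy tampering commands, not indicators attributed to BlackByte on this page.

```python
import re

# Constructed sample process-creation events (illustrative only, not from any real incident).
# Assumed format: "<ts> host=<hostname> user=<account> image=<binary> cmd=<full command line>"
SAMPLE_EVENTS = [
    '2024-12-01T02:14:07Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe list shadows',
    '2024-12-01T02:15:11Z host=FS01 user=CORP\\adm_jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    '2024-12-01T02:15:12Z host=FS01 user=CORP\\adm_jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet',
    '2024-12-01T02:16:40Z host=WS07 user=CORP\\adm_jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete',
    '2024-12-01T02:17:03Z host=WS07 user=CORP\\adm_jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    '2024-12-01T02:18:55Z host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt',
]

# Generic shadow copy tampering patterns (assumed for this example; tune to your own telemetry).
# Note that "vssadmin list shadows" is deliberately NOT matched: enumeration alone is common in backup jobs.
RULES = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi_shadowcopy_powershell",
     re.compile(r"Win32_ShadowCopy.*?(?:\.Delete\(|Remove-WmiObject|Remove-CimInstance)", re.I)),
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not fit the assumed format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_shadow_copy_tampering(lines):
    """Return one alert per event whose command line matches a shadow copy tampering rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed telemetry is skipped, not treated as a match
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"],
                               "user": ev["user"], "cmd": ev["cmd"]})
                break  # one alert per event; the first matching rule wins
    return alerts


def correlate_by_host(alerts, min_distinct_rules=2):
    """Escalate hosts where at least min_distinct_rules different tampering rules fired.

    Resize-then-delete, or a WMI deletion following a vssadmin one, is a stronger
    signal than any single command on its own.
    """
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect_shadow_copy_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmd"]}')
    print("escalate:", correlate_by_host(found))
```

Run against the constructed events, four of the six lines alert and both hosts are escalated; the `list shadows` call from the backup service account and the Notepad launch are ignored. In production, the same logic would be fed from Sysmon Event ID 1 or Windows Security 4688 command lines, and the correlation window would be bounded in time rather than by batch.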

Software

ID Name References Techniques
S0552 AdFind BlackByte used AdFind during operations.[3][4] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0099 Arp BlackByte used Arp to identify connected hosts in victim networks.[1] Remote System Discovery, System Network Configuration Discovery
S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomware is ransomware uniquely associated with BlackByte operations and is a replacement for BlackByte Ransomware.[4] Data Encrypted for Impact, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Inhibit System Recovery, Modify Registry, Network Share Discovery, Process Injection, Service Stop, System Services: Service Execution
S1180 BlackByte Ransomware BlackByte Ransomware is ransomware uniquely associated with BlackByte operations prior to 2023.[4][6] Command and Scripting Interpreter: JavaScript, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Execution Guardrails, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Impair Defenses: Downgrade Attack, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Lateral Tool Transfer, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Query Registry, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Information Discovery, System Location Discovery: System Language Discovery, Virtualization/Sandbox Evasion: System Checks
S0154 Cobalt Strike BlackByte has used Cobalt Strike as a post-exploitation tool.[2][4] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1179 Exbyte BlackByte used Exbyte for automated file collection and exfiltration.[3][4] Deobfuscate/Decode Files or Information, Execution Guardrails, Exfiltration Over Web Service, File and Directory Discovery, Indicator Removal: File Deletion, Native API, Permission Groups Discovery: Local Groups, Software Discovery: Security Software Discovery, Virtualization/Sandbox Evasion: System Checks
S0002 Mimikatz BlackByte has used Mimikatz for credential dumping during operations.[4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec BlackByte has used PsExec to remotely execute payloads during wormable ransomware execution.[4] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References