BlackByte Ransomware

BlackByte Ransomware is uniquely associated with BlackByte operations. It used a common encryption key across infections, which allowed a universal decryptor to be created.[1][2] By 2023 it had been replaced in BlackByte operations by BlackByte 2.0 Ransomware.[3][4]

ID: S1180
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 17 December 2024
Last Modified: 17 December 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

BlackByte Ransomware is distributed as a JavaScript launcher file.[1]

Enterprise T1486 Data Encrypted for Impact

BlackByte Ransomware is ransomware using a shared key across victims for encryption.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.[1]

Enterprise T1480 Execution Guardrails

BlackByte Ransomware creates a mutex with a hard-coded name and terminates if that mutex already exists on the victim system. It also checks the system language against a list of hard-coded values and terminates if a match is found.[1]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

BlackByte Ransomware uses the mountvol.exe command to mount volume names and then uses icacls.exe, the Windows Discretionary Access Control List tool, to grant the Everyone group full access to the root of the drive.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BlackByte Ransomware adds .JS and .EXE extensions to the Microsoft Defender exclusion list. BlackByte Ransomware terminates and removes the Raccine anti-ransomware utility.[1]

.010 Impair Defenses: Downgrade Attack

BlackByte Ransomware enables SMBv1 during execution.[1]

Enterprise T1490 Inhibit System Recovery

BlackByte Ransomware deletes all volume shadow copies and restore points among other actions to inhibit system recovery following ransomware deployment.[1]

Enterprise T1570 Lateral Tool Transfer

BlackByte Ransomware spreads itself laterally by writing the JavaScript launcher file to mapped shared folders.[1]

Enterprise T1112 Modify Registry

BlackByte Ransomware modifies the victim Registry to prevent system recovery.[1]

Enterprise T1106 Native API

BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep.[1]

Enterprise T1046 Network Service Discovery

BlackByte Ransomware identifies remote systems via Active Directory queries for hostnames prior to launching remote ransomware payloads.[1]

Enterprise T1135 Network Share Discovery

BlackByte Ransomware can identify network shares connected to the victim machine.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BlackByte Ransomware is distributed as an encrypted payload.[1]

Enterprise T1012 Query Registry

BlackByte Ransomware enumerates the Registry, specifically the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB.[1]
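Writing the launcher to shared folders (T1570, T1135 and T1021.002 above) produces Security event 5145 on each target host when the Audit Detailed File Share subcategory is enabled. The script below is an added example written for this page, not BlackByte code or an ATT&CK artifact. It takes constructed 5145-style records (field names follow the event's EventData layout; Computer is the logging host; the addresses, accounts, share names and file names are made up) and produces two signals: script files written through administrative shares, and one source writing the same script name to several hosts. The page says "mapped shared folders", so the administrative-share filter is an assumption about where the launcher lands; the fan-out check does not depend on it.

```python
from collections import defaultdict

# Access Mask bits in event 5145 use the file access rights values:
# 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory.
WRITE_BITS = 0x2 | 0x4
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1")
ADMIN_SHARES = {"C$", "D$", "ADMIN$"}   # assumption: shares the launcher is written through


def share_name(rec):
    r"""'\\*\C$' -> 'C$' (ShareName is logged as \\*\share)."""
    return rec["ShareName"].rsplit("\\", 1)[-1].upper()


def file_name(rec):
    """Last path component of RelativeTargetName, lower-cased."""
    return rec["RelativeTargetName"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_write(rec):
    """True when the requested access includes a write bit and the target has a
    script extension. AccessMask is the hex string exactly as logged."""
    mask = int(rec["AccessMask"], 16)
    return bool(mask & WRITE_BITS) and file_name(rec).endswith(SCRIPT_EXT)


def admin_share_script_writes(records):
    """Low-confidence signal: any script written through an administrative share.
    Returns (logging host, source address, account, share, relative path)."""
    return [(r["Computer"], r["IpAddress"], r["SubjectUserName"], share_name(r),
             r["RelativeTargetName"])
            for r in records if is_script_write(r) and share_name(r) in ADMIN_SHARES]


def fan_out(records, min_hosts=3):
    """Higher-confidence signal: one (source address, account, script name)
    written to at least min_hosts distinct hosts, on any share."""
    spread = defaultdict(set)
    for r in records:
        if is_script_write(r):
            spread[(r["IpAddress"], r["SubjectUserName"], file_name(r))].add(r["Computer"])
    return {k: sorted(v) for k, v in spread.items() if len(v) >= min_hosts}


def _rec(computer, ip, user, share, target, mask):
    return {"Computer": computer, "IpAddress": ip, "SubjectUserName": user,
            "ShareName": share, "RelativeTargetName": target, "AccessMask": mask}


# Constructed sample: one source pushing launcher.js to four hosts over C$,
# plus ordinary traffic that must not fire.
SAMPLE_5145 = [
    _rec(h, "10.20.30.40", "svc-deploy", r"\\*\C$", r"Users\Public\launcher.js", "0x2")
    for h in ("FS-01", "WS-0101", "FS-02", "WS-0102")
] + [
    _rec("FS-01", "10.20.30.5", "jdoe", r"\\*\Finance", r"Q4\report.docx", "0x2"),          # document write
    _rec("FS-01", "10.20.30.5", "jdoe", r"\\*\C$", r"Users\Public\launcher.js", "0x120089"),  # read-only access
    _rec("WS-0150", "10.20.30.7", "ops-admin", r"\\*\ADMIN$", r"Temp\fix.ps1", "0x2"),       # single-host admin push
]

if __name__ == "__main__":
    for hit in admin_share_script_writes(SAMPLE_5145):
        print("script write via admin share:", hit)
    for (ip, user, name), hosts in fan_out(SAMPLE_5145).items():
        print(f"{ip} as {user} wrote {name} to {len(hosts)} hosts: {hosts}")
```

The fan-out query is the one to alert on: a single administrator pushing one script to one host through ADMIN$ shows up in the first list and is usually legitimate, while one account writing the same script name to several hosts within a short window is the spread pattern described above and is rarely routine.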

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BlackByte Ransomware creates a scheduled task to execute remotely deployed ransomware payloads.[1]
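The command-line rules below are an added example written for this page, not BlackByte code or an ATT&CK artifact. They hunt process-creation telemetry for the pre-encryption chain described under T1222.001, T1562.001, T1562.010, T1490 and T1053.005 above: icacls granting Everyone full control on a drive root, mountvol assigning a drive letter, Defender extension exclusions, Raccine removal, SMBv1 enablement, shadow copy deletion and remote scheduled task creation. The sample events are constructed; their command lines are representative ways of producing the effects the page describes (Add-MpPreference, reg add on the Defender Exclusions and LanmanServer\Parameters keys, vssadmin, schtasks /s), not observed BlackByte artifacts, and the host names and volume GUID are made up. The IFEO rule rests on the fact that Raccine registers its hooks as Image File Execution Options debugger entries, which is also the key this page lists under T1012.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields loosely follow Security event 4688)."""
    host: str      # endpoint that logged the event
    parent: str    # parent image, e.g. wscript.exe for a .js launcher
    image: str     # new process image
    cmdline: str   # full command line


# (technique, description, case-insensitive pattern over the command line).
# Raw strings: each "\\" in a pattern is one literal backslash.
RULES = [
    ("T1222.001", "icacls grants Everyone full control on a drive root",
     r'icacls(?:\.exe)?\s+"?[a-z]:\\?"?\s.*?/grant(?::r)?\s+"?everyone"?:(?:\([a-z]{2}\))*\(?f\)?'),
    ("T1222.001", "mountvol assigns a drive letter to a volume name",
     r"mountvol(?:\.exe)?\s+[a-z]:\\?\s+\\\\\?\\volume\{"),
    ("T1562.001", "Defender exclusion added for a file extension",
     r"add-mppreference\s.*?-exclusionextension|windows defender\\exclusions\\extensions"),
    ("T1562.001", "Raccine anti-ransomware utility terminated or removed",
     r"\braccine"),
    ("T1562.001", "IFEO entry deleted (where Raccine registers its debugger hooks)",
     r"reg(?:\.exe)?\s+delete\s.*image file execution options"),
    ("T1562.010", "SMBv1 enabled",
     r"enablesmb1protocol\s+\$true|lanmanserver\\parameters.*\bsmb1\b.*?/d\s+1\b"),
    ("T1490", "volume shadow copies deleted",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*?\.delete\("),
    ("T1053.005", "schtasks creates a task on a remote host (/s)",
     r"schtasks(?:\.exe)?\s+/create\s.*?/s\s+\S+"),
]
COMPILED = [(t, d, re.compile(p, re.I)) for t, d, p in RULES]


def hunt(events):
    """Return one (host, technique, description, cmdline) tuple per rule hit."""
    hits = []
    for ev in events:
        for tech, desc, rx in COMPILED:
            if rx.search(ev.cmdline):
                hits.append((ev.host, tech, desc, ev.cmdline))
    return hits


def hosts_with_chain(events, min_techniques=3):
    """Hosts showing at least min_techniques distinct techniques from RULES.
    One icacls or vssadmin call is often administration; several of these
    behaviours on one host in one window is the pre-encryption pattern."""
    per_host = defaultdict(set)
    for host, tech, _desc, _cmd in hunt(events):
        per_host[host].add(tech)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


# Constructed sample telemetry: one host running the chain, two hosts with
# ordinary administration that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0417", "wscript.exe", "cmd.exe",
                 "mountvol D: \\\\?\\Volume{6f2ec6b3-1c2d-4e5f-9a8b-0c1d2e3f4a5b}\\"),
    ProcessEvent("WS-0417", "wscript.exe", "icacls.exe",
                 r"icacls C:\ /grant Everyone:F /T /C /Q"),
    ProcessEvent("WS-0417", "wscript.exe", "powershell.exe",
                 'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionExtension ".js",".exe"'),
    ProcessEvent("WS-0417", "wscript.exe", "taskkill.exe", "taskkill /F /IM Raccine.exe"),
    ProcessEvent("WS-0417", "wscript.exe", "reg.exe",
                 r'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe" /f'),
    ProcessEvent("WS-0417", "wscript.exe", "reg.exe",
                 r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 1 /f"),
    ProcessEvent("WS-0417", "wscript.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS-0417", "wscript.exe", "schtasks.exe",
                 r'schtasks /create /s FS-02 /tn "WinUpdateSync" /tr "wscript.exe \\FS-02\share$\launcher.js" /sc once /st 00:00 /ru SYSTEM /f'),
    ProcessEvent("FS-02", "explorer.exe", "icacls.exe",
                 r"icacls C:\Shares\Finance /grant CORP\Finance:(OI)(CI)M /T"),
    ProcessEvent("FS-02", "cmd.exe", "vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent("ADMIN-01", "cmd.exe", "schtasks.exe",
                 r'schtasks /create /tn "Nightly" /tr C:\Tools\backup.cmd /sc daily /st 02:00'),
]

if __name__ == "__main__":
    for host, tech, desc, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:9} {tech:10} {desc}: {cmd}")
    print("hosts showing the chain:", hosts_with_chain(SAMPLE_EVENTS))
```

Run against real 4688 or Sysmon event 1 data, the individual hits are triage material and hosts_with_chain is the alert: the benign icacls on a subfolder and the local schtasks /create in the sample do not match because the rules insist on a drive root and on the /s remote-host switch respectively, and the threshold keeps a lone vssadmin cleanup from paging anyone.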

Enterprise T1518 .001 Software Discovery: Security Software Discovery

BlackByte Ransomware looks for security software products prior to full execution.[1]

Enterprise T1082 System Information Discovery

BlackByte Ransomware gathers victim system information to generate a unique victim identifier.[1]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

BlackByte Ransomware identifies the language on the victim system.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

BlackByte Ransomware checks for files related to known sandboxes.[1]

Groups That Use This Software

ID Name References
G1043 BlackByte

BlackByte Ransomware is ransomware uniquely associated with BlackByte operations prior to 2023.[3][1]

References