
G1043 BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[5][1][4][3][2]

Item Value
ID G1043
Associated Names Hecamede
Version 1.0
Created 16 December 2024
Last Modified 09 March 2025

Associated Group Descriptions

Name Description
Hecamede [4]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.003 Make and Impersonate Token BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.[3]
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account BlackByte has used tools such as AdFind to identify and enumerate domain accounts.[3]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.003 Virtual Private Server BlackByte staged encryption keys on virtual private servers operated by the adversary.[5]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BlackByte collected victim device information then transmitted this via HTTP POST to command and control infrastructure.[3]
enterprise T1560 Archive Collected Data BlackByte compressed data collected from victim environments prior to exfiltration.[1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder BlackByte has used Registry Run keys for persistence.[3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell BlackByte used encoded PowerShell commands during operations.[5] BlackByte has used remote PowerShell commands in victim networks.[3]
enterprise T1059.003 Windows Command Shell BlackByte executed ransomware using the Windows command shell.[5]
enterprise T1136 Create Account -
enterprise T1136.002 Domain Account BlackByte created privileged domain accounts during intrusions.[2]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service BlackByte modified multiple services on victim machines to enable encryption operations.[4] BlackByte has installed tools such as AnyDesk as a service on victim machines.[3]
enterprise T1486 Data Encrypted for Impact BlackByte has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption, but later versions use unique keys per victim.[5][1][4][3][2]
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement BlackByte left ransom notes in all directories where encryption takes place.[5]
enterprise T1140 Deobfuscate/Decode Files or Information BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.[5] BlackByte uses PowerShell commands to disable Windows Defender.[1]
enterprise T1482 Domain Trust Discovery BlackByte enumerated Active Directory information and trust relationships during operations.[5][3]
enterprise T1480 Execution Guardrails BlackByte stopped execution if the identified language settings on victim machines were Russian or one of several languages associated with former Soviet republics.[1] BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute.[2]
enterprise T1041 Exfiltration Over C2 Channel BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.[3]
enterprise T1567 Exfiltration Over Web Service BlackByte has used services such as anonymfiles.com and file.io to exfiltrate victim data.[1]
enterprise T1190 Exploit Public-Facing Application BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments.[5][1][4][3]
enterprise T1068 Exploitation for Privilege Escalation BlackByte has exploited CVE-2024-37085 in VMware ESXi software for authentication bypass and subsequent privilege escalation.[2]
enterprise T1562 Impair Defenses BlackByte removed Kernel Notify Routines to bypass endpoint detection and response (EDR) products.[4]
enterprise T1562.001 Disable or Modify Tools BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.[5][1][2]
enterprise T1562.004 Disable or Modify System Firewall BlackByte modified firewall rules on victim machines to enable remote system discovery.[1][4]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion BlackByte deleted ransomware executables post-encryption.[1][4][3][2]
enterprise T1105 Ingress Tool Transfer BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.[3]
enterprise T1490 Inhibit System Recovery BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.[1][4]
enterprise T1570 Lateral Tool Transfer BlackByte transferred tools such as Cobalt Strike and the AnyDesk remote access tool during operations using SMB shares.[1]
enterprise T1036 Masquerading -
enterprise T1036.008 Masquerade File Type BlackByte masqueraded configuration files containing encryption keys as PNG files.[5]
enterprise T1112 Modify Registry BlackByte performed Registry modifications to escalate privileges and disable security tools.[1][2]
enterprise T1046 Network Service Discovery BlackByte has used tools such as NetScan to enumerate network services in victim environments.[3]
enterprise T1135 Network Share Discovery BlackByte enumerated network shares on victim devices.[2]
enterprise T1003 OS Credential Dumping BlackByte used tools such as Cobalt Strike and Mimikatz to dump credentials from victim systems.[1][3]
enterprise T1055 Process Injection BlackByte has injected Cobalt Strike into wuauclt.exe during intrusions.[1] BlackByte has injected ransomware into svchost.exe before encryption.[4]
enterprise T1055.012 Process Hollowing BlackByte used process hollowing for defense evasion purposes.[3]
enterprise T1012 Query Registry BlackByte queried registry values to determine system language settings.[1]
enterprise T1219 Remote Access Tools BlackByte has used tools such as AnyDesk in victim environments.[1][3]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol BlackByte has used RDP to access other hosts within victim networks.[3][2]
enterprise T1021.002 SMB/Windows Admin Shares BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[1][3][2]
enterprise T1018 Remote System Discovery BlackByte used tools such as Arp to identify remotely connected devices.[5][1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task BlackByte created scheduled tasks for payload execution.[5][1]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.[1][3]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery BlackByte enumerated installed security products during operations.[3]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.[3]
enterprise T1082 System Information Discovery BlackByte used various system commands and tools to pull system information during operations.[5][4][3]
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery BlackByte identified system language settings to determine follow-on execution.[1]
enterprise T1016 System Network Configuration Discovery BlackByte used tools such as Arp to pull system network information and identify connected devices.[5][3]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution BlackByte created malicious services for ransomware execution.[4][2]
enterprise T1078 Valid Accounts BlackByte has gained access to victim environments through legitimate VPN credentials.[2]
enterprise T1078.002 Domain Accounts BlackByte captured credentials for or impersonated domain administration users.[3][2]
enterprise T1047 Windows Management Instrumentation BlackByte used WMI to delete Volume Shadow Copies on victim machines.[5]

Software

ID Name References Techniques
S0552 AdFind BlackByte used AdFind during operations.[4][3] Domain Account: Account Discovery; Domain Trust Discovery; Domain Groups: Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S0099 Arp BlackByte used Arp to identify connected hosts in victim networks.[5] Remote System Discovery; System Network Configuration Discovery
S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomware is ransomware uniquely associated with BlackByte operations and is a replacement for BlackByte Ransomware.[3] Data Encrypted for Impact; Exploitation for Privilege Escalation; Disable or Modify System Firewall: Impair Defenses; Timestomp: Indicator Removal; File Deletion: Indicator Removal; Inhibit System Recovery; Modify Registry; Network Share Discovery; Process Injection; Service Stop; Service Execution: System Services
S1180 BlackByte Ransomware BlackByte Ransomware is ransomware uniquely associated with BlackByte operations prior to 2023.[3][6] JavaScript: Command and Scripting Interpreter; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; Execution Guardrails; Windows File and Directory Permissions Modification: File and Directory Permissions Modification; Downgrade Attack: Impair Defenses; Disable or Modify Tools: Impair Defenses; Inhibit System Recovery; Lateral Tool Transfer; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Encrypted/Encoded File: Obfuscated Files or Information; Query Registry; SMB/Windows Admin Shares: Remote Services; Scheduled Task: Scheduled Task/Job; Security Software Discovery: Software Discovery; System Information Discovery; System Language Discovery: System Location Discovery; System Checks: Virtualization/Sandbox Evasion
S0154 Cobalt Strike BlackByte has used Cobalt Strike as a post-exploitation tool.[1][3] Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Bypass User Account Control: Abuse Elevation Control Mechanism; Parent PID Spoofing: Access Token Manipulation; Token Impersonation/Theft: Access Token Manipulation; Make and Impersonate Token: Access Token Manipulation; Domain Account: Account Discovery; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; File Transfer Protocols: Application Layer Protocol; BITS Jobs; Browser Session Hijacking; JavaScript: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Python: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol or Service Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography: Encrypted Channel; Symmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection: Process Injection; Process Hollowing: Process Injection; Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Remote Desktop Protocol: Remote Services; SSH: Remote Services; Windows Remote Management: Remote Services; SMB/Windows Admin Shares: Remote Services; Distributed Component Object Model: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation
S1179 Exbyte BlackByte used Exbyte for automated file collection and exfiltration.[4][3] Deobfuscate/Decode Files or Information; Execution Guardrails; Exfiltration Over Web Service; File and Directory Discovery; File Deletion: Indicator Removal; Native API; Local Groups: Permission Groups Discovery; Security Software Discovery: Software Discovery; System Checks: Virtualization/Sandbox Evasion
S0002 Mimikatz BlackByte has used Mimikatz for credential dumping during operations.[3] SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket: Steal or Forge Kerberos Tickets; Silver Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Pass the Ticket: Use Alternate Authentication Material
S0029 PsExec BlackByte has used PsExec to remotely execute payloads during wormable ransomware execution.[3] Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services

References