S1180 BlackByte Ransomware
BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a common key for infections, allowing for the creation of a universal decryptor.[3][4] BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023.[2][1]
| Item | Value |
|---|---|
| ID | S1180 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 December 2024 |
| Last Modified | 17 December 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | BlackByte Ransomware is distributed as a JavaScript launcher file.[3] |
| enterprise | T1486 | Data Encrypted for Impact | BlackByte Ransomware is ransomware using a shared key across victims for encryption.[3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.[3] |
| enterprise | T1480 | Execution Guardrails | BlackByte Ransomware creates a mutex value with a hard-coded name, and terminates if that mutex already exists on the victim system. BlackByte Ransomware checks the system language to see if it matches one of a list of hard-coded values; if a match is found, the malware will terminate.[3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | BlackByte Ransomware uses the mountvol.exe command to mount volume names and leverages the Microsoft Discretionary Access Control List tool, icacls.exe, to grant the “Everyone” group full access to the root of the drive.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | BlackByte Ransomware adds .JS and .EXE extensions to the Microsoft Defender exclusion list. BlackByte Ransomware terminates and removes the Raccine anti-ransomware utility.[3] |
| enterprise | T1562.010 | Downgrade Attack | BlackByte Ransomware enables SMBv1 during execution.[3] |
| enterprise | T1490 | Inhibit System Recovery | BlackByte Ransomware deletes all volume shadow copies and restore points, among other actions, to inhibit system recovery following ransomware deployment.[3] |
| enterprise | T1570 | Lateral Tool Transfer | BlackByte Ransomware spreads itself laterally by writing the JavaScript launcher file to mapped shared folders.[3] |
| enterprise | T1112 | Modify Registry | BlackByte Ransomware modifies the victim Registry to prevent system recovery.[3] |
| enterprise | T1106 | Native API | BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep.[3] |
| enterprise | T1046 | Network Service Discovery | BlackByte Ransomware identifies remote systems via Active Directory queries for hostnames prior to launching remote ransomware payloads.[3] |
| enterprise | T1135 | Network Share Discovery | BlackByte Ransomware can identify network shares connected to the victim machine.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | BlackByte Ransomware is distributed as an encrypted payload.[3] |
| enterprise | T1012 | Query Registry | BlackByte Ransomware enumerates the Registry, specifically the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key.[3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB.[3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | BlackByte Ransomware creates a scheduled task to execute remotely deployed ransomware payloads.[3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | BlackByte Ransomware looks for security software products prior to full execution.[3] |
| enterprise | T1082 | System Information Discovery | BlackByte Ransomware gathers victim system information to generate a unique victim identifier.[3] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | BlackByte Ransomware identifies the language on the victim system.[3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | BlackByte Ransomware checks for files related to known sandboxes.[3] |
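As an added detection example (not part of the ATT&CK entry or any vendor's code), the following Python scans constructed process-creation records for the T1222.001, T1562.001, T1490 and T1562.010 behaviours listed above and flags hosts where several of them co-occur. The exact command lines are assumptions: the entry names each behaviour but not the command BlackByte uses to perform it.

```python
import re
from collections import defaultdict

# Constructed process-creation records (not real telemetry). The command-line
# forms for the Defender exclusion, shadow-copy deletion and SMBv1 enablement
# are assumptions: the entry names the behaviour, not the exact command.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": 'icacls.exe "D:\\*" /grant Everyone:F /T /C /Q'},
    {"host": "ws01", "cmdline": "powershell.exe Add-MpPreference -ExclusionExtension .js,.exe"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "powershell.exe Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"},
    {"host": "ws02", "cmdline": 'icacls.exe "C:\\Users\\alice\\Documents" /grant alice:M'},  # benign
    {"host": "ws03", "cmdline": "vssadmin.exe list shadows"},  # benign
]

# (technique ID from the table above, description, pattern over the command line)
RULES = [
    ("T1222.001", "icacls grants Everyone full control",
     re.compile(r"\bicacls(?:\.exe)?\b.*?/grant\b.*?\beveryone\S*:\S*F", re.I)),
    ("T1562.001", "Defender exclusion added for .js or .exe",
     re.compile(r"\bAdd-MpPreference\b.*?-ExclusionExtension\b.*?\.(?:js|exe)\b", re.I)),
    ("T1490", "volume shadow copies deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b", re.I)),
    ("T1562.010", "SMBv1 enabled",
     re.compile(r"\bSet-SmbServerConfiguration\b.*?-EnableSMB1Protocol\s+\$?true\b", re.I)),
]

def match_events(events):
    """Return one (host, technique_id, description) tuple per rule hit."""
    hits = []
    for ev in events:
        for tid, desc, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.append((ev["host"], tid, desc))
    return hits

def techniques_by_host(events):
    """Distinct technique IDs observed on each host."""
    seen = defaultdict(set)
    for host, tid, _ in match_events(events):
        seen[host].add(tid)
    return dict(seen)

def suspicious_hosts(events, min_techniques=2):
    """Hosts where several of these behaviours co-occur. A lone icacls or
    vssadmin call is often administration; the combination rarely is."""
    return sorted(h for h, t in techniques_by_host(events).items()
                  if len(t) >= min_techniques)
```

Running `suspicious_hosts(SAMPLE_EVENTS)` returns only `ws01`; the benign icacls and `vssadmin list` records on the other hosts match no rule.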
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1043 | BlackByte | BlackByte Ransomware is ransomware uniquely associated with BlackByte operations prior to 2023.[2][3] |
References
1. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
2. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
3. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
4. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.