S1181 BlackByte 2.0 Ransomware
BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, BlackByte 2.0 Ransomware does not have a common key for victim decryption. BlackByte 2.0 Ransomware remains uniquely associated with BlackByte operations.[1]
| Item | Value |
|---|---|
| ID | S1181 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 December 2024 |
| Last Modified | 09 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | BlackByte 2.0 Ransomware is a ransomware variant associated with BlackByte operations.[1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | BlackByte 2.0 Ransomware exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | BlackByte 2.0 Ransomware modifies the Windows firewall during execution.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | BlackByte 2.0 Ransomware deletes itself following device encryption.[1] |
| enterprise | T1070.006 | Timestomp | BlackByte 2.0 Ransomware can timestomp files for defense evasion and anti-forensics purposes.[1] |
| enterprise | T1490 | Inhibit System Recovery | BlackByte 2.0 Ransomware modifies volume shadow copies during execution in a way that destroys them on the victim machine.[1] |
| enterprise | T1112 | Modify Registry | BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution.[1] |
| enterprise | T1135 | Network Share Discovery | BlackByte 2.0 Ransomware can identify network shares connected to the victim machine.[1] |
| enterprise | T1055 | Process Injection | BlackByte 2.0 Ransomware injects into a newly created svchost.exe process prior to device encryption.[1] |
| enterprise | T1489 | Service Stop | BlackByte 2.0 Ransomware can terminate running services.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | BlackByte 2.0 Ransomware executes as a service when deployed.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1043 | BlackByte | BlackByte 2.0 Ransomware is ransomware uniquely associated with BlackByte operations and is a replacement for BlackByte Ransomware.[1] |