Skip to content

T1490 Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.42 This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.42 Furthermore, adversaries may disable recovery notifications, then corrupt backups.9

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
  • diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all 5 6

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support Data Encrypted for Impact, preventing them from being leveraged as backups (e.g., via vim-cmd vmsvc/snapshot.removeall).3

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.8 In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.17

Item Value
ID T1490
Sub-techniques
Tactics TA0040
Platforms Containers, ESXi, IaaS, Linux, Network Devices, Windows, macOS
Version 1.6
Created 02 April 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1129 Akira Akira will delete system volume shadow copies via PowerShell commands.6766
S0640 Avaddon Avaddon deletes backups and shadow copies using native system tools.4647
S0638 Babuk Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.5657
S1136 BFG Agonizer BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.69
S0570 BitPaymer BitPaymer attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet.58
S1070 Black Basta Black Basta can delete shadow copies using vssadmin.exe.22161814192117202015
G1043 BlackByte BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.100101
S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomware modifies volume shadow copies during execution in a way that destroys them on the victim machine.45
S1180 BlackByte Ransomware BlackByte Ransomware deletes all volume shadow copies and restore points among other actions to inhibit system recovery following ransomware deployment.59
S1068 BlackCat BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.95
S0611 Clop Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.68
S0608 Conficker Conficker resets system restore points and deletes backup files.72
S0575 Conti Conti can delete Windows Volume Shadow Copies using vssadmin.65
S1111 DarkGate DarkGate can delete system restore points through the command cmd.exe /c vssadmin delete shadows /for=c: /all /quiet”.49
S0673 DarkWatchman DarkWatchman can delete shadow volumes using vssadmin.exe.32
S0616 DEATHRANSOM DEATHRANSOM can delete volume shadow copies on compromised hosts.41
S0659 Diavol Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.84
S0605 EKANS EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.3738
S1247 Embargo Embargo has cleared files from the recycle bin by invoking SHEmptyRecycleBinW() and disabled Windows recovery through C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no.55
S0618 FIVEHANDS FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.4164
S0132 H1N1 H1N1 disable recovery options and deletes shadow copies from the victim.29
S0617 HELLOKITTY HELLOKITTY can delete volume shadow copies on compromised hosts.41
S0697 HermeticWiper HermeticWiper can disable the VSS service on a compromised host using the service control manager.525150
S1139 INC Ransomware INC Ransomware can delete volume shadow copy backups from victim machines.39
S0260 InvisiMole InvisiMole can can remove all system restore points.24
S0389 JCry JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.91
S1199 LockBit 2.0 LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts.9796
S1202 LockBit 3.0 LockBit 3.0 can delete volume shadow copies.888990
S0449 Maze Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.8283
G1051 Medusa Group Medusa Group has deleted recovery files such as shadow copies using vssadmin.exe.33343536
S1244 Medusa Ransomware Medusa Ransomware has deleted recovery files such as shadow copies using vssadmin.exe.33343536
S0576 MegaCortex MegaCortex has deleted volume shadow copies using vssadmin.exe.40
S0688 Meteor Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete.70
S1135 MultiLayer Wiper MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery.69
S0457 Netwalker Netwalker can delete the infected system’s Shadow Volumes to prevent recovery.6061
S0365 Olympic Destroyer Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.4
S1162 Playcrypt Playcrypt can use AlphaVSS to delete shadow copies.25
S1058 Prestige Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.48
S0654 ProLock ProLock can use vssadmin.exe to remove volume shadow copies.94
S0583 Pysa Pysa has the functionality to delete shadow copies.71
S1242 Qilin Qilin can execute vssadmin.exe delete shadows /all /quiet to remove volume shadow copies.878685
S0481 Ragnar Locker Ragnar Locker can delete volume shadow copies using vssadmin delete shadows /all /quiet.23
S1212 RansomHub RansomHub has used vssadmin.exe to delete volume shadow copies.6362
S0496 REvil REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.777580737876797481
S1150 ROADSWEEP ROADSWEEP has the ability to disable SystemRestore and Volume Shadow Copies.9392
S0400 RobbinHood RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.30
S1073 Royal Royal can delete shadow copy backups with vssadmin.exe using the command delete shadows /all /quiet.434442
S0446 Ryuk Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.31
G0034 Sandworm Team Sandworm Team uses Prestige to delete the backup catalog from the target system using: C:\Windows\System32\wbadmin.exe delete catalog -quiet and to delete volume shadow copies using: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet. 48
G1015 Scattered Spider Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts.102
G1053 Storm-0501 Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration.98 Storm-0501 has also impacted Azure resources through the targeting of Microsoft.Compute/snapshots/delete,
Microsoft.Compute/restorePointCollections/delete,
Microsoft.Storage/storageAccounts/delete, and
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete.98
S0366 WannaCry WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.54253
S0612 WastedLocker WastedLocker can delete shadow volumes.262728
G0102 Wizard Spider Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.99

Mitigations

ID Mitigation Description
M1053 Data Backup Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.13 Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies.11 On ESXi servers, ensure that disk images and snapshots of virtual machines are regularly taken, with copies stored off system.12
M1038 Execution Prevention Consider using application control configured to block execution of utilities such as diskshadow.exe that may not be required for a given system or network to prevent potential misuse by adversaries.
M1028 Operating System Configuration Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.10
M1018 User Account Management Limit the user accounts that have access to backups to only those required. In AWS environments, consider using Service Control Policies to restrict API calls to delete backups, snapshots, and images.

References

  1. Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023. 

  2. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  3. Cybereason Nocturnus. (n.d.). Cybereason vs. BlackCat Ransomware. Retrieved March 26, 2025. 

  4. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. 

  5. Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023. 

  6. Romain Dumont . (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023. 

  7. Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023. 

  8. Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023. 

  9. TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024. 

  10. Microsoft, EliotSeattle, et al. (2022, August 18). REAgentC command-line options. Retrieved October 19, 2022. 

  11. Jay Chen. (2022, May 16). A Look Into Public Clouds From the Ransomware Actor’s Perspective. Retrieved March 21, 2023. 

  12. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025. 

  13. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019. 

  14. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023. 

  15. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 

  16. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. 

  17. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023. 

  18. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023. 

  19. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  20. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023. 

  21. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  22. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  23. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  24. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  25. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  26. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  27. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  28. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021. 

  29. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024. 

  30. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. 

  31. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  32. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  33. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025. 

  34. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025. 

  35. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025. 

  36. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  37. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. 

  38. Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021. 

  39. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. 

  40. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  41. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  42. CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023. 

  43. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  44. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023. 

  45. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  46. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021. 

  47. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  48. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  49. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  50. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  51. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  52. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  53. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. 

  54. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024. 

  55. Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025. 

  56. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  57. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  58. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  59. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  60. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. 

  61. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  62. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  63. CISA et al. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved March 17, 2025. 

  64. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  65. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  66. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024. 

  67. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024. 

  68. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  69. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. 

  70. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  71. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  72. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  73. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  74. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  75. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  76. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  77. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. 

  78. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  79. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  80. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  81. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024. 

  82. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  83. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  84. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  85. Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025. 

  86. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025. 

  87. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025. 

  88. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025. 

  89. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  90. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025. 

  91. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  92. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. 

  93. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  94. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. 

  95. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  96. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025. 

  97. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  98. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025. 

  99. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  100. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024. 

  101. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024. 

  102. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.