Introduction
BlackByte is a ransomware threat actor operating since at least 2021 and is associated with several versions of ransomware also labeled BlackByte Ransomware. Early BlackByte ransomware operations used a common encryption key, which allowed a universal decryptor to be developed; subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities, among other targets, across North America. [7][3][6][5][4]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1082 System Information Discovery
- T1016 System Network Configuration Discovery
- T1046 Network Service Discovery
- T1105 Ingress Tool Transfer
- T1482 Domain Trust Discovery
- T1686 Disable or Modify System Firewall
- T1036.008 Masquerade File Type
- T1053.005 Scheduled Task
- T1134.003 Make and Impersonate Token
- T1070.004 File Deletion
- T1543.003 Windows Service
- T1021.001 Remote Desktop Protocol
- T1685 Disable or Modify Tools
- T1614.001 System Language Discovery
- T1560 Archive Collected Data
- T1059.003 Windows Command Shell
- T1136.002 Domain Account
- T1112 Modify Registry
- T1055.012 Process Hollowing
- T1491.001 Internal Defacement
- T1071.001 Web Protocols
- T1087.002 Domain Account
- T1570 Lateral Tool Transfer
- T1583.003 Virtual Private Server
- T1190 Exploit Public-Facing Application
- T1608.001 Upload Malware
- T1490 Inhibit System Recovery
- T1012 Query Registry
- T1059.001 PowerShell
- T1041 Exfiltration Over C2 Channel
- T1003 OS Credential Dumping
- T1569.002 Service Execution
- T1135 Network Share Discovery
- T1140 Deobfuscate/Decode Files or Information
- T1068 Exploitation for Privilege Escalation
- T1505.003 Web Shell
- T1078 Valid Accounts
- T1567 Exfiltration Over Web Service
- T1055 Process Injection
- T1021.002 SMB/Windows Admin Shares
- T1078.002 Domain Accounts
- T1547.001 Registry Run Keys / Startup Folder
- T1480 Execution Guardrails
- T1486 Data Encrypted for Impact
- T1518.001 Security Software Discovery
- T1219 Remote Access Tools
- T1047 Windows Management Instrumentation
- T1018 Remote System Discovery
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Virtualization | VMware | ESXi | CVE-2024-37085 |
ATT&CK technique IDs (denormalized)
- T1003
- T1012
- T1016
- T1018
- T1021.001
- T1021.002
- T1036.008
- T1041
- T1046
- T1047
- T1053.005
- T1055
- T1055.012
- T1059.001
- T1059.003
- T1068
- T1070.004
- T1071.001
- T1078
- T1078.002
- T1082
- T1087.002
- T1105
- T1112
- T1134.003
- T1135
- T1136.002
- T1140
- T1190
- T1219
- T1480
- T1482
- T1486
- T1490
- T1491.001
- T1505.003
- T1518.001
- T1543.003
- T1547.001
- T1560
- T1567
- T1569.002
- T1570
- T1583.003
- T1608.001
- T1614.001
- T1685
- T1686
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing. The malware and tools attributable to this actor through the cited reporting are listed under MITRE ATT&CK Software and the Ransomware Tool Matrix observations below.
MITRE ATT&CK Software
- AdFind (S0552) — tool
- BlackByte Ransomware (S1180) — malware
- Exbyte (S1179) — malware
- Arp (S0099) — tool
- BlackByte 2.0 Ransomware (S1181) — malware
- PsExec (S0029) — tool
- Cobalt Strike (S0154) — malware
- Mimikatz (S0002) — tool
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Defense Evasion | Dell Client driver (BYOVD), GIGABYTE Motherboard driver (BYOVD), MSI Afterburner driver (BYOVD), Zemana Anti-Rootkit driver (BYOVD) |
| Discovery | PowerView, SoftPerfect NetScan |
| OffSec | Cobalt Strike, PowerShell Empire |
| RMM Tools | AnyDesk |
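The Defense Evasion row above lists four legitimately signed but exploitable drivers, which is what makes bring-your-own-vulnerable-driver (BYOVD) hard to catch with a signature check alone: the driver loads with a valid signature, then hands the attacker kernel access to kill EDR processes. The following is an added example, not code from this page or from any of the cited reports, that runs a simple hunt over Sysmon Event ID 6 (DriverLoad) records: it matches the loaded image against a watchlist, flags loads from directories other than the Windows driver stores, and flags any signature status other than Valid. The driver file names in the watchlist are not on this page; they are an assumption taken from public reporting on this actor's EDR-bypass tooling and should be checked against current intel. The sample events and their hashes are constructed.

```python
"""Hunt for BYOVD driver loads in Sysmon Event ID 6 (DriverLoad) records."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# ASSUMPTION (not on this page): file names of the vulnerable drivers behind
# the vendors named in the table, taken from public reporting on BlackByte's
# EDR bypass. Validate against your own intel before deploying.
BYOVD_WATCHLIST: dict[str, str] = {
    "rtcore64.sys": "MSI Afterburner driver",
    "dbutil_2_3.sys": "Dell Client driver",
    "gdrv.sys": "GIGABYTE Motherboard driver",
    "zamguard64.sys": "Zemana Anti-Rootkit driver",
    "zam64.sys": "Zemana Anti-Rootkit driver",
}

# Where an installed kernel driver is normally loaded from.
DRIVERS_DIR = r"c:\windows\system32\drivers"
DRIVERSTORE_PREFIX = r"c:\windows\system32\driverstore"

# Constructed sample Sysmon Event ID 6 records rendered as "key=value|key=value".
# Hashes are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
UtcTime=2024-08-01 10:02:11.001|ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Hashes=SHA256=000...001|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
UtcTime=2024-08-01 10:14:53.420|ImageLoaded=C:\Windows\System32\drivers\RTCore64.sys|Hashes=SHA256=000...002|Signed=true|Signature=Micro-Star International Co., Ltd.|SignatureStatus=Valid
UtcTime=2024-08-01 10:15:07.118|ImageLoaded=C:\ProgramData\svc\zamguard64.sys|Hashes=SHA256=000...003|Signed=true|Signature=Zemana Ltd.|SignatureStatus=Valid
UtcTime=2024-08-01 10:16:40.002|ImageLoaded=C:\Users\Public\Temp\hlpr.sys|Hashes=SHA256=000...004|Signed=false|Signature=-|SignatureStatus=Unavailable
"""


@dataclass
class Finding:
    utc_time: str
    image: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Split one 'k=v|k=v' record into a dict.

    Values may themselves contain '=' (Hashes=SHA256=...), so each field is
    split on its first '=' only.
    """
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess_driver_load(event: dict[str, str]) -> Finding | None:
    """Return a Finding if the driver load looks suspicious, else None."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    reasons: list[str] = []

    # 1. Known-vulnerable driver: catches BYOVD even when the signature is valid.
    if name in BYOVD_WATCHLIST:
        reasons.append(f"known-vulnerable driver ({BYOVD_WATCHLIST[name]})")

    # 2. Dropped outside the driver stores (ProgramData, Temp, user profiles).
    if directory != DRIVERS_DIR and not directory.startswith(DRIVERSTORE_PREFIX):
        reasons.append(f"loaded from unexpected directory {directory}")

    # 3. Anything but a valid signature (unsigned, expired, revoked, unknown).
    status = event.get("SignatureStatus", "?")
    if status.lower() != "valid":
        reasons.append(f"signature status {status!r}")

    if not reasons:
        return None
    return Finding(event.get("UtcTime", "?"), image, reasons)


def hunt(records: str) -> list[Finding]:
    """Run the three checks over every record and keep the hits."""
    findings = []
    for line in records.strip().splitlines():
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.utc_time, f.image)
        for reason in f.reasons:
            print("   -", reason)
```

Note that the second sample record, RTCore64.sys loaded from the normal drivers directory with a valid vendor signature, trips only the watchlist check; that is the realistic BYOVD case, and it is why the signature and path heuristics alone are not enough. Microsoft's vulnerable driver blocklist or a hash-based list is the production equivalent of the watchlist here.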
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[3] Picus BlackByte 2022: Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
[4] Cisco BlackByte 2024: James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
[5] Microsoft BlackByte 2023: Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
[6] Symantec BlackByte 2022: Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
[7] FBI BlackByte 2022: US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.