BlackByte | APT Profile

Description

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) use more robust encryption mechanisms. [BlackByte](https://attack.mitre.org/groups/G1043) is notable for operations targeting critical infrastructure entities among other targets across North America.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Techniques Used (TTPs)

T1082 — System Information Discovery (discovery)
T1016 — System Network Configuration Discovery (discovery)
T1046 — Network Service Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1482 — Domain Trust Discovery (discovery)
T1036.008 — Masquerade File Type (defense-evasion)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1134.003 — Make and Impersonate Token (defense-evasion, privilege-escalation)
T1070.004 — File Deletion (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1614.001 — System Language Discovery (discovery)
T1560 — Archive Collected Data (collection)
T1059.003 — Windows Command Shell (execution)
T1136.002 — Domain Account (persistence)
T1112 — Modify Registry (defense-evasion, persistence)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1491.001 — Internal Defacement (impact)
T1071.001 — Web Protocols (command-and-control)
T1087.002 — Domain Account (discovery)
T1570 — Lateral Tool Transfer (lateral-movement)
T1583.003 — Virtual Private Server (resource-development)
T1190 — Exploit Public-Facing Application (initial-access)
T1608.001 — Upload Malware (resource-development)
T1562 — Impair Defenses (defense-evasion)
T1490 — Inhibit System Recovery (impact)
T1012 — Query Registry (discovery)
T1059.001 — PowerShell (execution)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1003 — OS Credential Dumping (credential-access)
T1569.002 — Service Execution (execution)
T1135 — Network Share Discovery (discovery)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1505.003 — Web Shell (persistence)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1567 — Exfiltration Over Web Service (exfiltration)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1480 — Execution Guardrails (defense-evasion)
T1486 — Data Encrypted for Impact (impact)
T1518.001 — Security Software Discovery (discovery)
T1219 — Remote Access Tools (command-and-control)
T1047 — Windows Management Instrumentation (execution)
T1018 — Remote System Discovery (discovery)
T1562.004 — Disable or Modify System Firewall (defense-evasion)

Total TTPs: 49

Malware & Tools

Malware: BlackByte 2.0 Ransomware, BlackByte Ransomware, Cobalt Strike, Exbyte

Tools: AdFind, Arp, Mimikatz, PsExec

← Return to Home ← Back to APT Search