BlackByte
Also known as: Hecamede
Overview
BlackByte is a ransomware threat actor operating since at least 2021. The group is associated with several versions of ransomware also labeled BlackByte Ransomware. Early BlackByte ransomware operations used a common encryption key, which allowed the development of a universal decryptor; subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations against critical infrastructure entities, among other targets, across North America.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 4 attributed custom malware families
TTPs — 48 techniques across 14 tactics
Resource Development
- T1583.003 Virtual Private Server
- T1608.001 Upload Malware
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1569.002 Service Execution
Persistence
- T1136.002 Domain Account
- T1505.003 Web Shell
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
Stealth
- T1036.008 Masquerade File Type
- T1055 Process Injection
- T1055.012 Process Hollowing
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1134.003 Make and Impersonate Token
- T1140 Deobfuscate/Decode Files or Information
- T1480 Execution Guardrails
Defense Impairment
- T1112 Modify Registry
- T1685 Disable or Modify Tools
- T1686 Disable or Modify System Firewall
Credential Access
- T1003 OS Credential Dumping
Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1082 System Information Discovery
- T1087.002 Domain Account
- T1135 Network Share Discovery
- T1482 Domain Trust Discovery
- T1518.001 Security Software Discovery
- T1614.001 System Language Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
- T1570 Lateral Tool Transfer
Collection
- T1560 Archive Collected Data
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools
Exfiltration
Impact
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1491.001 Internal Defacement
Tools & malware (8)
AdFind · BlackByte Ransomware · Exbyte · Arp · BlackByte 2.0 Ransomware · PsExec · Cobalt Strike · Mimikatz
Reporting (3)
- BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks — James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans
- The five-day job: A BlackByte ransomware intrusion case study — Microsoft Incident Response
- Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool — Symantec Threat Hunter Team