
BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
ID: G1043
Associated Groups: Hecamede
Version: 1.0
Created: 16 Dec 2024
Last Modified: 09 Mar 2025

Associated Group Descriptions

Name Description
Hecamede (Citation: Symantec BlackByte 2022)

Techniques Used

Domain ID Name Use
Enterprise T1134 .003 Access Token Manipulation: Make and Impersonate Token

BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.(Citation: Microsoft BlackByte 2023)

Enterprise T1087 .002 Account Discovery: Domain Account

BlackByte has used tools such as AdFind to identify and enumerate domain accounts.(Citation: Microsoft BlackByte 2023)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

BlackByte staged encryption keys on virtual private servers operated by the adversary.(Citation: FBI BlackByte 2022)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BlackByte collected victim device information, then transmitted it via HTTP POST to command and control infrastructure.(Citation: Microsoft BlackByte 2023)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BlackByte has used Registry Run keys for persistence.(Citation: Microsoft BlackByte 2023)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BlackByte used encoded PowerShell commands during operations.(Citation: FBI BlackByte 2022) BlackByte has used remote PowerShell commands in victim networks.(Citation: Microsoft BlackByte 2023)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BlackByte executed ransomware using the Windows command shell.(Citation: FBI BlackByte 2022)

Enterprise T1136 .002 Create Account: Domain Account

BlackByte created privileged domain accounts during intrusions.(Citation: Cisco BlackByte 2024)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

BlackByte modified multiple services on victim machines to enable encryption operations.(Citation: Symantec BlackByte 2022) BlackByte has installed tools such as AnyDesk as a service on victim machines.(Citation: Microsoft BlackByte 2023)

Enterprise T1491 .001 Defacement: Internal Defacement

BlackByte left ransom notes in every directory where encryption took place.(Citation: FBI BlackByte 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Cisco BlackByte 2024)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

BlackByte modified firewall rules on victim machines to enable remote system discovery.(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

BlackByte deleted ransomware executables post-encryption.(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1036 .008 Masquerading: Masquerade File Type

BlackByte masqueraded configuration files containing encryption keys as PNG files.(Citation: FBI BlackByte 2022)

Enterprise T1055 .012 Process Injection: Process Hollowing

BlackByte used process hollowing for defense evasion purposes.(Citation: Microsoft BlackByte 2023)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

BlackByte has used RDP to access other hosts within victim networks.(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.(Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BlackByte created scheduled tasks for payload execution.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)

Enterprise T1505 .003 Server Software Component: Web Shell

BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.(Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

BlackByte enumerated installed security products during operations.(Citation: Microsoft BlackByte 2023)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.(Citation: Microsoft BlackByte 2023)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

BlackByte identified system language settings to determine follow-on execution.(Citation: Picus BlackByte 2022)

Enterprise T1569 .002 System Services: Service Execution

BlackByte created malicious services for ransomware execution.(Citation: Symantec BlackByte 2022)(Citation: Cisco BlackByte 2024)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

BlackByte captured credentials for or impersonated domain administration users.(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Software

ID Name References Techniques
S0099 Arp (Citation: FBI BlackByte 2022) (Citation: TechNet Arp) System Network Configuration Discovery, Remote System Discovery
S1181 BlackByte 2.0 Ransomware (Citation: Microsoft BlackByte 2023) Service Stop, Network Share Discovery, Process Injection, Timestomp, Disable or Modify System Firewall, Modify Registry, Exploitation for Privilege Escalation, Data Encrypted for Impact, File Deletion, Service Execution, Inhibit System Recovery
S1179 Exbyte (Citation: Microsoft BlackByte 2023) (Citation: Symantec BlackByte 2022) System Checks, Native API, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, File and Directory Discovery, Execution Guardrails, Local Groups, Security Software Discovery, File Deletion
S1180 BlackByte Ransomware (Citation: Cisco BlackByte 2024) (Citation: FBI BlackByte 2022) (Citation: Microsoft BlackByte 2023) (Citation: Trustwave BlackByte 2021) Scheduled Task, Encrypted/Encoded File, JavaScript, System Checks, Network Share Discovery, Windows File and Directory Permissions Modification, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, SMB/Windows Admin Shares, Modify Registry, Downgrade Attack, Execution Guardrails, Disable or Modify Tools, Data Encrypted for Impact, Lateral Tool Transfer, System Language Discovery, Query Registry, Security Software Discovery, Network Service Discovery, Inhibit System Recovery
S0154 Cobalt Strike (Citation: Microsoft BlackByte 2023) (Citation: Picus BlackByte 2022) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Microsoft BlackByte 2023) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Microsoft BlackByte 2023) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Symantec BlackByte 2022) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0029 PsExec (Citation: Microsoft BlackByte 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
