
BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
ID: G1043
Associated Groups: Hecamede
Created: 16 Dec 2024
Last Modified: 09 Mar 2025

Associated Group Descriptions

Name Description
Hecamede (Citation: Symantec BlackByte 2022)

Techniques Used

Domain ID Name Use
Enterprise T1134 .003 Access Token Manipulation: Make and Impersonate Token

BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.(Citation: Microsoft BlackByte 2023)

Enterprise T1087 .002 Account Discovery: Domain Account

BlackByte has used tools such as AdFind to identify and enumerate domain accounts.(Citation: Microsoft BlackByte 2023)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

BlackByte staged encryption keys on virtual private servers operated by the adversary.(Citation: FBI BlackByte 2022)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BlackByte collected victim device information then transmitted this via HTTP POST to command and control infrastructure.(Citation: Microsoft BlackByte 2023)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BlackByte has used Registry Run keys for persistence.(Citation: Microsoft BlackByte 2023)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BlackByte used encoded PowerShell commands during operations.(Citation: FBI BlackByte 2022) BlackByte has used remote PowerShell commands in victim networks.(Citation: Microsoft BlackByte 2023)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BlackByte executed ransomware using the Windows command shell.(Citation: FBI BlackByte 2022)

Enterprise T1136 .002 Create Account: Domain Account

BlackByte created privileged domain accounts during intrusions.(Citation: Cisco BlackByte 2024)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

BlackByte modified multiple services on victim machines to enable encryption operations.(Citation: Symantec BlackByte 2022) BlackByte has installed tools such as AnyDesk as a service on victim machines.(Citation: Microsoft BlackByte 2023)

Enterprise T1491 .001 Defacement: Internal Defacement

BlackByte left ransom notes in all directories where encryption takes place.(Citation: FBI BlackByte 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Cisco BlackByte 2024)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

BlackByte modified firewall rules on victim machines to enable remote system discovery.(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

BlackByte deleted ransomware executables post-encryption.(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1036 .008 Masquerading: Masquerade File Type

BlackByte masqueraded configuration files containing encryption keys as PNG files.(Citation: FBI BlackByte 2022)

Enterprise T1055 .012 Process Injection: Process Hollowing

BlackByte used process hollowing for defense evasion purposes.(Citation: Microsoft BlackByte 2023)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

BlackByte has used RDP to access other hosts within victim networks.(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.(Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BlackByte created scheduled tasks for payload execution.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)

Enterprise T1505 .003 Server Software Component: Web Shell

BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.(Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

BlackByte enumerated installed security products during operations.(Citation: Microsoft BlackByte 2023)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.(Citation: Microsoft BlackByte 2023)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

BlackByte identified system language settings to determine follow-on execution.(Citation: Picus BlackByte 2022)

Enterprise T1569 .002 System Services: Service Execution

BlackByte created malicious services for ransomware execution.(Citation: Symantec BlackByte 2022)(Citation: Cisco BlackByte 2024)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

BlackByte captured credentials for or impersonated domain administration users.(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Software

ID Name References Techniques
S0099 Arp (Citation: FBI BlackByte 2022) (Citation: TechNet Arp) Remote System Discovery, System Network Configuration Discovery
S1181 BlackByte 2.0 Ransomware (Citation: Microsoft BlackByte 2023) Timestomp, Disable or Modify System Firewall, Modify Registry, Data Encrypted for Impact, Inhibit System Recovery, Exploitation for Privilege Escalation, Network Share Discovery, Service Stop, File Deletion, Service Execution, Process Injection
S1179 Exbyte (Citation: Microsoft BlackByte 2023) (Citation: Symantec BlackByte 2022) Native API, Execution Guardrails, Local Groups, Deobfuscate/Decode Files or Information, File and Directory Discovery, Security Software Discovery, File Deletion, System Checks, Exfiltration Over Web Service
S1180 BlackByte Ransomware (Citation: Cisco BlackByte 2024) (Citation: FBI BlackByte 2022) (Citation: Microsoft BlackByte 2023) (Citation: Trustwave BlackByte 2021) Network Share Discovery, Data Encrypted for Impact, Query Registry, JavaScript, Lateral Tool Transfer, System Information Discovery, Scheduled Task, Inhibit System Recovery, Network Service Discovery, Encrypted/Encoded File, Downgrade Attack, Native API, Windows File and Directory Permissions Modification, Modify Registry, Execution Guardrails, Deobfuscate/Decode Files or Information, Disable or Modify Tools, SMB/Windows Admin Shares, System Language Discovery, Security Software Discovery, System Checks
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Microsoft BlackByte 2023) (Citation: Picus BlackByte 2022) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, File Transfer Protocols, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Microsoft BlackByte 2023) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Microsoft BlackByte 2023) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Symantec BlackByte 2022) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0029 PsExec (Citation: Microsoft BlackByte 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
