BlackByte Ransomware
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | BlackByte Ransomware is distributed as a JavaScript launcher file. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | BlackByte Ransomware uses the `mountvol.exe` command to mount volume names and leverages the Microsoft Discretionary Access Control List tool, `icacls.exe`, to grant the “Everyone” group full access to the root of the drive. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | BlackByte Ransomware adds the .JS and .EXE extensions to the Microsoft Defender exclusion list, and terminates and removes the Raccine anti-ransomware utility. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1562.010 | Impair Defenses: Downgrade Attack | BlackByte Ransomware enables SMBv1 during execution. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BlackByte Ransomware is distributed as an encrypted payload. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BlackByte Ransomware creates a scheduled task to execute remotely deployed ransomware payloads. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | BlackByte Ransomware looks for security software products prior to full execution. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | BlackByte Ransomware identifies the language on the victim system. (Citation: Trustwave BlackByte 2021) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | BlackByte Ransomware checks for files related to known sandboxes. (Citation: Trustwave BlackByte 2021) |
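As an added defender-side example (not code from the ATT&CK page or from any of the referenced reports), the following Python flags process command lines that match the defense-impairment behaviours in the table above: the `icacls` grant of full control to Everyone on a drive root (T1222.001), Defender extension exclusions and Raccine removal (T1562.001), and SMBv1 enablement (T1562.010). The sample events are constructed, and the command forms checked are ordinary administrative invocations assumed for illustration, not claimed to be BlackByte's exact command lines.

```python
import re

# Constructed process-creation records (not real telemetry); the command lines are
# ordinary admin commands chosen to exercise each rule, plus one benign icacls call.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"icacls C:\ /grant Everyone:(OI)(CI)F /T"},
    {"id": 2, "cmdline": "powershell Add-MpPreference -ExclusionExtension .js,.exe"},
    {"id": 3, "cmdline": "powershell Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"},
    {"id": 4, "cmdline": "taskkill /F /IM Raccine.exe"},
    {"id": 5, "cmdline": r"icacls C:\Shares\Public /grant Everyone:R"},  # sub-folder, read-only: benign
]

# (technique, description, pattern). Patterns are deliberately narrow: a bare drive
# root, the Everyone group or its well-known SID S-1-1-0, and full control ('F').
RULES = [
    ("T1222.001", "icacls grants Everyone full control on a drive root",
     re.compile(r'icacls(?:\.exe)?\s+"?[A-Za-z]:\\?"?\s.*?/grant(?::r)?\s+'
                r'(?:\*S-1-1-0|everyone):(?:\([A-Z]+\))*F\b', re.I)),
    ("T1562.001", "Defender exclusion added for .js or .exe",
     re.compile(r"Add-MpPreference\b.*?-ExclusionExtension\b.*?\.(?:js|exe)\b", re.I)),
    ("T1562.001", "Raccine process or service stopped/removed",
     re.compile(r"(?:taskkill|sc(?:\.exe)?\s+(?:stop|delete)|schtasks(?:\.exe)?\s+/delete)\b.*raccine",
                re.I)),
    ("T1562.010", "SMBv1 enabled",
     re.compile(r"(?:EnableSMB1Protocol\s+\$?true|FeatureName\s+SMB1Protocol)", re.I)),
]


def evaluate(events):
    """Return (event id, technique, description) for every rule a command line matches."""
    hits = []
    for ev in events:
        for tech, desc, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.append((ev["id"], tech, desc))
    return hits


def techniques_seen(hits):
    """Distinct ATT&CK IDs observed. Several of these on one host in a short window is
    the defense-impairment sequence this page attributes to BlackByte; any single hit
    still merits a look, since these are rarely legitimate outside change windows."""
    return sorted({tech for _, tech, _ in hits})


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Correlating these hits with the SMB share and scheduled-task rows (T1021.002, T1053.005) from the same host gives a higher-confidence signal than any one rule alone.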
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1043 | BlackByte | (Citation: Microsoft BlackByte 2023) (Citation: Trustwave BlackByte 2021) |
References
- James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
- Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
- Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
- US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.