{
	"id": "323df2f8-7f2a-4494-81c2-61d354812a74",
	"created_at": "2026-04-06T00:09:39.751007Z",
	"updated_at": "2026-04-10T03:32:24.790825Z",
	"deleted_at": null,
	"sha1_hash": "35c36a91f0747222f7d09c6dd565eafd3c39ecd4",
	"title": "TTPs used by BlackByte Ransomware Targeting Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 459751,
	"plain_text": "TTPs used by BlackByte Ransomware Targeting Critical Infrastructure\r\nBy Huseyin Can YUCEEL\r\nPublished: 2022-02-21 · Archived: 2026-04-05 14:02:49 UTC\r\nOn February 15th, 2022, the FBI and US Secret Service issued a joint advisory on BlackByte ransomware and its indicators\r\nof compromise (IOCs). According to the alert, BlackByte ransomware attacks on critical US infrastructures are on the rise.\r\nIn this blog, we explained TTPs used by the BlackByte ransomware group in detail.\r\nTest your security controls against BlackByte Ransomware NOW!\r\nBlackByte Ransomware Group\r\n BlackByte operates as a Ransomware-as-a-Service group and began its campaign in July 2021. Since then, it has targeted\r\nU.S. organizations in critical infrastructure sectors, including government, finance, and food and agriculture. The group also\r\nbreached the San Francisco 49ers and published portions of the team’s confidential data as proof of the attack.\r\nFigure 1: Ransom note of\r\nBlackByte for SF49ers[1]\r\nJoint cybersecurity advisory from FBI and US Secret Service warns organizations that beware of the IOCs of BlackByte\r\nransomware attacks and take necessary precautions as the number of attacks is expected to increase.\r\nWhat is BlackByte Ransomware?\r\nBlackByte ransomware is the collective name of the ransomware variants from the BlackByte RaaS group. The ransomware\r\nwas first reported back in July 2021. It exploits ProxyShell vulnerabilities found in Microsoft Exchange Server for initial\r\naccess. The patch for these vulnerabilities is available. However, unpatched systems are falling victim to these ransomware\r\nattacks. Check out our blog post and learn how to prevent the exploitation of ProxyShell vulnerabilities.\r\nThe ransomware does not attack the infected systems if the language setting is Russian or the languages of former Soviet\r\nrepublics. 
This behavior is similar to that of some other ransomware threat groups, as explained in our previous ransomware blog, LockBit 2.0.\r\nBlackByte ransomware variants only use symmetric encryption. In their earlier ransomware variants, the BlackByte threat group distributed the encryption key to every victim from their command and control (C2) server in a .png file. Since the same encryption key was used for every victim, Trustwave was able to devise a global decryptor [2]. After the release of the global decryptor, the ransomware group stopped delivering the encryption key from the C2 server and changed the key. Although the decryptor might not work in some cases, it is worth a try, as it does not harm already encrypted files.\r\nhttps://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure\r\nPage 1 of 7\n\nAfter encrypting the victim's files, BlackByte ransomware appends the .blackbyte extension. The ransomware leaves the same ransom note in all encrypted directories, and the ransom note includes a .onion link that instructs the victim how to pay the ransom and receive the decryption key. The ransom note also claims that the ransomware has exfiltrated data from its victims, to pressure them into paying the ransom.\r\nHow Picus Helps Simulate BlackByte Ransomware?\r\nUsing the Picus Continuous Security Validation Platform, you can test your security controls against the BlackByte ransomware. We advise you to simulate BlackByte ransomware attacks and determine whether your security controls can prevent them. 
Picus Threat Library includes the following threats to simulate BlackByte ransomware.\r\nThreat Name\r\nBlackByte Ransomware .EXE File Download (1-variant)\r\nBlackByte Ransomware Scenario\r\nTest your security controls against BlackByte Ransomware in minutes!\r\nMITRE ATT\u0026CK Techniques Used by the BlackByte Ransomware\r\nReconnaissance\r\nT1595.002 Active Scanning: Vulnerability Scanning\r\nThe BlackByte ransomware group exploits several vulnerabilities in Microsoft Exchange Server. The ransomware threat actors scan the network of their targets and check whether it is affected by the CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 vulnerabilities.\r\nInitial Access\r\nT1190 Exploit Public-Facing Application\r\nBlackByte ransomware threat actors exploit ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) found in Microsoft Exchange Server to gain initial access to the target network. Using ProxyShell vulnerabilities, the BlackByte RaaS group drops a webshell with the .aspx extension.\r\nCVE Number CVSS Score Vulnerability\r\nCVE-2021-34473 9.8 (Critical) Microsoft Exchange Server Remote Code Execution Vulnerability\r\nCVE-2021-34523 9.8 (Critical) Microsoft Exchange Server Elevation of Privilege Vulnerability\r\nCVE-2021-31207 7.2 (High) Microsoft Exchange Server Security Feature Bypass Vulnerability\r\nDirectories where the webshell might be located\r\nWindows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\e22c2559\\92c7e946\r\ninetpub\\wwwroot\\aspnet_client\r\nProgram Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\r\nProgram Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\r\nProgram Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\r\nProgram Files\\Microsoft\\Exchange 
Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\scripts\r\nProgram Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\scripts\\premium\r\nExecution\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nBlackByte ransomware utilizes Scheduled Tasks to launch its executable and to print ransom notes using the printers in the victim’s network.\r\nScheduled Tasks used by BlackByte Description\r\ncomplex.exe -single \u003cSHA256_hash\u003e\r\nThe ransomware executable is named “complex.exe”. The purpose of the hash value is unknown; it might be the identifier of the victim.\r\ncmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\\Users\\tree.dll\r\nThis command attempts to open tree.dll in WordPad 75 times and print its contents. tree.dll contains the ransom note.\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nThe BlackByte threat group uses PowerShell and Windows Command Shell to execute its malicious commands.\r\nPersistence\r\nT1505.003 Server Software Component: Web Shell\r\nBlackByte ransomware abuses MSExchangeMailboxReplication.exe to place a webshell and establish a solid foothold in the victim’s network. 
\r\nPrivilege Escalation\r\nT1112 Modify Registry\r\nBlackByte ransomware modifies registry keys to elevate privileges.\r\nCommands used to modify the registry Description\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\nEscalate local privilege\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f\r\nEnable the OS to share network connections between different privilege levels\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f\r\nEnable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths\r\nDefense Evasion\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nThe BlackByte threat group uses obfuscation to make malware analysis difficult.\r\nT1055 Process Injection\r\nBlackByte ransomware injects a Cobalt Strike beacon into wuauclt.exe.\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nThe BlackByte ransomware group deletes its executable after encryption to limit the chances of analysis.\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nBlackByte ransomware stops Windows Defender by using an obfuscated PowerShell command. 
It also deletes a scheduled task for Raccine, a tool used to prevent ransomware attacks.\r\nCommands used for defense evasion Description\r\npowershell -command \"$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x\"\r\nStop Windows Defender from executing on startup (the concatenated Base64 string decodes to the service name WinDefend)\r\nschtasks.exe /DELETE /TN \"\\\"Raccine Rules Updater\\\"\" /F\r\nDelete the scheduled task for Raccine Rules Updater.\r\nT1562.004 Impair Defenses: Disable or Modify System Firewall\r\nBlackByte threat actors change firewall rules to discover other assets in the victim’s network.\r\nCommands used for defense evasion Description\r\nnetsh advfirewall firewall set rule \"group=\\\"Network Discovery\\\"\" new enable=Yes\r\nEnable network discovery\r\nnetsh advfirewall firewall set rule \"group=\\\"File and Printer Sharing\\\"\" new enable=Yes\r\nEnable file and printer sharing\r\nCredential Access\r\nT1003 OS Credential Dumping\r\nThe BlackByte group uses Cobalt Strike to dump credentials and access service accounts in the victim network.\r\nDiscovery\r\nT1012 Query Registry\r\nBlackByte ransomware checks the language settings by querying the related registry keys.\r\nT1016 System Network Configuration Discovery\r\nT1018 Remote System Discovery\r\nBlackByte uses the following commands to discover other assets in the victim’s network.\r\nCommands used for discovery Description\r\nnet.exe view Display a list of domains, computers, or resources that are being shared\r\narp.exe -a Display the current ARP cache tables for all interfaces\r\nLateral Movement\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nBlackByte ransomware creates SMB shares to distribute AnyDesk, a remote desktop application, to other assets in 
the victim’s network using Cobalt Strike.\r\nCollection\r\nT1560.001 Archive Collected Data: Archive via Utility\r\nBlackByte compresses the victim's files before exfiltration.\r\nCommand and Control (C2)\r\nT1105 Ingress Tool Transfer\r\nThe BlackByte group transfers a Cobalt Strike beacon to the victim using the webshell they placed. After the beacon is placed, they transfer the AnyDesk application.\r\nExfiltration\r\nT1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nBlackByte ransomware sends the victim’s compressed files to anonymous file-sharing services such as anonymfiles.com and file.io.\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nBlackByte uses symmetric key encryption to encrypt the victim’s files. Check out our blog post to learn more detail on this MITRE ATT\u0026CK technique.\r\nT1490 Inhibit System Recovery\r\nBlackByte ransomware resizes and deletes volume shadow copies to prevent file recovery using built-in recovery services.\r\nCommands used for Inhibit System Recovery Description\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nResize volume shadow copy sizes\r\npowershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x\r\nDelete volume shadow copies\r\nDecoded command: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nIndicators of Compromise (IOCs)\r\nCommand and Control Server IPs:\r\n185.93.6.31\r\n45.9.148.114\r\nMD5 Hashes\r\n4d2da36174633565f3dd5ed6dc5033c4 cd7034692d8f29f9146deb3641de7986 
d63a7756bfdcd2be6c755bf288a92c8b\r\need7357ab8d2fe31ea3dbcf3f9b7ec74 695e343b81a7b0208cbae33e11f7044c 296c51eb03e70808304b5f0e050f4f94\r\n0c7b8da133799dd72d0dbe3ea012031e a77899602387665cddb6a0f021184a2b 1473c91e9c0588f92928bed0ebf5e0f4\r\n28b791746c97c0c04dcbfe0954e7173b 52b8ae74406e2f52fd81c8458647acd8 1785f4058c78ae3dd030808212ae3b04\r\nb8e24e6436f6bed17757d011780e87b9 8dfa48e56fc3a6a2272771e708cdb4d2 4ce0bdd2d4303bf77611b8b34c7d2883\r\nc010d1326689b95a3d8106f75003427c ae6fbc60ba9c0f3a0fef72aeffcd3dc7 405cb8b1e55bb2a50f2ef3e7c2b28496\r\n11e35160fc4efabd0a3bd7a7c6afc91b 659b77f88288b4874b5abe41ed36380d 151c6f04aeff0e00c54929f25328f6f7\r\n959a7df5c465fcd963a641d87c18a565 5f40e1859053b70df9c0753d327f2cee df7befc8cdc3c5434ef27cc669fb1e4b\r\n51f2cf541f004d3c1fa8b0f94c89914a d9e94f076d175ace80f211ea298fa46e 8320d9ec2eab7f5ff49186b2e630a15f\r\ncea6be26d81a8ff3db0d9da666cd0f8f 31f818372fa07d1fd158c91510b6a077 d9e94f076d175ace80f211ea298fa46e\r\na9cf6dce244ad9afd8ca92820b9c11b9 7139415fecd716bec6d38d2004176f5d c13bf39e2f8bf49c9754de7fb1396a33\r\nad29212716d0b074d976ad7e33b8f35f d4aa276a7fbe8dcd858174eeacbb26ce 58e8043876f2f302fbc98d00c270778b\r\nd2a15e76a4bfa7eb007a07fc8738edfb e46bfbdf1031ea5a383040d0aa598d45  \r\nMD5 SHA-1 SHA-256\r\n5c0a549ae45d9abe54ab662e53c484e2 f3574a47570cccebb1c502287e21218277ffc589 e837f252af30cc222a1bce815e609a7354e1f9c814baefbb\r\nhttps://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure\r\nPage 6 of 7\n\n9344afc63753cd5e2ee0ff9aed43dc56 ee1fa399ace734c33b77c62b6fb010219580448f 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a22\r\ne2eb5b57a8765856be897b4f6dadca18 c90f32fd0fd4eefe752b7b3f7ebfbc7bd9092b16 91f8592c7e8a3091273f0ccbfe34b2586c5998f7de63130\r\nReference\r\n[1] D. Goodin, “Hacking group is on a tear, hitting US critical infrastructure and SF 49ers,” Ars Technica, Feb. 14, 2022.\r\n[Online]. 
Available: https://arstechnica.com/information-technology/2022/02/hacking-group-is-on-a-tear-hitting-us-critical-infrastructure-and-sf-49ers/\r\n[2] SpiderLabs, “GitHub - SpiderLabs/BlackByteDecryptor,” GitHub. [Online]. Available:\r\nhttps://github.com/SpiderLabs/BlackByteDecryptor\r\nSource: https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure"
	],
	"report_names": [
		"ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35c36a91f0747222f7d09c6dd565eafd3c39ecd4.pdf",
		"text": "https://archive.orkl.eu/35c36a91f0747222f7d09c6dd565eafd3c39ecd4.txt",
		"img": "https://archive.orkl.eu/35c36a91f0747222f7d09c6dd565eafd3c39ecd4.jpg"
	}
}