
Threat Actor Characterization

BlackByte

ID: 3f0e519a5487a9347e8e043504a42bc066612
Cybercrime Cybercriminal
Threat types: Ransomware, Data Leak, Intrusion
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America. Ref: https://attack.mitre.org/groups/G1043/


Technique | Technique name | Tactics
(Evidence for each technique is listed beneath its row.)

T1021.001 | Remote Desktop Protocol | TA0008
  • Remote Services: Remote Desktop Protocol - BlackByte has used RDP to access other hosts within victim networks.
T1021.002 | SMB/Windows Admin Shares | TA0008
  • Remote Services: SMB/Windows Admin Shares - BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.
T1036.008 | Masquerade File Type | TA0005
  • Masquerading: Masquerade File Type - BlackByte masqueraded configuration files containing encryption keys as PNG files.
T1053.005 | Scheduled Task | TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - BlackByte created scheduled tasks for payload execution.
T1055.012 | Process Hollowing | TA0004 TA0005
  • Process Hollowing - BlackByte used process hollowing for defense evasion purposes.
T1059.001 | PowerShell | TA0002
  • Command and Scripting Interpreter: PowerShell - BlackByte used encoded PowerShell commands during operations. BlackByte has used remote PowerShell commands in victim networks.
T1059.003 | Windows Command Shell | TA0002
  • Command and Scripting Interpreter: Windows Command Shell - BlackByte executed ransomware using the Windows command shell.
T1070.004 | File Deletion | TA0005
  • Indicator Removal: File Deletion - BlackByte deleted ransomware executables post-encryption.
T1071.001 | Web Protocols | TA0011
  • Application Layer Protocol: Web Protocols - BlackByte collected victim device information, then transmitted it via HTTP POST to command and control infrastructure.
T1078.002 | Domain Accounts | TA0001 TA0003 TA0004 TA0005
  • Domain Accounts - BlackByte captured credentials for, or impersonated, domain administration users.
T1087.002 | Domain Account | TA0007
  • Account Discovery: Domain Account - BlackByte has used tools such as AdFind to identify and enumerate domain accounts.
T1134.003 | Make and Impersonate Token | TA0004 TA0005
  • Access Token Manipulation: Make and Impersonate Token - BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.
T1136.002 | Domain Account | TA0003
  • Create Account: Domain Account - BlackByte created privileged domain accounts during intrusions.
T1491.001 | Internal Defacement | TA0040
  • Defacement: Internal Defacement - BlackByte left ransom notes in all directories where encryption takes place.
T1505.003 | Web Shell | TA0003
  • Server Software Component: Web Shell - BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.
T1518.001 | Security Software Discovery | TA0007
  • Software Discovery: Security Software Discovery - BlackByte enumerated installed security products during operations.
T1543.003 | Windows Service | TA0003 TA0004
  • Create or Modify System Process: Windows Service - BlackByte modified multiple services on victim machines to enable encryption operations. BlackByte has installed tools such as AnyDesk as a service on victim machines.
T1547.001 | Registry Run Keys / Startup Folder | TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - BlackByte has used Registry Run keys for persistence.
T1562.001 | Disable or Modify Tools | TA0005
  • Disable or Modify Tools - BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.
T1562.004 | Disable or Modify System Firewall | TA0005
  • Disable or Modify System Firewall - BlackByte modified firewall rules on victim machines to enable remote system discovery.
T1569.002 | Service Execution | TA0002
  • System Services: Service Execution - BlackByte created malicious services for ransomware execution.
T1583.003 | Virtual Private Server | TA0042
  • Acquire Infrastructure: Virtual Private Server - BlackByte staged encryption keys on virtual private servers operated by the adversary.
T1608.001 | Upload Malware | TA0042
  • Stage Capabilities: Upload Malware - BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.
T1614.001 | System Language Discovery | TA0007
  • System Location Discovery: System Language Discovery - BlackByte identified system language settings to determine follow-on execution.