G1043: BlackByte
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]
Analyst context for executives and security teams
BlackByte is an ATT&CK-documented ransomware group, also known as Hecamede, operating since at least 2021 and associated with BlackByte ransomware variants and the Exbyte exfiltration tool. For leaders, the practical issue is not just malware encryption; the related behaviors show a ransomware intrusion pattern involving credential theft, discovery, lateral movement, remote execution, exfiltration, and eventual encryption. MITRE notes targeting of critical infrastructure entities among other North American targets, making this relevant to business continuity and operational resilience planning.
Executive priority
Treat this as a ransomware readiness use case: can the organization detect and contain credential compromise, lateral movement over RDP/SMB/WMI/PsExec, data exfiltration, and ransomware execution before recovery becomes the primary option? Priority decisions should focus on identity hardening, endpoint visibility, remote administration controls, vulnerability management for privilege escalation, segmentation, and tested incident response and recovery evidence. Because ATT&CK provides no official detection text for this group, executives should ask for proof of coverage against the related techniques and tools rather than a simple claim of “BlackByte detection.”
Technical view
The relationship set is heavily centered on Windows tradecraft: Mimikatz, PsExec, AdFind, BlackByte ransomware variants, Exbyte, PowerShell, Windows Command Shell, WMI, Scheduled Task, RDP, SMB/Admin Shares, Registry Query, credential dumping, process injection/process hollowing, discovery, exfiltration over C2, and exploitation for privilege escalation. SOC and IR teams should validate chained detections that connect credential access, Active Directory discovery, remote execution, lateral movement, outbound exfiltration behavior, and mass file modification/encryption activity. Because PsExec, AdFind, PowerShell, WMI, RDP, SMB, and scheduled tasks can be legitimate administration activity, detections should be tuned around abnormal users, hosts, timing, command lines, remote targets, privilege context, and sequence of events.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd.exe, WMI, schtasks, PsExec-like execution, AdFind, registry queries, and discovery commands
- Windows authentication, logon, RDP, SMB/admin share, and remote service activity logs
- EDR signals for credential dumping, LSASS access, process injection, and process hollowing behavior
- Active Directory query and enumeration activity associated with tools such as AdFind
- Network flow, proxy, DNS, and egress logs for command-and-control and possible exfiltration to online file sharing or hosting services
Detection direction
- Build behavior-chain analytics rather than relying only on malware names: credential dumping followed by discovery, remote execution, lateral movement, exfiltration, and encryption is higher fidelity than any single event.
- Baseline legitimate administrative use of PsExec, WMI, PowerShell, RDP, SMB, scheduled tasks, and AdFind; alert on rare hosts, unusual operators, abnormal hours, or execution from non-admin workstations.
- Correlate outbound data movement with prior discovery or file staging, especially where Exbyte-like behavior or transfers to file sharing/hosting services are plausible.
- Validate visibility on remote execution and lateral movement paths; blind spots commonly occur where endpoint telemetry is missing on servers, RDP gateways, domain controllers, or file servers.
- Use ATT&CK relationships to test coverage for T1003, T1021.001, T1021.002, T1047, T1053.005, T1059.001, T1059.003, T1041, T1068, T1055, and discovery techniques rather than claiming generic ransomware coverage.
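The behavior-chain and baselining ideas above, as an added example that is not from MITRE, Glexia or any of the cited reports: a small Python correlation over constructed process-creation events. The event schema, the stage keywords, the host names and the command lines are assumptions; a real analytic would map to your EDR fields and your own administrative baseline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    image: str      # process image name as the EDR reports it
    cmdline: str    # full command line

# Discovery/remote execution are routine on known admin hosts; credential dumping and shadow-copy deletion never are.
BENIGN_FOR_ADMINS = {"ad_discovery", "remote_execution"}

def classify(ev):
    """Map one process-creation event to a chain stage (or None); keywords are illustrative, not vendor signatures."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if "mimikatz" in img or "sekurlsa::" in cmd:
        return "credential_access"
    if img == "adfind.exe" or "objectcategory=" in cmd:
        return "ad_discovery"
    if img.startswith("psexe") or (img == "wmic.exe" and "process call create" in cmd):
        return "remote_execution"
    if "shadowcopy delete" in cmd or "delete shadows" in cmd:
        return "recovery_inhibition"
    return None

def chain_alerts(events, admin_hosts, window=timedelta(hours=6), min_stages=3):
    """Return {host: [stages in first-seen order]} where >= min_stages distinct stages fall inside one window."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage is None or (ev.host in admin_hosts and stage in BENIGN_FOR_ADMINS):
            continue
        by_host.setdefault(ev.host, []).append((ev.ts, stage))
    alerts = {}
    for host, staged in by_host.items():
        for i, (t0, _) in enumerate(staged):          # slide the window start over each staged event
            seen = []
            for t, s in staged[i:]:
                if t - t0 > window:
                    break
                if s not in seen:
                    seen.append(s)
            if len(seen) >= min_stages:
                alerts[host] = seen
                break
    return alerts

# Constructed sample telemetry (hostnames and command lines are made up for this example).
T0 = datetime(2024, 3, 5, 1, 10)
SAMPLE = [
    Event(T0, "WS-FIN-07", "mimikatz.exe", "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    Event(T0 + timedelta(minutes=25), "WS-FIN-07", "adfind.exe", "adfind.exe -f objectcategory=computer"),
    Event(T0 + timedelta(minutes=50), "WS-FIN-07", "PsExec64.exe", r"PsExec64.exe \\SRV-FILE02 -s cmd.exe"),
    Event(T0 + timedelta(minutes=70), "WS-FIN-07", "cmd.exe", "cmd.exe /c wmic shadowcopy delete"),
    Event(T0, "ADMIN-JUMP01", "adfind.exe", "adfind.exe -f objectcategory=group"),
    Event(T0 + timedelta(minutes=5), "ADMIN-JUMP01", "PsExec.exe", r"PsExec.exe \\SRV-APP01 ipconfig"),
    Event(T0 + timedelta(hours=9), "SRV-FILE02", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
]
print(chain_alerts(SAMPLE, admin_hosts={"ADMIN-JUMP01"}))  # -> {'WS-FIN-07': ['credential_access', 'ad_discovery', 'remote_execution', 'recovery_inhibition']}
```

The admin jump host running AdFind and PsExec is suppressed by the baseline, and the lone shadow-copy deletion on the file server is not enough for a chain alert on its own; only the workstation that walks through credential access, discovery, remote execution and recovery inhibition inside the window fires.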
Mitigation priorities
- Prioritize identity controls: reduce standing privilege, protect credential material, monitor privileged logons, and restrict where administrative accounts can authenticate.
- Restrict and monitor remote administration paths including RDP, SMB/admin shares, WMI, PsExec-style execution, PowerShell, and scheduled tasks.
- Maintain vulnerability management focus on privilege escalation paths and newly disclosed vulnerabilities referenced in the source material, using exposure and asset criticality to prioritize remediation.
- Segment critical servers, file shares, and operationally important systems to limit lateral movement and ransomware blast radius.
- Prepare ransomware response evidence: tested backups, restore procedures, isolation playbooks, exfiltration triage, and executive decision paths for business continuity.
Analyst notes and limits
This take is based on the ATT&CK group object for BlackByte (G1043) and the supplied relationship context. The strongest defensive value comes from mapping the group to related tools and techniques: Mimikatz, PsExec, AdFind, Exbyte, BlackByte ransomware variants, credential dumping, discovery, lateral movement, remote execution, exfiltration, and ransomware behavior. The group object itself does not specify platforms or tactics, but most of the related software and techniques are Windows-focused.
MITRE provides no official detection guidance for this group object. Local conclusions require environment-specific telemetry, asset exposure, identity architecture, remote administration practices, and incident history. This summary does not assert current exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | BlackByte used various system commands and tools to pull system information during operations.[1][3][4] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1046 | Network Service Discovery | BlackByte has used tools such as NetScan to enumerate network services in victim environments.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.[4] |
| Enterprise | T1482 | Domain Trust Discovery | BlackByte enumerated Active Directory information and trust relationships during operations.[1][4] |
| Enterprise | T1686 | Disable or Modify System Firewall | BlackByte modified firewall rules on victim machines to enable remote system discovery.[2][3] |
| Enterprise | T1036.008 | Masquerade File Type | BlackByte masqueraded configuration files containing encryption keys as PNG files.[1] |
| Enterprise | T1053.005 | Scheduled Task | BlackByte created scheduled tasks for payload execution.[1][2] |
| Enterprise | T1134.003 | Make and Impersonate Token | BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.[4] |
| Enterprise | T1070.004 | File Deletion | BlackByte deleted ransomware executables post-encryption.[2][3][4][5] |
| Enterprise | T1543.003 | Windows Service | |
| Enterprise | T1021.001 | Remote Desktop Protocol | BlackByte has used RDP to access other hosts within victim networks.[4][5] |
| Enterprise | T1685 | Disable or Modify Tools | BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.[1][2][5] |
| Enterprise | T1614.001 | System Language Discovery | BlackByte identified system language settings to determine follow-on execution.[2] |
| Enterprise | T1560 | Archive Collected Data | BlackByte compressed data collected from victim environments prior to exfiltration.[2] |
| Enterprise | T1059.003 | Windows Command Shell | BlackByte executed ransomware using the Windows command shell.[1] |
| Enterprise | T1136.002 | Domain Account | BlackByte created privileged domain accounts during intrusions.[5] |
| Enterprise | T1112 | Modify Registry | BlackByte performed Registry modifications to escalate privileges and disable security tools.[2][5] |
| Enterprise | T1055.012 | Process Hollowing | BlackByte used process hollowing for defense evasion purposes.[4] |
| Enterprise | T1491.001 | Internal Defacement | BlackByte left ransom notes in all directories where encryption takes place.[1] |
| Enterprise | T1071.001 | Web Protocols | BlackByte collected victim device information, then transmitted it via HTTP POST to command and control infrastructure.[4] |
| Enterprise | T1087.002 | Domain Account | |
| Enterprise | T1570 | Lateral Tool Transfer | BlackByte transferred tools such as Cobalt Strike and the AnyDesk remote access tool during operations using SMB shares.[2] |
| Enterprise | T1583.003 | Virtual Private Server | BlackByte staged encryption keys on virtual private servers operated by the adversary.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments.[1][2][3][4] |
| Enterprise | T1608.001 | Upload Malware | BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.[4] |
| Enterprise | T1490 | Inhibit System Recovery | BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.[2][3] |
| Enterprise | T1012 | Query Registry | BlackByte queried registry values to determine system language settings.[2] |
| Enterprise | T1059.001 | PowerShell | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.[4] |
| Enterprise | T1003 | OS Credential Dumping | BlackByte used tools such as Cobalt Strike and Mimikatz to dump credentials from victim systems.[2][4] |
| Enterprise | T1569.002 | Service Execution | BlackByte created malicious services for ransomware execution.[3][5] |
| Enterprise | T1135 | Network Share Discovery | BlackByte enumerated network shares on victim devices.[5] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | BlackByte has exploited CVE-2024-37085 in VMware ESXi software for authentication bypass and subsequent privilege escalation.[5] |
| Enterprise | T1505.003 | Web Shell | BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.[2][4] |
| Enterprise | T1078 | Valid Accounts | BlackByte has gained access to victim environments through legitimate VPN credentials.[5] |
| Enterprise | T1567 | Exfiltration Over Web Service | BlackByte has used services such as `anonymfiles.com` and `file.io` to exfiltrate victim data.[2] |
| Enterprise | T1055 | Process Injection | BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions.[2] BlackByte has injected ransomware into `svchost.exe` before encryption.[3] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[2][4][5] |
| Enterprise | T1078.002 | Domain Accounts | BlackByte captured credentials for, or impersonated, domain administration users.[4][5] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | BlackByte has used Registry Run keys for persistence.[4] |
| Enterprise | T1480 | Execution Guardrails | BlackByte stopped execution if the identified language setting on the victim machine was Russian or one of several languages associated with former Soviet republics.[2] BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute.[5] |
| Enterprise | T1486 | Data Encrypted for Impact | BlackByte has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption, but later versions use unique keys per victim.[1][2][3][4][5] |
| Enterprise | T1518.001 | Security Software Discovery | BlackByte enumerated installed security products during operations.[4] |
| Enterprise | T1219 | Remote Access Tools | BlackByte has used tools such as AnyDesk in victim environments.[2][4] |
| Enterprise | T1047 | Windows Management Instrumentation | BlackByte used WMI to delete Volume Shadow Copies on victim machines.[1] |
| Enterprise | T1018 | Remote System Discovery | |
Groups, software, and campaigns
S0552: AdFind
S1180: BlackByte Ransomware
BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a common key for infections, allowing for the creation of a universal decryptor.[1][2] BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023.[3][4]
S1179: Exbyte
S0099: Arp
S1181: BlackByte 2.0 Ransomware
BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, BlackByte 2.0 Ransomware does not have a common key for victim decryption. BlackByte 2.0 Ransomware remains uniquely associated with BlackByte operations.[1]
S0029: PsExec
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5c1d79782604… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FBI BlackByte 2022: US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
- [2] Picus BlackByte 2022: Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
- [3] Symantec BlackByte 2022: Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
- [4] Microsoft BlackByte 2023: Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
- [5] Cisco BlackByte 2024: James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
- [6] Hecamede (associated group alias; citation: Symantec BlackByte 2022)
- [7] mitre-attack G1043 (MITRE ATT&CK source record for this group object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.