S1180: BlackByte Ransomware
BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a common key for infections, allowing for the creation of a universal decryptor.[1][2] BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023.[3][4]
Analyst context for executives and security teams
BlackByte Ransomware is a Windows ransomware entry associated with BlackByte operations. Its ATT&CK relationships show a pattern that matters to defenders beyond file encryption: discovery of systems, shares, security tools, and language settings; movement over SMB/admin shares; scheduled task execution; Registry interaction; tool transfer; defense impairment; recovery inhibition; and data encryption for impact. For leaders, the decision that matters is whether ransomware readiness is measured only at the endpoint or across identity, SMB exposure, backup resilience, logging durability, and incident response execution.
Executive priority
Prioritize this as a ransomware resilience validation case, not just a malware signature issue. The ATT&CK relationships point to business-continuity risks around Windows lateral movement, shared drives, impaired security tooling, and disrupted recovery options. Executives should ask whether the organization can prove: privileged SMB/admin share use is governed and monitored, backup and recovery paths are resistant to tampering, endpoint and Windows event telemetry remain available during defense impairment attempts, and incident responders can quickly scope discovery, lateral transfer, and encryption activity. MITRE notes the original BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023, so this object should also inform historical exposure review and control validation rather than be treated as the complete current threat picture.
Technical view
SOC, detection engineering, and IR teams should validate coverage against the related ATT&CK behaviors: Registry query and modification, scheduled task creation or execution, JavaScript/JScript execution, native API use where observable, system/security software/network share discovery, SMB and Windows admin share access, lateral file transfer, permission changes, tool or sensor tampering, recovery inhibition, protocol downgrade (SMBv1 enablement), execution guardrails, sandbox/system checks, and file encryption activity. Because MITRE provides no official detection text for this object, local detections should be built from the related techniques and tested against the Windows telemetry available in the environment. Treat single events carefully: many discovery, Registry, scheduled task, SMB, and permission-change actions can be legitimate administration. Higher-confidence triage usually comes from chaining discovery, lateral movement, defense impairment, recovery inhibition, and bulk file modification/encryption behavior on the same host or account over a compressed period.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows Registry query and modification events
- Scheduled Task creation, update, and execution records
- SMB session, admin share, and network share access logs
- File creation, modification, rename, permission, and high-volume encryption-like activity telemetry
Detection direction
- Validate detections across behavior chains, especially discovery followed by SMB/admin share access, lateral file transfer, defense impairment, recovery inhibition, and mass file modification.
- Tune for administrative false positives by baselining legitimate scheduled task management, registry administration, share enumeration, backup operations, and security tool maintenance.
- Confirm visibility for Windows admin shares and privileged account use; ransomware investigations often depend on knowing which account touched which host and share.
- Correlate endpoint and identity telemetry so registry, task, file, and service events can be tied to the initiating user, host, and remote source.
- Review blind spots created by disabled agents, missing command-line capture, incomplete SMB logging, unmanaged Windows servers, or backup systems outside SOC monitoring.
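As an added example (not from the page, MITRE, or Glexia), the chained-behavior triage described in the Technical view and Detection direction sections, written as Python over constructed Windows process-creation events: each command line is mapped to a stage taken from this page's technique table, and a host is flagged only when several distinct stages occur within a short window, so a lone administrative vssadmin or schtasks call never alerts on its own. The event schema, the stage regexes, and the sample events are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> command-line regexes derived from this page's technique table (assumed patterns).
STAGES = {
    "discovery": [r"\bnet1?\s+(view|share)\b", r"\bGet-ADComputer\b", r"\bnltest\b"],
    "smb_admin_share": [r"\\\\[\w.-]+\\(admin\$|[a-z]\$)"],
    "scheduled_task": [r"\bschtasks(\.exe)?\b.*\s/create\b"],
    "defense_impairment": [r"Add-MpPreference\b.*-ExclusionExtension", r"\btaskkill\b.*raccine",
                           r"Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$true"],
    "recovery_inhibition": [r"\bvssadmin(\.exe)?\b.*delete\s+shadows", r"\bwmic\b.*shadowcopy\s+delete"],
    "permission_change": [r"\bicacls(\.exe)?\b.*everyone:\(?[a-z,()]*f\b"],
}

def stage_of(cmdline):
    """Map one process command line to a stage name, or None when nothing matches."""
    return next((s for s, pats in STAGES.items()
                 if any(re.search(p, cmdline, re.IGNORECASE) for p in pats)), None)

def correlate(events, window=timedelta(minutes=60), min_stages=3):
    """Return host -> finding for hosts with >= min_stages distinct stages inside one window."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev["cmdline"])
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["user"], stage))
    findings = {}
    for host, tagged in by_host.items():
        tagged.sort()
        for i, (t0, _, _) in enumerate(tagged):  # sliding window anchored at each tagged event
            span = [e for e in tagged[i:] if e[0] - t0 <= window]
            stages = sorted({e[2] for e in span})
            if len(stages) >= min_stages and len(stages) > len(findings.get(host, {}).get("stages", [])):
                findings[host] = {"stages": stages, "users": sorted({e[1] for e in span}),
                                  "start": t0.isoformat(), "end": span[-1][0].isoformat()}
    return findings

# Constructed events (not real telemetry): WS01 shows the chain, FS02 is routine backup maintenance, WS03 is admin work hours apart.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:01:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "net view \\\\FS02"},
    {"time": "2024-03-01T02:04:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "cmd.exe /c copy launcher.js \\\\FS02\\c$\\Users\\Public\\"},
    {"time": "2024-03-01T02:06:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "schtasks.exe /create /tn upd /tr C:\\Users\\Public\\launcher.js /sc once"},
    {"time": "2024-03-01T02:09:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "powershell.exe Add-MpPreference -ExclusionExtension .js,.exe"},
    {"time": "2024-03-01T02:15:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-03-01T02:16:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "icacls C:\\ /grant Everyone:F /T"},
    {"time": "2024-03-01T03:00:00", "host": "FS02", "user": "CORP\\backupsvc", "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"time": "2024-03-01T09:00:00", "host": "WS03", "user": "CORP\\itadmin", "cmdline": "net view \\\\FS02"},
    {"time": "2024-03-01T13:30:00", "host": "WS03", "user": "CORP\\itadmin", "cmdline": "schtasks /create /tn patch /tr C:\\Tools\\patch.cmd /sc daily"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01 with all six stages inside fifteen minutes; FS02 and WS03 stay quiet because they never reach three stages in one window.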
Mitigation priorities
- Start with resilience controls: protected, tested backups; monitored recovery settings; and clear restore decision procedures for ransomware events.
- Reduce lateral movement paths by reviewing SMB/admin share exposure, privileged account use, and unnecessary file share access across Windows systems.
- Harden and monitor Windows task scheduling, registry modification, scripting, and permission changes, focusing on administrative paths that can enable execution or defense impairment.
- Protect and monitor security tooling so service stops, configuration changes, sensor tampering, and logging gaps generate operational alerts.
- Segment critical Windows systems and high-value shares so discovery and lateral tool transfer do not easily become broad encryption impact.
Analyst notes and limits
This take is based on ATT&CK S1180, its external references, and supplied relationships. The most actionable context comes from the related techniques rather than an official detection section, which is not provided. MITRE states this ransomware used a common key that enabled a universal decryptor and that it was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023; those facts should guide historical scoping and intelligence context, not assumptions about local compromise.
The supplied ATT&CK object lists Windows as the platform but does not provide official detection guidance, aliases, labels, or malware tactics. Some related techniques have broader platform descriptions, but this summary treats S1180 as Windows-scoped per the object platform field. Local telemetry, control implementation, and incident evidence are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1135 | Network Share Discovery | BlackByte Ransomware can identify network shares connected to the victim machine.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | BlackByte Ransomware is ransomware using a shared key across victims for encryption.[1] |
| Enterprise | T1012 | Query Registry | BlackByte Ransomware enumerates the Registry, specifically the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` key.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | BlackByte Ransomware is distributed as a JavaScript launcher file.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | BlackByte Ransomware spreads itself laterally by writing the JavaScript launcher file to mapped shared folders.[1] |
| Enterprise | T1082 | System Information Discovery | BlackByte Ransomware gathers victim system information to generate a unique victim identifier.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | BlackByte Ransomware creates a scheduled task to execute remotely deployed ransomware payloads.[1] |
| Enterprise | T1490 | Inhibit System Recovery | BlackByte Ransomware deletes all volume shadow copies and restore points, among other actions, to inhibit system recovery following ransomware deployment.[1] |
| Enterprise | T1689 | Downgrade Attack | BlackByte Ransomware enables SMBv1 during execution.[1] |
| Enterprise | T1046 | Network Service Discovery | BlackByte Ransomware identifies remote systems via Active Directory queries for hostnames prior to launching remote ransomware payloads.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | BlackByte Ransomware is distributed as an encrypted payload.[1] |
| Enterprise | T1685 | Disable or Modify Tools | BlackByte Ransomware adds the .JS and .EXE extensions to the Microsoft Defender exclusion list. BlackByte Ransomware terminates and removes the Raccine anti-ransomware utility.[1] |
| Enterprise | T1106 | Native API | BlackByte Ransomware uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep.[1] |
| Enterprise | T1222.001 | Windows Permissions Sub-technique | BlackByte Ransomware uses the `mountvol.exe` command to mount volume names and leverages the Microsoft Discretionary Access Control List tool, `icacls.exe`, to grant the “Everyone” group full access to the root of the drive.[1] |
| Enterprise | T1112 | Modify Registry | BlackByte Ransomware modifies the victim Registry to prevent system recovery.[1] |
| Enterprise | T1480 | Execution Guardrails | BlackByte Ransomware creates a mutex with a hard-coded name and terminates if that mutex already exists on the victim system. BlackByte Ransomware checks the system language against a list of hard-coded values; if a match is found, the malware terminates.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB.[1] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | BlackByte Ransomware identifies the language on the victim system.[1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | BlackByte Ransomware looks for security software products prior to full execution.[1] |
| Enterprise | T1497.001 | System Checks Sub-technique | BlackByte Ransomware checks for files related to known sandboxes.[1] |
Groups, software, and campaigns
G1043: BlackByte
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 11b8ace2e09d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trustwave BlackByte 2021: Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
- [2] FBI BlackByte 2022: US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
- [3] Microsoft BlackByte 2023: Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
- [4] Cisco BlackByte 2024: James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
- [5] mitre-attack S1180.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.