S1181: BlackByte 2.0 Ransomware
BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, BlackByte 2.0 Ransomware does not have a common key for victim decryption. BlackByte 2.0 Ransomware remains uniquely associated with BlackByte operations.[1]
Analyst context for executives and security teams
BlackByte 2.0 Ransomware matters because it represents a Windows ransomware payload tied in ATT&CK to BlackByte operations and to behaviors that directly affect recovery: encryption for impact, service stopping, recovery inhibition, firewall modification, registry changes, file cleanup, and discovery of network shares. The key business point is not just malware identification; it is whether the organization can detect and contain the pre-impact behaviors before shared data, critical services, and recovery options are disrupted.
Executive priority
Treat this as a resilience and incident-readiness validation item. Leaders should ask whether Windows endpoint telemetry, service-control monitoring, registry auditing, firewall-change visibility, network-share discovery monitoring, vulnerability remediation, and tested recovery procedures are sufficient to support a ransomware response. Because ATT&CK notes BlackByte 2.0 does not use the prior common victim decryption key, leadership should not assume decryptor availability and should prioritize recoverability, containment authority, and evidence preservation.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the ATT&CK relationships rather than relying on a malware name alone. On Windows, review visibility for process injection, privilege-escalation exploitation indicators, suspicious service execution, service stops, registry modification, Windows host firewall changes, network share enumeration, file deletion, timestamp manipulation, recovery inhibition, and encryption-impact activity. Investigations should correlate these behaviors in sequence, especially where discovery or defense-impairment events precede service disruption or file encryption.
Likely telemetry
- Windows endpoint process creation and parent/child process telemetry
- EDR events for process injection or anomalous cross-process activity
- Windows service creation, service execution, and service stop events
- Registry modification events, especially administrative or persistence-relevant paths
- Windows host firewall configuration and rule-change logs
Detection direction
- Build behavior-based detections mapped to the related techniques, since the ATT&CK object provides no official detection text.
- Correlate privilege escalation, service execution, firewall modification, and recovery inhibition with later encryption or mass file activity to reduce single-event false positives.
- Tune registry, service, and firewall-change alerts against known administrative tooling and maintenance windows; require justification and change records for high-risk changes.
- Validate that file deletion and timestomping visibility is retained long enough for post-incident reconstruction, because these behaviors can reduce forensic evidence.
- Monitor network share discovery in context of account, host role, and volume; legitimate administration can resemble discovery unless correlated with other ransomware-stage behaviors.
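As an added example (not code from the ATT&CK object or from Glexia), the stage-sequence correlation described above, run over constructed normalized events; the event-type names, the 30-minute window and the two-stage threshold are assumptions to be mapped onto your own EDR/SIEM schema:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Normalized pre-impact event types -> ATT&CK technique IDs from the table on this page.
# The event-type names are an assumption; map them from your EDR/SIEM schema.
STAGE_TECHNIQUE = {
    "service_start": "T1569.002",    # Service Execution
    "registry_modify": "T1112",      # Modify Registry
    "firewall_modify": "T1686.003",  # Windows Host Firewall
    "shadow_copy_delete": "T1490",   # Inhibit System Recovery
    "process_inject": "T1055",       # Process Injection
    "service_stop": "T1489",         # Service Stop
    "share_enum": "T1135",           # Network Share Discovery
}
IMPACT_EVENTS = {"mass_file_rename", "mass_file_write"}  # encryption-stage proxy (T1486)

def correlate(events, window_minutes=30, min_stages=2):
    """Per host, alert only when >= min_stages distinct pre-impact techniques occur within
    window_minutes before an impact event; a lone firewall/registry change or a lone
    burst of file writes (e.g. a backup job) never alerts by itself."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["type"] not in IMPACT_EVENTS:
                continue
            seen = {STAGE_TECHNIQUE[p["type"]] for p in evs[:i]
                    if p["type"] in STAGE_TECHNIQUE and ev["ts"] - p["ts"] <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)  # techniques observed before impact
                break
    return alerts

def _ev(host, minute, kind):  # build one constructed event (synthetic timestamp)
    return {"host": host, "ts": datetime(2024, 1, 1, 2, minute), "type": kind}

# Constructed sample telemetry: WS01 shows the chain; ADMIN01 is a lone maintenance
# firewall change; FS02 is a file-heavy job with no preceding stage behaviour.
SAMPLE_EVENTS = [
    _ev("WS01", 0, "service_start"), _ev("WS01", 1, "registry_modify"),
    _ev("WS01", 2, "firewall_modify"), _ev("WS01", 3, "shadow_copy_delete"),
    _ev("WS01", 4, "process_inject"), _ev("WS01", 9, "mass_file_rename"),
    _ev("ADMIN01", 5, "firewall_modify"),
    _ev("FS02", 10, "mass_file_write"),
]
```

Only WS01 alerts on the sample data; narrowing the window or raising `min_stages` shows how the threshold trades detection latency against single-event false positives.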
Mitigation priorities
- Prioritize tested, protected recovery capabilities and ensure recovery controls cannot be easily disabled from standard administrative paths.
- Reduce privilege-escalation opportunity through vulnerability management and timely remediation for Windows systems.
- Harden and monitor administrative capabilities used for service control, registry modification, firewall changes, and remote execution.
- Limit unnecessary access to network shares and review permissions that could increase encryption blast radius.
- Ensure endpoint protection, logging, and response tooling remain operational when services are stopped or firewall rules change.
Analyst notes and limits
The supplied ATT&CK object identifies BlackByte 2.0 Ransomware as a replacement for BlackByte Ransomware and states it is uniquely associated with BlackByte operations. The relationship set provides the most useful defensive direction: Windows-focused validation across privilege escalation, defense impairment, discovery, execution, stealth, and impact behaviors. Glexia’s take is therefore framed around readiness and coverage validation rather than malware-family indicators.
ATT&CK provides no official detection guidance, no aliases, no labels, and no explicit tactic list for this object. The object platform is Windows, while some related techniques have broader platform metadata; local scoping should be based on the organization’s Windows estate and observed telemetry. This summary does not establish active exploitation, customer exposure, or attribution for any specific incident.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.006 | Timestomp (sub-technique) | BlackByte 2.0 Ransomware can timestomp files for defense evasion and anti-forensics purposes. [1] |
| Enterprise | T1112 | Modify Registry | BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | BlackByte 2.0 Ransomware is a ransomware variant associated with BlackByte operations. [1] |
| Enterprise | T1490 | Inhibit System Recovery | BlackByte 2.0 Ransomware modifies volume shadow copies during execution in a way that destroys them on the victim machine. [1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | BlackByte 2.0 Ransomware exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service. [1] |
| Enterprise | T1135 | Network Share Discovery | BlackByte 2.0 Ransomware can identify network shares connected to the victim machine. [1] |
| Enterprise | T1489 | Service Stop | BlackByte 2.0 Ransomware can terminate running services. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | BlackByte 2.0 Ransomware deletes itself following device encryption. [1] |
| Enterprise | T1569.002 | Service Execution (sub-technique) | BlackByte 2.0 Ransomware executes as a service when deployed. [1] |
| Enterprise | T1055 | Process Injection | BlackByte 2.0 Ransomware injects into a newly-created `svchost.exe` process prior to device encryption. [1] |
| Enterprise | T1686.003 | Windows Host Firewall (sub-technique) | BlackByte 2.0 Ransomware modifies the Windows firewall during execution. [1] |
Groups, software, and campaigns
G1043: BlackByte
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK Resources: Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c18339e6d38a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft BlackByte 2023: Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
[2] mitre-attack S1181: MITRE ATT&CK source object for S1181.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.