Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G1043: BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]

EnterpriseG1043GroupObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

BlackByte is an ATT&CK-documented ransomware group, also known as Hecamede, operating since at least 2021 and associated with BlackByte ransomware variants and the Exbyte exfiltration tool. For leaders, the practical issue is not just malware encryption; the related behaviors show a ransomware intrusion pattern involving credential theft, discovery, lateral movement, remote execution, exfiltration, and eventual encryption. MITRE notes targeting of critical infrastructure entities among other North American targets, making this relevant to business continuity and operational resilience planning.

Executive priority

Treat this as a ransomware readiness use case: can the organization detect and contain credential compromise, lateral movement over RDP/SMB/WMI/PsExec, data exfiltration, and ransomware execution before recovery becomes the primary option? Priority decisions should focus on identity hardening, endpoint visibility, remote administration controls, vulnerability management for privilege escalation, segmentation, and tested incident response and recovery evidence. Because ATT&CK provides no official detection text for this group, executives should ask for proof of coverage against the related techniques and tools rather than a simple claim of “BlackByte detection.”

Technical view

The relationship set is heavily centered on Windows tradecraft: Mimikatz, PsExec, AdFind, BlackByte ransomware variants, Exbyte, PowerShell, Windows Command Shell, WMI, Scheduled Task, RDP, SMB/Admin Shares, Registry Query, credential dumping, process injection/process hollowing, discovery, exfiltration over C2, and exploitation for privilege escalation. SOC and IR teams should validate chained detections that connect credential access, Active Directory discovery, remote execution, lateral movement, outbound exfiltration behavior, and mass file modification/encryption activity. Because PsExec, AdFind, PowerShell, WMI, RDP, SMB, and scheduled tasks can be legitimate administration activity, detections should be tuned around abnormal users, hosts, timing, command lines, remote targets, privilege context, and sequence of events.

Likely telemetry

  • Endpoint process creation and command-line telemetry for PowerShell, cmd.exe, WMI, schtasks, PsExec-like execution, AdFind, registry queries, and discovery commands
  • Windows authentication, logon, RDP, SMB/admin share, and remote service activity logs
  • EDR signals for credential dumping, LSASS access, process injection, and process hollowing behavior
  • Active Directory query and enumeration activity associated with tools such as AdFind
  • Network flow, proxy, DNS, and egress logs for command-and-control and possible exfiltration to online file sharing or hosting services

Detection direction

  • Build behavior-chain analytics rather than relying only on malware names: credential dumping followed by discovery, remote execution, lateral movement, exfiltration, and encryption is higher fidelity than any single event.
  • Baseline legitimate administrative use of PsExec, WMI, PowerShell, RDP, SMB, scheduled tasks, and AdFind; alert on rare hosts, unusual operators, abnormal hours, or execution from non-admin workstations.
  • Correlate outbound data movement with prior discovery or file staging, especially where Exbyte-like behavior or transfers to file sharing/hosting services are plausible.
  • Validate visibility on remote execution and lateral movement paths; blind spots commonly occur where endpoint telemetry is missing on servers, RDP gateways, domain controllers, or file servers.
  • Use ATT&CK relationships to test coverage for T1003, T1021.001, T1021.002, T1047, T1053.005, T1059.001, T1059.003, T1041, T1068, T1055, and discovery techniques rather than claiming generic ransomware coverage.

Mitigation priorities

  • Prioritize identity controls: reduce standing privilege, protect credential material, monitor privileged logons, and restrict where administrative accounts can authenticate.
  • Restrict and monitor remote administration paths including RDP, SMB/admin shares, WMI, PsExec-style execution, PowerShell, and scheduled tasks.
  • Maintain vulnerability management focus on privilege escalation paths and newly disclosed vulnerabilities referenced in the source material, using exposure and asset criticality to prioritize remediation.
  • Segment critical servers, file shares, and operationally important systems to limit lateral movement and ransomware blast radius.
  • Prepare ransomware response evidence: tested backups, restore procedures, isolation playbooks, exfiltration triage, and executive decision paths for business continuity.
Analyst notes and limits

This take is based on the ATT&CK group object for BlackByte G1043 and the supplied relationship context. The strongest defensive value comes from mapping the group to related tools and techniques: Mimikatz, PsExec, AdFind, Exbyte, BlackByte ransomware variants, credential dumping, discovery, lateral movement, remote execution, exfiltration, and ransomware behavior. The group object itself does not specify platforms or tactics, but many related software and techniques are Windows-focused.

MITRE provides no official detection guidance for this group object, and the supplied group fields do not specify platforms or tactics. Local conclusions require environment-specific telemetry, asset exposure, identity architecture, remote administration practices, and incident history. This summary does not assert current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

48 rows
Domain ID Name Relationship / procedure
Enterprise T1082 System Information Discovery

BlackByte used various system commands and tools to pull system information during operations.[1][3][4]
Enterprise T1016 System Network Configuration Discovery

BlackByte used tools such as Arp to pull system network information and identify connected devices.[1][4]
Enterprise T1046 Network Service Discovery

BlackByte has used tools such as NetScan to enumerate network services in victim environments.[4]
Enterprise T1105 Ingress Tool Transfer

BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.[4]
Enterprise T1482 Domain Trust Discovery

BlackByte enumerated Active Directory information and trust relationships during operations.[1][4]
Enterprise T1686 Disable or Modify System Firewall

BlackByte modified firewall rules on victim machines to enable remote system discovery.[2][3]
Enterprise T1036.008 Masquerade File Type Sub-technique

BlackByte masqueraded configuration files containing encryption keys as PNG files.[1]
Enterprise T1053.005 Scheduled Task Sub-technique

BlackByte created scheduled tasks for payload execution.[1][2]
Enterprise T1134.003 Make and Impersonate Token Sub-technique

BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.[4]
Enterprise T1070.004 File Deletion Sub-technique

BlackByte deleted ransomware executables post-encryption.[2][3][4][5]
Enterprise T1543.003 Windows Service Sub-technique

BlackByte modified multiple services on victim machines to enable encryption operations.[3] BlackByte has installed tools such as AnyDesk as a service on victim machines.[4]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

BlackByte has used RDP to access other hosts within victim networks.[4][5]
Enterprise T1685 Disable or Modify Tools

BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.[1][2][5]
Enterprise T1614.001 System Language Discovery Sub-technique

BlackByte identified system language settings to determine follow-on execution.[2]
Enterprise T1560 Archive Collected Data

BlackByte compressed data collected from victim environments prior to exfiltration.[2]
Enterprise T1059.003 Windows Command Shell Sub-technique

BlackByte executed ransomware using the Windows command shell.[1]
Enterprise T1136.002 Domain Account Sub-technique

BlackByte created privileged domain accounts during intrusions.[5]
Enterprise T1112 Modify Registry

BlackByte performed Registry modifications to escalate privileges and disable security tools.[2][5]
Enterprise T1055.012 Process Hollowing Sub-technique

BlackByte used process hollowing for defense evasion purposes.[4]
Enterprise T1491.001 Internal Defacement Sub-technique

BlackByte left ransom notes in all directories where encryption takes place.[1]
Enterprise T1071.001 Web Protocols Sub-technique

BlackByte collected victim device information then transmitted this via HTTP POST to command and control infrastructure.[4]
Enterprise T1087.002 Domain Account Sub-technique

BlackByte has used tools such as AdFind to identify and enumerate domain accounts.[4]
Enterprise T1570 Lateral Tool Transfer

BlackByte transfered tools such as Cobalt Strike and the AnyDesk remote access tool during operations using SMB shares.[2]
Enterprise T1583.003 Virtual Private Server Sub-technique

BlackByte staged encryption keys on virtual private servers operated by the adversary.[1]
Enterprise T1190 Exploit Public-Facing Application

BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments.[1][2][3][4]
Enterprise T1608.001 Upload Malware Sub-technique

BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.[4]
Enterprise T1490 Inhibit System Recovery

BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption.[2][3]
Enterprise T1012 Query Registry

BlackByte queried registry values to determine system language settings.[2]
Enterprise T1059.001 PowerShell Sub-technique

BlackByte used encoded PowerShell commands during operations.[1] BlackByte has used remote PowerShell commands in victim networks.[4]
Enterprise T1041 Exfiltration Over C2 Channel

BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.[4]
Enterprise T1003 OS Credential Dumping

BlackByte used tools such as Cobalt Strike and Mimikatz to dump credentials from victim systems.[2][4]
Enterprise T1569.002 Service Execution Sub-technique

BlackByte created malicious services for ransomware execution.[3][5]
Enterprise T1135 Network Share Discovery

BlackByte enumerated network shares on victim devices.[5]
Enterprise T1140 Deobfuscate/Decode Files or Information

BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.[1] BlackByte uses PowerShell commands to disable Windows Defender.[2]
Enterprise T1068 Exploitation for Privilege Escalation

BlackByte has exploited CVE-2024-37085 in VMWare ESXi software for authentication bypass and subsequent privilege escalation.[5]
Enterprise T1505.003 Web Shell Sub-technique

BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.[2][4]
Enterprise T1078 Valid Accounts

BlackByte has gained access to victim environments through legitimate VPN credentials.[5]
Enterprise T1567 Exfiltration Over Web Service

BlackByte has used services such as `anonymfiles.com` and `file.io` to exfiltrate victim data.[2]
Enterprise T1055 Process Injection

BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions.[2] BlackByte has injected ransomware into `svchost.exe` before encryption.[3]
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[2][4][5]
Enterprise T1078.002 Domain Accounts Sub-technique

BlackByte captured credentials for or impersonated domain administration users.[4][5]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

BlackByte has used Registry Run keys for persistence.[4]
Enterprise T1480 Execution Guardrails

BlackByte stopped execution if identified language settings on victim machines was Russian or one of several language associated with former Soviet republics.[2] BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute.[5]
Enterprise T1486 Data Encrypted for Impact

BlackByte has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption, but later versions use unique keys per victim.[1][2][3][4][5]
Enterprise T1518.001 Security Software Discovery Sub-technique

BlackByte enumerated installed security products during operations.[4]
Enterprise T1219 Remote Access Tools

BlackByte has used tools such as AnyDesk in victim environments.[2][4]
Enterprise T1047 Windows Management Instrumentation

BlackByte used WMI to delete Volume Shadow Copies on victim machines.[1]
Enterprise T1018 Remote System Discovery

BlackByte used tools such as Arp to identify remotely-connected devices.[1][2]
Associated objects

Groups, software, and campaigns

Malware Enterprise

S1179: Exbyte

Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. Observed since 2022, Exbyte transfers collected files to online file sharing and hosting services.[1]

Windows
Tool Enterprise

S0099: Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [1]

LinuxWindowsmacOS
Tool Enterprise

S0029: PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Windows
Malware Enterprise

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

LinuxmacOSWindows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Relationship explorer

All related ATT&CK context

uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1046: Network Service Discovery Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1482: Domain Trust Discovery Enterprise uses · Technique T1686: Disable or Modify System Firewall Enterprise uses · Technique T1036.008: Masquerade File Type Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1134.003: Make and Impersonate Token Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1021.001: Remote Desktop Protocol Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1614.001: System Language Discovery Enterprise uses · Technique T1560: Archive Collected Data Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1136.002: Domain Account Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1055.012: Process Hollowing Enterprise uses · Tool S0552: AdFind Enterprise uses · Technique T1491.001: Internal Defacement Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1087.002: Domain Account Enterprise uses · Malware S1180: BlackByte Ransomware Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5c1d7978260475db...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5c1d79782604…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    FBI BlackByte 2022

    US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.

    Open source URL
  2. [2]
    Picus BlackByte 2022

    Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.

    Open source URL
  3. [3]
    Symantec BlackByte 2022

    Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.

    Open source URL
  4. [4]
    Microsoft BlackByte 2023

    Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.

    Open source URL
  5. [5]
    Cisco BlackByte 2024

    James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.

    Open source URL
  6. [6]
    Hecamede

    (Citation: Symantec BlackByte 2022)

  7. [7]
    mitre-attack G1043
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use