TTPs used by BlackByte Ransomware Targeting Critical Infrastructure


On February 15th, 2022, the FBI and US Secret Service issued a joint advisory on BlackByte ransomware and its indicators of compromise (IOCs). According to the alert, BlackByte ransomware attacks on US critical infrastructure are on the rise. In this blog post, we explain the TTPs used by the BlackByte ransomware group in detail.


BlackByte Ransomware Group

The BlackByte group is a Ransomware-as-a-Service (RaaS) operator and started its ransomware operation in July 2021. Since then, they have targeted US-based organizations in critical infrastructure sectors such as government, finance, and food & agriculture. Also, they compromised the network of the famous American football team, San Francisco 49ers, and released some of the confidential data belonging to the team as proof of the attack. 

Figure 1: Ransom note of BlackByte for the SF 49ers [1]

The joint cybersecurity advisory from the FBI and US Secret Service warns organizations to watch for the IOCs of BlackByte ransomware attacks and to take the necessary precautions, as the number of attacks is expected to increase.

What is BlackByte Ransomware?

BlackByte ransomware is the collective name of the ransomware variants from the BlackByte RaaS group. The ransomware was first reported back in July 2021. It exploits ProxyShell vulnerabilities found in Microsoft Exchange Server for initial access. The patch for these vulnerabilities is available. However, unpatched systems are falling victim to these ransomware attacks. Check out our blog post and learn how to prevent the exploitation of ProxyShell vulnerabilities.

The ransomware does not encrypt infected systems if the language setting is Russian or one of the languages of the former Soviet republics. This behavior is shared by several other ransomware groups, as explained in our previous ransomware blog post on LockBit 2.0.

BlackByte ransomware variants only use symmetric encryption. In their earlier variants, the BlackByte threat group distributed the encryption key to every victim from their command and control (C2) server in a .png file. Since the same encryption key was used for every victim, Trustwave was able to devise a global decryptor [2]. After the release of the global decryptor, the ransomware group stopped delivering the encryption key from the C2 server and changed the key. Although the decryptor might not work in every case, it is worth a try, as it does not harm already encrypted files.

After encrypting the victim's files, BlackByte ransomware appends the .blackbyte extension. The ransomware leaves the same ransom note in every encrypted directory, and the note includes a .onion link that instructs the victim how to pay the ransom and receive the decryption key. The ransom note also claims that data has been exfiltrated from the victim, to pressure the victim into paying the ransom.

How Picus Helps Simulate BlackByte Ransomware?

Using the Picus Continuous Security Validation Platform, you can test your security controls against the BlackByte ransomware. We advise you to simulate BlackByte ransomware attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate BlackByte ransomware.

Threat Name

  • BlackByte Ransomware .EXE File Download (1-variant)
  • BlackByte Ransomware Scenario


MITRE ATT&CK Techniques Used by the BlackByte Ransomware

Reconnaissance

  • T1595.002 Active Scanning: Vulnerability Scanning

The BlackByte ransomware group exploits several vulnerabilities in Microsoft Exchange Server. The threat actors scan their targets' networks and check whether the Exchange servers are vulnerable to CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Initial Access

  • T1190 Exploit Public Facing Application

BlackByte ransomware threat actors exploit ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) found in Microsoft Exchange Server to gain initial access to the target network. Using ProxyShell vulnerabilities, the BlackByte RaaS group drops a webshell with the .aspx extension.

CVE Number       CVSS Score       Vulnerability

CVE-2021-34473   9.8 (Critical)   Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-34523   9.8 (Critical)   Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-31207   7.2 (High)       Microsoft Exchange Server Security Feature Bypass Vulnerability

Directories where the webshell might be located

  • Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
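A practical way to use the directory list above is to hunt for recently modified ASP.NET files in exactly those locations. The following script is an added example, not code from Picus or from the advisory: the directory paths are the ones listed on this page, while the root parameter, the extension set (.aspx is from the page; .ashx and .asmx are an assumption), the 30-day window and the constructed demo tree are ours.

```python
# Added example (not from the Picus post or the advisory): hunt the Exchange
# directories listed above for recently modified ASP.NET files.
import os
import tempfile
import time
from pathlib import Path

# Directories named in the post, relative to the system drive root.
WEBSHELL_DIRS = [
    r"Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium",
]

# .aspx is the extension named in the post; .ashx and .asmx are added here as an
# assumption because they are also server-executed ASP.NET handlers.
SUSPECT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def _resolve(root, rel_windows_path):
    # Split on backslashes so the same list also works on a POSIX test host.
    return Path(root).joinpath(*rel_windows_path.split("\\"))


def find_recent_webshell_candidates(root, max_age_days=30, now=None):
    """Return (windows_style_relative_path, age_in_days) for every ASP.NET file
    directly inside one of the watched directories that was modified within
    max_age_days. Directories are not walked recursively, mirroring the list."""
    now = time.time() if now is None else now
    hits = []
    for rel in WEBSHELL_DIRS:
        directory = _resolve(root, rel)
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.suffix.lower() in SUSPECT_EXTENSIONS:
                age_days = (now - entry.stat().st_mtime) / 86400
                if age_days <= max_age_days:
                    hits.append((rel + "\\" + entry.name, round(age_days, 1)))
    return hits


def build_demo_tree():
    """Constructed sample tree: one fresh .aspx in owa\\auth (should be flagged) and
    one 400-day-old .aspx in owa\\auth\\Current\\themes (outside the default window)."""
    root = tempfile.mkdtemp(prefix="exchange_hunt_demo_")
    auth = _resolve(root, WEBSHELL_DIRS[1])
    auth.mkdir(parents=True, exist_ok=True)
    (auth / "constructed_example.aspx").write_text('<%@ Page Language="C#" %>')
    themes = _resolve(root, WEBSHELL_DIRS[3])
    themes.mkdir(parents=True, exist_ok=True)
    old = themes / "old_theme_page.aspx"
    old.write_text("<!-- long-standing file -->")
    stamp = time.time() - 400 * 86400
    os.utime(old, (stamp, stamp))  # backdate the modification time
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, age in find_recent_webshell_candidates(demo_root):
        print(f"recent ASP.NET file: {path} ({age} days old)")
```

On a real Exchange server you would pass the system drive (for example `C:\`) as `root`; the script checks only the listed directories and flags files by modification time, so anything it reports still needs to be reviewed by content, and a webshell with a backdated timestamp would not be caught by this check alone.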

Execution

  • T1053.005 Scheduled Task/Job: Scheduled Task

BlackByte ransomware utilizes Scheduled Tasks to launch its executable and print ransom notes using the printers in the victim’s network. 

Scheduled Tasks used by BlackByte

complex.exe -single <SHA256_hash>

The ransomware executable is named "complex.exe". The purpose of the hash value is unknown; it might be an identifier of the victim.

cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll

This command starts WordPad 75 times, each instance opening and printing C:\Users\tree.dll, which contains the ransom note.

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The BlackByte threat group uses PowerShell and Windows Command Shell to execute its malicious commands.

Persistence

  • T1505.003 Server Software Component: Web Shell

BlackByte ransomware abuses MSExchangeMailboxReplication.exe to place a webshell to establish a solid foothold in the victim’s network. 

Privilege Escalation

  • T1112 Modify Registry

BlackByte ransomware modifies registry values to elevate privileges.

Commands used to modify the registry


reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Elevate local privileges (disables UAC remote restrictions so local accounts get a full administrator token over network logons)

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

Enable OS to share network connections between different privilege levels

reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths

Defense Evasion

  • T1027.002 Obfuscated Files or Information: Software Packing

The BlackByte threat group uses obfuscation to make malware analysis difficult.

  • T1055 Process Injection

BlackByte ransomware injects a Cobalt Strike beacon into wuauclt.exe.

  • T1070.004 Indicator Removal on Host: File Deletion

BlackByte ransomware group deletes its executable after encryption to limit chances of analysis.

  • T1562.001 Impair Defenses: Disable or Modify Tools

BlackByte ransomware stops Windows Defender by using an obfuscated PowerShell command. It also deletes the scheduled task of Raccine, an open-source tool used to prevent ransomware attacks.

Commands used for defense evasion


powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARA B'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"

Stop the Windows Defender service and disable it at startup (the base64 string decodes to the service name WinDefend)

schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F

Delete scheduled task for Raccine Rules Updater.


  • T1562.004 Impair Defenses: Disable or Modify System Firewall

BlackByte threat actors change firewall rules to discover other assets in the victim’s network.

Commands used to modify firewall rules


netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes

Enable network discovery

netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes

Enable file and printer sharing

Credential Access

  • T1003 OS Credential Dumping

BlackByte group uses Cobalt Strike to dump credentials and access service accounts in the victim network.

Discovery

  • T1012 Query Registry

BlackByte ransomware checks the language settings by querying the related registries.

  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery

BlackByte uses the following commands to discover other assets in the victim’s network.

Commands used for discovery


net.exe view

Display a list of domains, computers, or resources that are being shared

arp.exe -a

Display the current ARP cache tables for all interfaces

Lateral Movement

  • T1021.002 Remote Services: SMB/Windows Admin Shares

BlackByte ransomware creates SMB shares to distribute AnyDesk, a remote desktop application, to other assets in the victim’s network using Cobalt Strike.

Collection

  • T1560.001 Archive Collected Data: Archive via Utility

BlackByte compresses the victim's files before exfiltration.

Command and Control (C2)

  • T1105 Ingress Tool Transfer

The BlackByte group transfers a Cobalt Strike beacon to the victim using the webshell they placed. After the beacon is placed, they transfer the AnyDesk application.

Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

BlackByte ransomware sends victim’s compressed files to anonymous file-sharing services such as and

Impact

  • T1486 Data Encrypted for Impact

BlackByte uses symmetric key encryption to encrypt the victim's files. Check out our blog post to learn more about this MITRE ATT&CK technique.

  • T1490 Inhibit System Recovery

BlackByte ransomware resizes and deletes volume shadow copies to prevent file recovery using built-in recovery services.

Commands used to inhibit system recovery


vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB 

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

Resize volume shadow copy sizes

powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x

Delete volume shadow copies

Decoded command:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
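Most of the command lines quoted in this post (the registry changes, the Raccine task deletion, the firewall rule changes, the vssadmin calls and the two obfuscated PowerShell commands) show up verbatim in process-creation telemetry, so they are easy to match once the base64 layer is peeled off. The script below is an added example written for this post, not code from Picus or from the advisory: it reassembles the `'a'+'b'+'c'` string-concatenation obfuscation inside `FromBase64String(...)`, decodes it as UTF-16LE (what `[System.Text.Encoding]::Unicode.GetString` does) and runs a small rule set over the command line plus the decoded payload. The sample events are constructed from the commands on this page rather than taken from real telemetry, and the rule patterns and technique labels are our own choices.

```python
# Added example (not from the Picus post): decode the obfuscated PowerShell
# quoted above and match the quoted command lines against simple detection rules.
import base64
import re

# Constructed sample process command lines, modelled on the commands in the post.
SAMPLE_EVENTS = [
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f",
    r'schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F',
    r'netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=Yes',
    "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    '''powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARA B'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"''',
    '''powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlA HQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAb wB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A CAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x''',
    r"notepad.exe C:\Users\analyst\notes.txt",  # benign control event
]


def decode_embedded_base64(cmd):
    """Rebuild the 'a'+'b'+'c' concatenation inside a FromBase64String(...) call,
    base64-decode it and read it as UTF-16LE (Unicode.GetString). Whitespace is
    dropped first because .NET's FromBase64String ignores it. Returns None when
    the command carries no such payload or the payload does not decode."""
    m = re.search(r"FromBase64String\(([^)]*)\)", cmd)
    if not m:
        return None
    pieces = re.findall(r"'([^']*)'", m.group(1))
    blob = re.sub(r"\s+", "", "".join(pieces))
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):
        return None


# (technique id, description, regex applied case-insensitively to the command line
# followed by a newline and the decoded payload, if any). Patterns are ours.
RULES = [
    ("T1112", "LocalAccountTokenFilterPolicy or EnableLinkedConnections set to 1",
     r"reg(\.exe)?\s+add\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System.*?/v\s+(LocalAccountTokenFilterPolicy|EnableLinkedConnections)\s.*?/d\s+1\b"),
    ("T1112", "LongPathsEnabled set to 1",
     r"reg(\.exe)?\s+add\s+HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem.*?/v\s+LongPathsEnabled\s.*?/d\s+1\b"),
    ("T1562.001", "Windows Defender service (WinDefend) stopped or disabled",
     r"stop-service.*?windefend|set-service.*?windefend"),
    ("T1562.001", "Raccine scheduled task deleted",
     r"schtasks(\.exe)?\s+/delete\s.*?raccine"),
    ("T1562.004", "firewall rule group enabled",
     r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s+.*?group=.*?(Network Discovery|File and Printer Sharing).*?enable=yes"),
    ("T1490", "shadow storage resized",
     r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("T1490", "shadow copies deleted via WMI",
     r"win32_shadowcopy.*?\.delete\("),
]


def analyze(cmd):
    """Decode any embedded payload and return the rules the event matches."""
    decoded = decode_embedded_base64(cmd)
    text = cmd + "\n" + (decoded or "")
    hits = []
    if decoded is not None and re.search(r"powershell", cmd, re.I):
        hits.append(("T1059.001", "PowerShell with base64 string-concatenation obfuscation"))
    for technique, description, pattern in RULES:
        if re.search(pattern, text, re.I | re.S):
            hits.append((technique, description))
    return {"command": cmd, "decoded": decoded, "hits": hits}


def scan(events):
    """Return the analysis results for events that matched at least one rule."""
    return [result for result in (analyze(e) for e in events) if result["hits"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result["command"][:70], "->", sorted({t for t, _ in result["hits"]}))
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

Feeding it the two PowerShell commands from this post yields `WinDefend` for the first and `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` for the second, so a rule written against the decoded text catches the shadow-copy deletion even though the raw command line never mentions Win32_Shadowcopy. In production the same matching would be applied to Sysmon Event ID 1 or Windows Security Event ID 4688 command lines rather than to the constructed list.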

Indicators of Compromise (IOCs)

Command and Control Server IPs:

MD5 Hashes


[1] D. Goodin, “Hacking group is on a tear, hitting US critical infrastructure and SF 49ers,” Ars Technica, Feb. 14, 2022. [Online]. Available:

[2] SpiderLabs, “GitHub - SpiderLabs/BlackByteDecryptor,” GitHub. [Online]. Available:

