{"description": "Enterprise techniques used by BlackByte Ransomware, ATT&CK software S1180 (v1.0)", "name": "BlackByte Ransomware (S1180)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.007", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) is distributed as a JavaScript launcher file.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1486", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) is ransomware that uses a single shared key across victims for encryption.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1140", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) is distributed as an obfuscated JavaScript launcher file.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1480", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) creates a mutex with a hard-coded name and terminates if that mutex already exists on the victim system.\n\n[BlackByte Ransomware](https://attack.mitre.org/software/S1180) checks the system language against a list of hard-coded values; if a match is found, the malware terminates.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1222", "showSubtechniques": true},
{"techniqueID": "T1222.001", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) uses the `mountvol.exe` command to mount volumes by name and leverages the Microsoft Discretionary Access Control List tool, `icacls.exe`, to grant the \u201cEveryone\u201d group full access to the root of the drive.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1562", "showSubtechniques": true},
{"techniqueID": "T1562.001", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) adds the .JS and .EXE extensions to the Microsoft Defender exclusion list. [BlackByte Ransomware](https://attack.mitre.org/software/S1180) terminates and removes the Raccine anti-ransomware utility.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1562.010", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) enables SMBv1 during execution.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1490", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) deletes all volume shadow copies and restore points, among other actions, to inhibit system recovery following ransomware deployment.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1570", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) spreads laterally by writing the JavaScript launcher file to mapped shared folders.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1112", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) modifies the victim Registry to prevent system recovery.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1106", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1046", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) identifies remote systems via Active Directory queries for hostnames prior to launching remote ransomware payloads.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1135", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) can identify network shares connected to the victim machine.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.013", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) is distributed as an encrypted payload.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1012", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) enumerates the Registry, specifically the `HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options` key.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1021", "showSubtechniques": true},
{"techniqueID": "T1021.002", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) uses mapped shared folders to transfer ransomware payloads via SMB.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) creates a scheduled task to execute remotely deployed ransomware payloads.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1518", "showSubtechniques": true},
{"techniqueID": "T1518.001", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) looks for security software products prior to full execution.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) gathers victim system information to generate a unique victim identifier.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1614", "showSubtechniques": true},
{"techniqueID": "T1614.001", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) identifies the language of the victim system.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1497", "showSubtechniques": true},
{"techniqueID": "T1497.001", "comment": "[BlackByte Ransomware](https://attack.mitre.org/software/S1180) checks for files related to known sandboxes.(Citation: Trustwave BlackByte 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BlackByte Ransomware", "color": "#66b1ff"}]}
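The layer above maps BlackByte behaviours to technique IDs but says nothing about how those behaviours surface in telemetry. The script below is an added example, not MITRE or Trustwave code: it loads a constructed subset of this Navigator layer, runs a small set of process-creation rules over constructed Sysmon-style event lines, tags each hit with the technique ID and the layer comment it corresponds to, and reports which layer techniques the rule set cannot see at all. The command-line patterns (Set-MpPreference exclusions, vssadmin shadow deletion, icacls grants to Everyone, SMB1Protocol enablement, schtasks /create, wscript launching a .js file, taskkill against Raccine) are assumptions about how the behaviours the layer describes would look in Windows process-creation logs; they are not strings quoted from the BlackByte sample, and the `ts host user cmdline` event format is invented for the example.

```python
"""Tie process-creation telemetry back to the BlackByte (S1180) Navigator layer.

Added example, not MITRE or Trustwave code. The regexes below are ASSUMED
command-line shapes for the behaviours the layer describes, not observed
BlackByte strings; tune them against your own telemetry before relying on them.
"""
import json
import re

# Constructed subset of the layer on this page (technique IDs kept verbatim,
# comments shortened). T1480 is included to show a technique the rules miss.
LAYER_JSON = r'''{"techniques": [
 {"techniqueID": "T1562.001", "comment": "adds .JS and .EXE to the Defender exclusion list; terminates and removes Raccine"},
 {"techniqueID": "T1562.010", "comment": "enables SMBv1 during execution"},
 {"techniqueID": "T1222.001", "comment": "mountvol.exe to mount volumes and icacls.exe to grant Everyone full access to the drive root"},
 {"techniqueID": "T1490", "comment": "deletes all volume shadow copies and restore points"},
 {"techniqueID": "T1053.005", "comment": "creates a scheduled task to execute remotely deployed payloads"},
 {"techniqueID": "T1059.007", "comment": "distributed as a JavaScript launcher file"},
 {"techniqueID": "T1480", "comment": "creates a hard-coded mutex and exits if it already exists"}
]}'''

# Assumed process-creation patterns per technique (case-insensitive). A mutex
# check (T1480) never shows up on a command line, so it has no rule here.
RULES = {
    "T1562.001": [
        r"(set|add)-mppreference\b.*-exclusionextension\b.*\.(js|exe)\b",
        r"taskkill\b.*\braccine",
    ],
    "T1562.010": [
        r"enable-windowsoptionalfeature\b.*smb1protocol",
        r"dism(\.exe)?\b.*/enable-feature\b.*smb1protocol",
        r"reg(\.exe)?\s+add\b.*lanmanserver\\parameters.*\bsmb1\b",
    ],
    "T1222.001": [
        r"icacls(\.exe)?\b.*/grant\b.*everyone:\S*f\b",
        r"mountvol(\.exe)?\s+[a-z]:\\?\s+\\\\\?\\volume\{",
    ],
    "T1490": [
        r"vssadmin(\.exe)?\b.*delete\s+shadows",
        r"wmic(\.exe)?\b.*shadowcopy\s+delete",
        r"wbadmin(\.exe)?\b.*delete\s+catalog",
    ],
    "T1053.005": [r"schtasks(\.exe)?\b.*/create\b"],
    "T1059.007": [r"(wscript|cscript)(\.exe)?\b.*\.js\b"],
}
COMPILED = {tid: [re.compile(p, re.IGNORECASE) for p in pats] for tid, pats in RULES.items()}

# Constructed events in an invented "ts host user cmdline" layout; the last
# line is a benign backup-admin command that must not fire T1490.
SAMPLE_EVENTS = [
    "2021-10-12T03:14:07Z WS17 CORP\\jdoe powershell.exe -Command Set-MpPreference -ExclusionExtension .js,.exe",
    "2021-10-12T03:14:08Z WS17 CORP\\jdoe cmd.exe /c taskkill /F /IM Raccine.exe",
    "2021-10-12T03:14:09Z WS17 CORP\\jdoe cmd.exe /c vssadmin delete shadows /all /quiet",
    "2021-10-12T03:14:10Z WS17 CORP\\jdoe icacls C:\\ /grant Everyone:F /T /C /Q",
    "2021-10-12T03:14:11Z WS17 CORP\\jdoe powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol",
    "2021-10-12T03:14:12Z WS17 CORP\\jdoe schtasks /create /tn Updater /tr C:\\ProgramData\\launcher.js /sc once",
    "2021-10-12T03:14:15Z WS17 CORP\\jdoe wscript.exe C:\\ProgramData\\launcher.js",
    "2021-10-12T03:20:00Z WS17 CORP\\svc_backup wbadmin get versions",
]


def load_layer(text):
    """Return {techniqueID: comment} for every scored (commented) entry in a layer."""
    layer = json.loads(text)
    return {t["techniqueID"]: t["comment"] for t in layer["techniques"] if "comment" in t}


def match_techniques(cmdline):
    """Sorted technique IDs whose assumed patterns match one process command line."""
    return sorted(tid for tid, pats in COMPILED.items() if any(p.search(cmdline) for p in pats))


def parse_event(line):
    """Split the invented 'ts host user cmdline' layout; cmdline keeps its spaces."""
    ts, host, user, cmdline = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def triage(lines, layer_text=LAYER_JSON):
    """One hit per (event, technique), annotated with the layer's comment."""
    layer = load_layer(layer_text)
    hits = []
    for line in lines:
        ev = parse_event(line)
        for tid in match_techniques(ev["cmdline"]):
            hits.append({**ev, "technique": tid, "layer_comment": layer.get(tid, "(not in layer)")})
    return hits


def uncovered(layer):
    """Layer techniques with no process-creation rule: the detection gap to fill elsewhere."""
    return sorted(tid for tid in layer if tid not in RULES)


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']} {h['technique']}: {h['cmdline']}  [{h['layer_comment']}]")
    print("no process-creation rule for:", uncovered(load_layer(LAYER_JSON)))
```

The gap report is the useful part: a mutex check (T1480), the language check (T1614.001) or the Registry enumeration (T1012) leave no command line behind, so coverage for those has to come from sandbox detonation, memory or Sysmon Registry events rather than from process-creation rules.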