{"description": "Enterprise techniques used by BlackByte 2.0 Ransomware, ATT&CK software S1181 (v1.0)", "name": "BlackByte 2.0 Ransomware (S1181)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1486", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) is a ransomware variant associated with [BlackByte](https://attack.mitre.org/groups/G1043) operations.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) modifies the Windows firewall during execution.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) deletes itself following device encryption.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) can timestomp files for defense evasion and anti-forensics purposes.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) modifies volume shadow copies during execution in a way that destroys them on the victim machine.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) modifies the victim Registry to allow for elevated execution.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) can identify network shares connected to the victim machine.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) injects into a newly-created `svchost.exe` process prior to device encryption.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) can terminate running services.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) executes as a service when deployed.(Citation: Microsoft BlackByte 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BlackByte 2.0 Ransomware", "color": "#66b1ff"}]}