About this actor
[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) use more robust encryption mechanisms. [BlackByte](https://attack.mitre.org/groups/G1043) is notable for operations targeting critical infrastructure entities among other targets across North America.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2019 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2019-16098 | 8.0 | 7.8 | 0.7776 | 2019-09-11 | see CVE |
| CVE-2026-4368 | 5.5 | 7.7 | 0.0362 | 2026-03-23 | see CVE |
| CVE-2049-16098 | 0.0 | 0.0 | 0.0000 | | see CVE |
Techniques: T1003, T1012, T1016, T1018, T1021, T1021.001, T1021.002, T1036, T1036.008, T1041, T1046, T1047, T1053, T1053.005, T1055, T1055.012, T1059, T1059.001, T1059.003, T1068, T1070, T1070.004, T1071, T1071.001, T1078, T1078.002, T1082, T1087, T1087.002, T1105, T1112, T1134, T1134.003, T1135, T1136, T1136.002, T1140, T1190, T1219, T1480, T1482, T1486, T1490, T1491, T1491.001, T1505, T1505.003, T1518, T1518.001, T1543, T1543.003, T1547, T1547.001, T1560, T1567, T1569, T1569.002, T1570, T1583, T1583.003, T1608, T1608.001, T1614, T1614.001, T1685, T1686
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 44 / 66 | 67% |
| CM-6 | 39 / 66 | 59% |
| AC-6 | 37 / 66 | 56% |
| AC-3 | 36 / 66 | 55% |
| AC-2 | 33 / 66 | 50% |
| CM-2 | 33 / 66 | 50% |
| CM-7 | 32 / 66 | 48% |
| SI-3 | 30 / 66 | 45% |
| AC-5 | 26 / 66 | 39% |
| CM-5 | 24 / 66 | 36% |
| IA-2 | 24 / 66 | 36% |
| SI-7 | 23 / 66 | 35% |
| CA-7 | 21 / 66 | 32% |
| SC-7 | 20 / 66 | 30% |
| AC-4 | 16 / 66 | 24% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- Medusa Group 0.37
- Wizard Spider 0.36
- Operation Wocao 0.33
- Threat Group-3390 0.32
- APT32 0.31
Active in same years
- Tonto Team 2.00
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00