BlackSuit ransomware, a relatively new threat, has rapidly gained notoriety for its aggressive targeting of critical infrastructure sectors. This ransomware, first identified in May 2023, is not entirely new; it is a rebrand of the Royal ransomware operation, known for its significant financial demands and double-extortion tactics. BlackSuit retains many of Royal's characteristics, including its code base and operational methods, but has shown increased activity since its rebranding. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued an updated advisory, as recently as July 2024, disseminating known BlackSuit ransomware Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) to help organizations defend against this evolving threat. The advisory and this article highlight the crucial link between BlackSuit and Royal, emphasizing the continuity of the threat under a new name. Staying informed about the latest cyber threats is very important https://thesecmaster.com/5-challenges-of-cyber-security-in-todays-business.
BlackSuit's lineage traces directly back to Royal ransomware, which operated from approximately September 2022 through June 2023. Royal itself showed code similarities to earlier ransomware families, including Conti, suggesting a complex web of relationships and shared expertise within the ransomware ecosystem. While not a Ransomware-as-a-Service (RaaS) operation, Royal was known for its large ransom demands and its use of double extortion – exfiltrating sensitive data before encrypting it and threatening to publish the stolen data if the ransom was not paid. Analyzing the threat landscape requires tools such as Wireshark https://thesecmaster.com/discovering-wireshark-7-features-to-analyze-a-pcap-file-using-wireshark.
The rebrand to BlackSuit in May 2023 marked a noticeable shift. Activity levels increased, with at least 93 victims observed globally by March 2024. This suggests a deliberate strategy, potentially to evade law enforcement scrutiny, distance themselves from previous attacks, or simply refresh their public image. The shift to BlackSuit did not represent a complete overhaul; many of Royal's TTPs and IOCs remain relevant, but the increased activity under the new name makes it a pressing concern. Unit 42 of Palo Alto Networks tracks the group behind BlackSuit as Ignoble Scorpius.
BlackSuit's operational methodology closely mirrors that of its predecessor, Royal. The group employs a multi-stage attack, characterized by the following key stages:
Initial Access: BlackSuit uses several methods to gain initial access to victim networks:
* Phishing (Most Common): Malicious PDF documents and malvertising links embedded in emails are the primary initial access vector. This involves crafting convincing emails that trick recipients into opening attachments or clicking links.
* Remote Desktop Protocol (RDP) Compromise (Second Most Common - ~13.3%): Exploiting weak or stolen RDP credentials to gain direct access to systems.
* Exploiting Public-Facing Applications: Targeting vulnerabilities in internet-facing applications to gain a foothold in the network.
* Initial Access Brokers: Leveraging brokers who specialize in selling access to compromised networks, potentially by harvesting VPN credentials from stealer logs.
Command and Control (C2): Once inside the network, BlackSuit actors download multiple tools to establish and maintain control. They often repurpose legitimate Windows software and leverage tools like Chisel, Secure Shell (SSH) clients (PuTTY, OpenSSH), and MobaXterm to communicate with their C2 infrastructure. Understanding the Windows Registry https://thesecmaster.com/unlocking-the-secrets-of-the-windows-registry-a-beginners-guide is key to detecting malicious changes.
Lateral Movement & Persistence:
* Lateral Movement: BlackSuit uses RDP, PsExec, and SMB to move laterally within the compromised network. Legitimate administrator accounts have been observed being used to access domain controllers via SMB.
* Persistence: The group uses legitimate Remote Monitoring and Management (RMM) software to maintain access. They also utilize SystemBC and Gootloader malware. They have been observed deactivating antivirus software by modifying Group Policy Objects on the domain controller. Protecting against lateral movement is crucial and Zero Trust Security https://thesecmaster.com/what-is-zero-trust-security-and-what-are-the-benefits-of-zero-trust-architecture can help.
Discovery & Credential Access:
* Network Enumeration: BlackSuit uses tools like SharpShares and SoftPerfect NetWorx to discover network resources.
* Credential Harvesting: They employ Mimikatz and Nirsoft password harvesting tools to steal credentials.
* Process Termination: Tools like PowerTool and GMER are used to kill system processes that might interfere with their operations.
Exfiltration: A critical stage of the double-extortion tactic, BlackSuit exfiltrates sensitive data before encryption.
* Tooling: They repurpose legitimate penetration testing tools like Cobalt Strike, and malware derivatives like Ursnif/Gozi, for data aggregation and exfiltration. RClone and Brute Ratel are also used.
* Exfiltration Paths: The first hop in the exfiltration process is often a U.S.-based IP address.
Encryption: The final stage involves encrypting files on compromised systems.
* Partial Encryption: A key characteristic of BlackSuit (and Royal) is the use of partial encryption. They encrypt a specific percentage of data within a file, making the encryption process faster and potentially helping to evade detection by some security solutions.
* Windows Restart Manager: BlackSuit uses the Windows Restart Manager to determine if files are currently in use, avoiding encrypting files that could cause system instability.
* Shadow Copy Deletion: They delete shadow copies using vssadmin.exe to prevent data recovery.
* Batch Script Deployment: Batch files (often encrypted within 7zip archives) are used to automate tasks like creating administrator users, forcing group policy updates, setting registry keys for auto-extraction, executing the ransomware, monitoring the encryption process, and deleting event logs.
* File Locations: Malicious files are often found in common locations like C:\Temp\, C:\Users\<user>\AppData\Roaming\, C:\Users\<users>\, C:\ProgramData\, and the root C:\ directory.
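As an added example (not code from the article or the CISA advisory), the following Python checks Windows process-creation events for several of the behaviours described above: vssadmin shadow-copy deletion, PsExec use, Mimikatz, and executables launched from the listed staging directories. Field names follow the Sysmon Event ID 1 layout, and the sample events, hostnames and paths are constructed.

```python
"""Added example, not code from the advisory or the article: flag the BlackSuit
tradecraft described above in Windows process-creation events (Sysmon Event ID 1
style 'Image' / 'CommandLine' fields)."""
import re
from typing import Dict, List

# Executables launched from the staging locations the text lists (case-insensitive).
STAGING_PATHS = [re.compile(p, re.I) for p in (
    r"^c:\\temp\\",                             # C:\Temp\
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\",  # C:\Users\<user>\AppData\Roaming\
    r"^c:\\users\\[^\\]+\\[^\\]+$",             # directly under C:\Users\<user>\
    r"^c:\\programdata\\",                      # C:\ProgramData\
    r"^c:\\[^\\]+$",                            # directly under the root C:\
)]
EXEC_EXT = (".exe", ".bat", ".cmd")

# Command-line / image patterns for techniques named in the text.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("psexec_lateral_movement", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("mimikatz_credential_dump", re.compile(r"mimikatz|sekurlsa::", re.I)),
]

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names matched by one process-creation event."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    hits = [name for name, rx in RULES if rx.search(cmd) or rx.search(image)]
    if image.lower().endswith(EXEC_EXT) and any(rx.match(image) for rx in STAGING_PATHS):
        hits.append("execution_from_staging_dir")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    # Map event id -> indicators, keeping only events that matched something.
    return {e["id"]: h for e in events if (h := classify_event(e))}

# Constructed sample events; hostnames, user names and paths are made up.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": "e2", "Image": r"C:\Temp\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\dc01 -s cmd.exe"},
    {"id": "e3", "Image": r"C:\Users\bob\mk.exe",
     "CommandLine": 'mk.exe "sekurlsa::logonpasswords"'},
    {"id": "e4", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\notes.txt"},
]

if __name__ == "__main__":
    for event_id, indicators in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(indicators))
```

The last event is a benign control: a file under C:\Temp\ opened by a system binary does not trigger the staging-directory rule, because the check is on the launched image, not on its arguments.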
MITRE ATT&CK Techniques (Selected Examples):

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Initial Access | T1021.001 | Remote Services: Remote Desktop Protocol |
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1190 | Exploit Public Facing Application |
| Initial Access | T1650 | Acquire Access |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Defense Evasion | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Command and Control | T1572 | Protocol Tunneling |
BlackSuit's targeting strategy, inherited from Royal, is not limited to a single industry. However, they have shown a particular focus on critical infrastructure sectors, posing a significant threat to essential services. Understanding your system's vulnerabilities is important https://thesecmaster.com/vulnerability-assessments-strategy-identifying-and-prioritizing-system-risks.
Political Motivations: Primarily financial gain. BlackSuit operates a double-extortion model, demanding ransoms for both decryption and preventing the release of stolen data. There's no clear evidence of political or ideological motivations beyond profit.
Potential Impact: Successful attacks can lead to:
* Data Breach: Exposure of sensitive data, including personally identifiable information (PII), intellectual property, and financial records.
* Operational Disruption: Significant disruption to business operations, potentially halting critical services.
* Financial Loss: Costs associated with ransom payments, incident response, system recovery, and potential legal liabilities.
* Reputational Damage: Loss of trust and damage to the organization's reputation.
Targeted Industries:
* Healthcare and Public Health: A particularly concerning target, as attacks can directly impact patient care.
* Commercial Facilities
* Government Facilities
* Critical Manufacturing
* Education: Educational institutions have been frequently targeted.
* Construction: Another sector with a significant number of victims.
* Other: IT, retail, manufacturing, and others.
Geographic Focus: While BlackSuit has a global reach, the majority of victims are based in the United States.
Several notable attacks have been attributed to BlackSuit (and its predecessor, Royal):
Octapharma Plasma (April 2024): BlackSuit claimed responsibility for an attack on this blood plasma collection organization, leading to the temporary closure of nearly 200 centers in the U.S. This demonstrates the direct impact on critical healthcare services.
Kadokawa/Niconico (June 2024): This Japanese media conglomerate suffered a ransomware attack resulting in the leak of personal information for hundreds of thousands of individuals. 1.5 terabytes of data were stolen, impacting business partners and users, causing service disruptions. Recent data breaches https://thesecmaster.com/baymark-health-services-reveals-major-data-breach-impacting-patient-information highlight the importance of data protection.
CDK Global (June 2024): This attack disrupted operations at over 15,000 North American car dealerships, impacting sales, service, and inventory management systems. CDK Global reportedly paid a $25 million ransom to regain control.
Numerous Educational Institutions: BlackSuit has consistently targeted educational institutions, highlighting the vulnerability of this sector.
These examples underscore the wide-ranging impact of BlackSuit attacks, affecting critical infrastructure, businesses, and individuals.
Protecting against BlackSuit ransomware requires a multi-layered approach, focusing on prevention, detection, and response. Here are key defense strategies:
Data Backups:
* Maintain multiple copies of backups.
* Store backups offline, physically separate from the network.
* Segment backups from the main network.
* Secure backups with strong access controls.
* Encrypt backups.
* Implement immutable backups (backups that cannot be altered or deleted).
Strong Password Policies:
* Enforce strong password requirements (length, complexity).
* Prohibit password reuse across multiple accounts.
* Implement password lockout policies after a certain number of failed attempts.
* Adhere to NIST password standards.
* Consider Passwordless authentication https://thesecmaster.com/passwordless-authentication-things-every-business-and-individual-should-know-about.
Software Updates and Patching:
* Implement a timely patching schedule for all software and operating systems.
* Prioritize patching known exploited vulnerabilities.
* Utilize a vulnerability management system.
* It's also essential to have a proper Patch management strategy https://thesecmaster.com/patch-management-strategy-balancing-security-productivity-and-downtime.
Multi-Factor Authentication (MFA):
* Require MFA for all user accounts, especially administrator accounts and remote access.
* Use strong authentication methods (e.g., hardware tokens, biometrics).
Network Segmentation:
* Divide the network into smaller, isolated segments to limit the spread of ransomware.
* Implement strict access controls between segments.
Network Monitoring:
* Implement continuous network monitoring to detect unusual activity and lateral movement.
* Use intrusion detection and prevention systems (IDPS).
* Monitor for known BlackSuit IOCs.
* Use SIEM for Security Logging https://thesecmaster.com/security-logging-and-monitoring-the-9-web-application-security-risk.
Antivirus Software:
* Deploy and maintain up-to-date antivirus software on all endpoints.
* Enable real-time scanning and automatic updates.
Secure Logging Practices:
* Enable comprehensive logging of system and network activity.
* Regularly review logs for suspicious events.
* Use a Security Information and Event Management (SIEM) system for centralized log analysis.
User Account Review:
* Regularly review user accounts for new or unrecognized accounts.
* Implement the principle of least privilege (users should only have access to the resources they need).
Disable Unused Ports:
* Disable or restrict access to unused network ports, especially those commonly exploited by ransomware (e.g., RDP port 3389).
Email Security Policies:
* Disable macros by default in Microsoft Office applications.
* Implement email banners to flag external emails.
* Disable hyperlinks in emails from untrusted sources.
* Use email filtering and sandboxing technologies.
* Implement Sender Policy Framework (SPF) https://thesecmaster.com/what-is-sender-policy-framework-spf-why-do-we-need-spf-how-to-set-up-an-spf-record-how-to-check-an-spf-record.
Time-Based Access (Just-in-Time Provisioning):
* Limit access to sensitive resources to specific time windows.
Disabling Command-Line and Scripting Activities:
* Restrict the use of command-line tools and scripting environments for regular users.
Secure by Design (for Software Manufacturers): Embed security into product architecture throughout the entire software development lifecycle (SDLC).
Reporting: Report any suspected ransomware incidents to the FBI's Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA.
Utilize provided detection tools: Use YARA rules and XQL queries (from sources like the CISA advisory and Palo Alto Networks) to actively search for BlackSuit IOCs in your environment. Knowing what to do when you get compromised requires a Cyber Incident Response Plan https://thesecmaster.com/what-is-cyber-incident-response-plan-what-should-a-cirp-have.
BlackSuit ransomware, a rebranded and reinvigorated version of Royal ransomware, poses a significant and ongoing threat, particularly to critical infrastructure sectors. Its use of double extortion, partial encryption, and a variety of initial access methods makes it a formidable adversary. The recent updates from CISA and the FBI underscore the importance of staying informed about BlackSuit's evolving TTPs and IOCs. Organizations must adopt a proactive, multi-layered defense strategy, encompassing robust backups, strong security hygiene, network monitoring, and employee training, to mitigate the risk of a successful BlackSuit attack. Staying vigilant and implementing the recommended security measures is crucial to protecting against this persistent and damaging threat. Understanding indicators of compromise https://thesecmaster.com/understanding-indicator-of-compromise-ioc is critical for proactive defense.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.