Mark Clancy
Vice President for Cybersecurity/CISO, Sprint, Inc.; Founder, Cyber Risk Management; former Managing Director for Technology Risk Management/CISO, Depository Trust and Clearing Corporation (DTCC).
Lt. Gen. Dennis Crall
CEO of Advance Foundry. DoD Joint Staff, former Chief Information Officer – Director Command, Control, Communications, and Cyber (C4). Former Senior Military Advisor to the Undersecretary of Defense for Policy and former Deputy Principal Cyber Advisory to the Secretary of Defense.
Christopher Day
VP Strategic Capabilities and Programs, Tenable. VP of Cognitive Cyber, ManTech, Member Defense Science Board, Chief Information Security Officer for Invincea, CTO for Packet Forensics, LLC and its subsidiaries; Senior Vice President, Secure Information Services for Terremark Worldwide, Inc.; and Vice President for SteelCloud. Co-founded The Asgard Group, and subsequently sold it to SteelCloud in 2004.
Terry Roberts
Founder, President and CEO WhiteHawk CEC Inc., TASC VP for Cyber Engineering and Analytics, an Executive Director Carnegie Mellon University – Software Engineering Institute (CMU SEI), Deputy Director of Naval Intelligence CNO OPNAV, Director Requirements and Resources – Office of the Undersecretary of Defense for Intelligence.
Andy Zolper
Andy Zolper is the Chief Operating Officer of IT and Head of Enterprise Technology Solutions for Raymond James Financial. He leads a global team of experts who deliver technology capabilities to Raymond James and its clients. Andy also chairs the firm’s Operational Risk Management Committee, and serves as the executive sponsor of the firm’s veterans inclusion network (“Valor”). Prior to his current role Andy was the Chief Information Security Officer (CISO) of Raymond James Financial for 9 years.
Over the past 30 years Andy has held numerous technology and cyber security roles with companies including UBS, JP Morgan Chase, and Verizon. He is a graduate of the Virginia Military Institute and is a proud US Marine Corps veteran. Now that their five children are grown, Andy and his wife Linda are Florida Guardians ad Litem, court-appointed volunteer advocates for children in the foster care system. Andy serves on the board of The Guardian ad Litem Foundation of Tampa Bay.
Cybersecurity Workshop for Florida Critical Infrastructure
Join us on 29 October at the Tampa Palms Country Club for a dynamic cybersecurity workshop tailored to Florida’s critical infrastructure sectors.
This event will provide actionable recommendations for enhancing compliance with Florida Statute 282.318 and feature an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.
Participants will also engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents. A free lunch will be provided, along with opportunities to network with cybersecurity experts and industry peers.
Don’t miss this chance to improve your cybersecurity posture and resilience!
Blacksuit Ransomware Updated IOCs
I. Targeted Entities
- Healthcare sector
- Education sector
- Government organizations
- Manufacturing industries
- Retail industries
II. Introduction
New Indicators of Compromise associated with BlackSuit ransomware have been found in recent attacks. BlackSuit is a sophisticated cyber threat known for its double extortion tactics, encrypting and exfiltrating victim data to demand ransom.
III. Additional Background Information
BlackSuit ransomware emerged as a prominent threat actor in the cyber landscape in 2023. It is believed to be a direct successor to the Royal ransomware, itself a descendant of the notorious Conti ransomware group. BlackSuit shares significant code similarities with Royal, including encryption algorithms and communication methods, indicating that the operators behind BlackSuit have inherited and improved upon Royal’s techniques. An analysis made by Trend Micro revealed that BlackSuit and Royal ransomware have a high degree of similarity, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. Additionally, BlackSuit employs command-line arguments like those used by Royal, though with some variations and additional arguments.
This technical sophistication has allowed BlackSuit to conduct multiple high-profile attacks across various sectors since its emergence. Notably, one of the most significant attacks targeted a U.S.-based healthcare provider in October 2023, resulting in severe operational disruptions. The financial losses from this attack were estimated to be in the millions, including ransom payments and the cost of recovery and mitigation. In another incident, an educational institution suffered a data breach, leading to the exposure of sensitive student and staff information.
Financial gain is the primary motivation behind BlackSuit attacks. The group employs double extortion tactics, demanding ransom not only to decrypt the data but also to prevent the leaked data from being publicly released. This strategy increases the pressure on victims to pay the ransom, highlighting the ruthlessness and effectiveness of BlackSuit’s extortion methods.
Tools Used
- Blacksuit ransomware: The main payload used for encrypting victim data.
- Bravura Optitune: Legitimate remote monitoring and management (RMM) software used for maintaining remote access.
- InfoStealer: Malware designed to steal sensitive information, including credentials and financial data.
- NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovering host names and network services.
- Process Explorer: A Microsoft Sysinternals tool that provides detailed information about processes running on a system, used for monitoring and debugging.
- ProcessHacker: A free tool for monitoring system resources, debugging software, and detecting malware.
- PsKill: Microsoft Sysinternals command-line tool used to terminate Windows processes on local or remote systems.
- PsSuspend: Microsoft Sysinternals command-line tool used to suspend processes on a local or remote system.
- PsExec: A Microsoft Sysinternals tool for executing processes on other systems, primarily used by attackers for lateral movement.
- Rclone (suspected): An open-source tool that can manage content in the cloud, often abused by ransomware actors to exfiltrate data from victim machines.
These tools allow BlackSuit to conduct reconnaissance, maintain persistence, and execute their ransomware effectively. The group’s preference for leveraging legitimate software tools makes their activities harder to detect and mitigate. Understanding the tools and methods employed by BlackSuit ransomware is critical for defending against their attacks.
IV. MITRE ATT&CK
- T1057 – Process Discovery
- BlackSuit ransomware operators use tools like Process Explorer to list and monitor active processes. This allows them to identify security software, such as antivirus or endpoint detection and response (EDR) tools, which they may attempt to disable to avoid detection and ensure the success of their attack.
- T1059 – Command and Scripting Interpreter
- BlackSuit ransomware leverages PowerShell scripts to execute commands and payloads on compromised systems. PowerShell is a powerful scripting language built into Windows, which allows for the automation of administrative tasks. By using PowerShell, attackers can download additional payloads, execute them, and carry out further malicious activities without raising immediate suspicion.
- T1082 – System Information Discovery
- BlackSuit may run commands to gather information about the system architecture, OS version, installed software, and hardware details. This information helps attackers tailor their payloads and strategies to the specific environment they are targeting, increasing the chances of a successful attack.
- T1083 – File and Directory Discovery
- BlackSuit ransomware may use commands or scripts to enumerate user directories, document folders, and network shares. This helps them identify valuable files to encrypt, maximizing the impact of their attack and increasing the likelihood that victims will pay the ransom to regain access to their data.
- T1204 – User Execution
- BlackSuit ransomware operators may send phishing emails with malicious attachments or links. These emails are crafted to appear legitimate, often posing as invoices, delivery notifications, or urgent messages that require immediate attention. When the recipient opens the attachment or clicks the link, the ransomware is executed, leading to the infection of their system.
- T1486 – Data Encrypted for Impact
- BlackSuit encrypts critical files on the victim’s system using strong encryption algorithms. After encryption, the attackers demand a ransom for the decryption key needed to restore access to the data. This not only disrupts the victim’s operations but also places them under significant pressure to pay the ransom to recover their data.
- T1490 – Inhibit System Recovery
- BlackSuit ransomware might delete Volume Shadow Copies on Windows systems. Volume Shadow Copies are backup snapshots created by the operating system that allow users to restore their data to a previous state. By deleting these backups, the attackers ensure that victims cannot easily recover their data without paying the ransom, thereby increasing the effectiveness of their extortion.
V. Recommendations
- Hash Blacklisting and Detection Updates:
- Maintain an up-to-date blacklist of known malicious file hashes associated with BlackSuit and other ransomware variants. Use threat intelligence feeds and security vendors’ databases to identify and block these malicious files at the network perimeter and endpoint levels. Ensure that antivirus and anti-malware solutions are set to receive regular updates for detecting new ransomware variants and their associated hashes. Promptly apply these updates to enhance your organization’s capability to detect and prevent ransomware infections.
- Regular Backup and Disaster Recovery Planning:
- Maintain regular backups of critical data and systems, and store them securely, preferably off-site or in a cloud environment with strong encryption. Develop and periodically test a comprehensive disaster recovery plan that includes procedures for restoring data and services in a cyberattack.
- Implement Advanced Threat Intelligence and Information Sharing:
- Subscribe to and actively monitor threat intelligence feeds for the latest information on vulnerabilities and threats. Participate in industry and government cybersecurity information-sharing programs to stay informed about emerging threats and best practices.
- Enhance Incident Response and Forensic Capabilities:
- Develop and maintain a robust incident response plan that includes procedures for containment, eradication, and recovery. Ensure that forensic capabilities are available to investigate and understand the nature and scope of any breach, to improve defenses and prevent future incidents.
- Manage Default Accounts on Enterprise Assets and Software:
- Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
VI. IOCs (Indicators of Compromise)
| File Name | Description | SHA-1 Hash | Virus Total Detections |
|---|---|---|---|
| psexec.exe | PsExec |
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b |
2 |
| decryptor.exe | Blacksuit Ransomware | 141c7c7a2dea1be7304551a1fa0d4e4736e45b079f48eb8ff4c45d6a033b995a | 51 |
| netscan.exe | NetScan | 18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 | 32 |
| sqlite.dll | Suspected information-stealing malware | 5c297d9d50d0a784f16ac545dd93a889f8f11bf37b29f8f6907220936ab9434f | 38 |
| pskill.exe | PsKill | 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 | 1 |
| rclone.exe | Rclone | d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d | 2 |
| ProcessHacker.exe | ProcessHacker | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | 29 |
| Network IOCs | Virus Total Detections |
|---|---|
| 185.73.125[.]96 | 10 |
VII. References
Blacksuit (2024) SentinelOne. Available at: https://www.sentinelone.com/anthology/blacksuit/ (Accessed: 08 June 2024).
Montalbano, E. (2024) BlackSuit claims dozens of victims with ransomware, BlackSuit Claims Dozens of Victims With Ransomware. Available at: https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware (Accessed: 08 June 2024).
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Pagliaroni, Yousef Aref, Abdullah Siddiqi, and Nahyan Jamil.
Critical Update: Resolving the Microsoft Windows and CrowdStrike Outage
Early this morning, a widespread fault with Microsoft Windows machines running the CrowdStrike Falcon agent caused chaos around the globe – grounding flights, taking banks, hospital systems, and media offline, and causing a massive global disruption to companies and services around the world.
What Happened?
Cybersecurity firm CrowdStrike said that the issue believed to be behind the outage was not a security incident or cyberattack — the problem occurred when it deployed a faulty update to computers running Microsoft Windows.
Microsoft stated, “We have been made aware of an issue impacting Virtual Machines running Windows Client and Windows Server, running the CrowdStrike Falcon agent, which may encounter a bug check (BSOD) and get stuck in a restarting state.”
Steps to Resolve the Issue
Microsoft Azure released a fix for this issue. For detailed instructions, visit: https://azure.status.microsoft/en-gb/status
1. Restart Your Virtual Machines
Many users have reported success by repeatedly restarting their VMs. Although it may take multiple attempts (as many as 15 in some cases), this has proven to be an effective troubleshooting step. You can restart your VMs through the Azure Portal or using the Azure CLI:
- Using the Azure Portal: Navigate to your affected VMs and click on ‘Restart.’
- Using the Azure CLI or Azure Shell: Follow the instructions here to restart your VMs: Azure CLI Documentation
2. Restore from a Backup
If you have backups from before 19:00 UTC on July 18th, restoring from these backups is a reliable solution. Here’s how you can do it if you are using Azure Backup:
- Follow the instructions in this guide: How to Restore Azure VM Data
3. Repair the OS Disk
Another option is to repair the OS disk by attaching it to a repair VM. This allows you to delete the problematic file directly. Here are the steps:
- Attach the OS disk to a repair VM through the Azure Portal.
- Navigate to the disk and delete the file located at Windows/System32/Drivers/CrowdStrike/C00000291*.sys.
- Detach the disk and reattach it to the original VM.
For detailed instructions on repairing the OS disk, refer to: Troubleshoot a Windows VM
.sys Removal Script
This script automatically finds and removes the problematic .sys file on the host. This script can be put on a USB drive and executed with administrative privileges for ease of use across multiple systems.
Ongoing Support
The affected update has been pulled by CrowdStrike. Customers that are continuing to experience issues should reach out to CrowdStrike for additional assistance.
Microsoft is continuing to investigate additional mitigation options for customers and will share more information as it becomes known. For current updates, visit: https://azure.status.microsoft/en-gb/status