I. Targeted Entities
- Healthcare sector
- Education sector
- Government organizations
- Manufacturing industries
- Retail industries
II. Introduction
New Indicators of Compromise associated with BlackSuit ransomware have been found in recent attacks. BlackSuit is a sophisticated cyber threat known for its double extortion tactics, encrypting and exfiltrating victim data to demand ransom.
III. Additional Background Information
BlackSuit ransomware emerged as a prominent threat actor in the cyber landscape in 2023. It is believed to be a direct successor to the Royal ransomware, itself a descendant of the notorious Conti ransomware group. BlackSuit shares significant code similarities with Royal, including encryption algorithms and communication methods, indicating that the operators behind BlackSuit have inherited and improved upon Royal’s techniques. An analysis made by Trend Micro revealed that BlackSuit and Royal ransomware have a high degree of similarity, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. Additionally, BlackSuit employs command-line arguments like those used by Royal, though with some variations and additional arguments.
This technical sophistication has allowed BlackSuit to conduct multiple high-profile attacks across various sectors since its emergence. Notably, one of the most significant attacks targeted a U.S.-based healthcare provider in October 2023, resulting in severe operational disruptions. The financial losses from this attack were estimated to be in the millions, including ransom payments and the cost of recovery and mitigation. In another incident, an educational institution suffered a data breach, leading to the exposure of sensitive student and staff information.
Financial gain is the primary motivation behind BlackSuit attacks. The group employs double extortion tactics, demanding ransom not only to decrypt the data but also to prevent the leaked data from being publicly released. This strategy increases the pressure on victims to pay the ransom, highlighting the ruthlessness and effectiveness of BlackSuit’s extortion methods.
Tools Used
- Blacksuit ransomware: The main payload used for encrypting victim data.
- Bravura Optitune: Legitimate remote monitoring and management (RMM) software used for maintaining remote access.
- InfoStealer: Malware designed to steal sensitive information, including credentials and financial data.
- NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovering host names and network services.
- Process Explorer: A Microsoft Sysinternals tool that provides detailed information about processes running on a system, used for monitoring and debugging.
- ProcessHacker: A free tool for monitoring system resources, debugging software, and detecting malware.
- PsKill: Microsoft Sysinternals command-line tool used to terminate Windows processes on local or remote systems.
- PsSuspend: Microsoft Sysinternals command-line tool used to suspend processes on a local or remote system.
- PsExec: A Microsoft Sysinternals tool for executing processes on other systems, primarily used by attackers for lateral movement.
- Rclone (suspected): An open-source tool that can manage content in the cloud, often abused by ransomware actors to exfiltrate data from victim machines.
These tools allow BlackSuit to conduct reconnaissance, maintain persistence, and execute their ransomware effectively. The group’s preference for leveraging legitimate software tools makes their activities harder to detect and mitigate. Understanding the tools and methods employed by BlackSuit ransomware is critical for defending against their attacks.
IV. MITRE ATT&CK
- T1057 – Process Discovery
- BlackSuit ransomware operators use tools like Process Explorer to list and monitor active processes. This allows them to identify security software, such as antivirus or endpoint detection and response (EDR) tools, which they may attempt to disable to avoid detection and ensure the success of their attack.
- T1059 – Command and Scripting Interpreter
- BlackSuit ransomware leverages PowerShell scripts to execute commands and payloads on compromised systems. PowerShell is a powerful scripting language built into Windows, which allows for the automation of administrative tasks. By using PowerShell, attackers can download additional payloads, execute them, and carry out further malicious activities without raising immediate suspicion.
- T1082 – System Information Discovery
- BlackSuit may run commands to gather information about the system architecture, OS version, installed software, and hardware details. This information helps attackers tailor their payloads and strategies to the specific environment they are targeting, increasing the chances of a successful attack.
- T1083 – File and Directory Discovery
- BlackSuit ransomware may use commands or scripts to enumerate user directories, document folders, and network shares. This helps them identify valuable files to encrypt, maximizing the impact of their attack and increasing the likelihood that victims will pay the ransom to regain access to their data.
- T1204 – User Execution
- BlackSuit ransomware operators may send phishing emails with malicious attachments or links. These emails are crafted to appear legitimate, often posing as invoices, delivery notifications, or urgent messages that require immediate attention. When the recipient opens the attachment or clicks the link, the ransomware is executed, leading to the infection of their system.
- T1486 – Data Encrypted for Impact
- BlackSuit encrypts critical files on the victim’s system using strong encryption algorithms. After encryption, the attackers demand a ransom for the decryption key needed to restore access to the data. This not only disrupts the victim’s operations but also places them under significant pressure to pay the ransom to recover their data.
- T1490 – Inhibit System Recovery
- BlackSuit ransomware might delete Volume Shadow Copies on Windows systems. Volume Shadow Copies are backup snapshots created by the operating system that allow users to restore their data to a previous state. By deleting these backups, the attackers ensure that victims cannot easily recover their data without paying the ransom, thereby increasing the effectiveness of their extortion.
V. Recommendations
- Hash Blacklisting and Detection Updates:
- Maintain an up-to-date blacklist of known malicious file hashes associated with BlackSuit and other ransomware variants. Use threat intelligence feeds and security vendors’ databases to identify and block these malicious files at the network perimeter and endpoint levels. Ensure that antivirus and anti-malware solutions are set to receive regular updates for detecting new ransomware variants and their associated hashes. Promptly apply these updates to enhance your organization’s capability to detect and prevent ransomware infections.
- Regular Backup and Disaster Recovery Planning:
- Maintain regular backups of critical data and systems, and store them securely, preferably off-site or in a cloud environment with strong encryption. Develop and periodically test a comprehensive disaster recovery plan that includes procedures for restoring data and services in a cyberattack.
- Implement Advanced Threat Intelligence and Information Sharing:
- Subscribe to and actively monitor threat intelligence feeds for the latest information on vulnerabilities and threats. Participate in industry and government cybersecurity information-sharing programs to stay informed about emerging threats and best practices.
- Enhance Incident Response and Forensic Capabilities:
- Develop and maintain a robust incident response plan that includes procedures for containment, eradication, and recovery. Ensure that forensic capabilities are available to investigate and understand the nature and scope of any breach, to improve defenses and prevent future incidents.
- Manage Default Accounts on Enterprise Assets and Software:
- Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
VI. IOCs (Indicators of Compromise)
| File Name | Description | SHA-1 Hash | Virus Total Detections |
|---|---|---|---|
| psexec.exe | PsExec |
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b |
2 |
| decryptor.exe | Blacksuit Ransomware | 141c7c7a2dea1be7304551a1fa0d4e4736e45b079f48eb8ff4c45d6a033b995a | 51 |
| netscan.exe | NetScan | 18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 | 32 |
| sqlite.dll | Suspected information-stealing malware | 5c297d9d50d0a784f16ac545dd93a889f8f11bf37b29f8f6907220936ab9434f | 38 |
| pskill.exe | PsKill | 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 | 1 |
| rclone.exe | Rclone | d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d | 2 |
| ProcessHacker.exe | ProcessHacker | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | 29 |
| Network IOCs | Virus Total Detections |
|---|---|
| 185.73.125[.]96 | 10 |
VII. References
Blacksuit (2024) SentinelOne. Available at: https://www.sentinelone.com/anthology/blacksuit/ (Accessed: 08 June 2024).
Montalbano, E. (2024) BlackSuit claims dozens of victims with ransomware, BlackSuit Claims Dozens of Victims With Ransomware. Available at: https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware (Accessed: 08 June 2024).
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Pagliaroni, Yousef Aref, Abdullah Siddiqi, and Nahyan Jamil.