BlackSuit ransomware is a fairly novel malware and double-extortion threat group initially tracked as Royal ransomware since September 2022. A rebrand and evolution of Royal (itself a derivative of the defunct Conti gang), its members have significant attack pedigree and expertise. Making use of some uniquely innovative attack and extortion methods, they extract significant ransom payments from victim organizations.
Description:
Known as BlackSuit since around March 2023, the group targeted both Windows and Linux enterprise systems (including ESXi servers) with unwanted access, data extraction, and file encryption. The group employs a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This leads to faster encryption operations and better detection evasion, while still impacting operations. The victims are left a ransom note with contact information, though the group typically doesn’t share ransom amounts at this stage; instead, they require direct communication through their .onion Tor URL before making their monetary demands.
As is standard in the double-extortion model, the claims of data decryption are also paired with threats of internal data leak. Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. The group has demanded over $500 million USD in total and the largest individual ransom demand was $60 million. Unusually, there have been several reported instances of a group representative contacting victims directly (through telephone or email) to inform them of the compromise and make ransom demands.
The group is known to gain initial access through means of phishing, VPN misconfigurations, and Cobalt Strike Beacons. Through PsExec and abuse of unsecured RDP and SMB services, they advance through internal networks and acquire better access. With Cobalt Strike and SystemBC and command-and-control centers, they acquire and exfiltrate wanted data, followed by the encryption process.
Recommendations:
To prevent BlackSuit and other ransomware attacks, it is recommended to take the following measures:
- Back up your data regularly and store it offline or separately, to restore it without paying the ransom if infection occurs.
- Install updates for operating systems, software and firmware as soon as they are released.
- Require phishing-resistant, non-SMS-based multi-factor authentication for as many services as possible.
- Limit user privileges and access to the minimum necessary for their roles. This can reduce the risk of ransomware spreading to other devices or systems through compromised accounts.
- Use secure passwords to avoid credential leakage.
- Educate users to both recognize and report phishing attempts.
If compromise is detected, organizations should:
- Quarantine or take potentially affected hosts offline.
- Reimage compromised hosts.
- Provision new account credentials.
- Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit
- https://www.reliaquest.com/blog/blacksuit-attack-analysis/
- https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
- https://cyble.com/blog/blacksuit-ransomware-strikes-windows-and-linux-users/
