BlackSuit Ransomware Continues Rampage, Linked to Royal's Legacy
Category: Ransomware News | Industry: Global | Source: CISA
A new joint advisory identifies the BlackSuit ransomware gang as the successor to the previously known Royal ransomware, marking an escalation in ransomware activity. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) state in their joint advisory, "BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which operated from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities." The group's impact on the threat landscape is marked by these enhanced capabilities and by staggering ransom demands. "Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million." Such figures highlight the severity of these attacks and the financial motivation behind them. As with most ransomware gangs, BlackSuit operators use a double-extortion model, exfiltrating data before encryption to maximize their leverage for ransom payments.
BlackSuit actors use a variety of initial access vectors, most commonly phishing, followed by Remote Desktop Protocol (RDP) as the second most used method. Exploitation of public-facing applications and purchases from initial access brokers are also used. Once inside, the actors establish command and control with tools such as Chisel and SSH clients, which facilitate deeper network penetration and data access. For lateral movement and persistence within compromised networks, they use RDP in conjunction with PsExec and SMB, and they further entrench their access by deploying remote access software such as AnyDesk and Atera. To hinder defenses, they often modify Group Policy Objects and antivirus solutions, a methodical approach to avoiding detection and maintaining control.
BlackSuit actors employ a range of discovery and credential access techniques, using Advanced IP Scanner and AdFind to map the network environment and tools like Mimikatz to harvest credentials. Nirsoft utilities such as Nircmd are also notable tools in their kit. The operators drop batch and PowerShell scripts, executables and other files in directories such as C:\Temp\, C:\Users\<user>\AppData\Roaming\, C:\Users\<users>\, C:\ProgramData\ and the root of C:\. These payloads and scripts perform tasks ranging from reconnaissance to preventing the system from entering sleep and creating new accounts for persistent access.
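As an added example (not code from the advisory or this article), the following Python detector flags batch, PowerShell and executable files written directly into the staging directories named above, run over constructed file-creation events; the event layout, process names and sample paths are assumptions made for the demonstration.

```python
import re
from typing import Optional

# Staging directories the advisory summary names; "<user>" is a one-segment
# wildcard. Each regex matches only a file written directly into that directory,
# so the drive-root entry does not also match C:\Windows\... and so on.
STAGING_DIRS = [
    ("C:\\Temp\\", r"^C:\\Temp\\[^\\]+$"),
    ("C:\\Users\\<user>\\AppData\\Roaming\\", r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+$"),
    ("C:\\Users\\<user>\\", r"^C:\\Users\\[^\\]+\\[^\\]+$"),
    ("C:\\ProgramData\\", r"^C:\\ProgramData\\[^\\]+$"),
    ("C:\\ (drive root)", r"^C:\\[^\\]+$"),
]
_COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in STAGING_DIRS]
# Payload types the page calls out: batch scripts, PowerShell scripts, executables.
PAYLOAD_EXTS = (".bat", ".ps1", ".exe")

def staging_dir_for(path: str) -> Optional[str]:
    """Return the staging-directory label for a payload-type file dropped
    directly into one of the listed directories, else None."""
    if not path.lower().endswith(PAYLOAD_EXTS):
        return None
    for label, rx in _COMPILED:
        if rx.match(path):
            return label
    return None

def scan_file_events(log_lines):
    """Flag drops in constructed file-creation events shaped as
    '<timestamp> FileCreate <writing process> <target path>' (hypothetical layout)."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[1] != "FileCreate":
            continue
        ts, _, image, target = parts
        label = staging_dir_for(target)
        if label:
            hits.append((ts, image, target, label))
    return hits

# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    "2024-08-07T10:00:01Z FileCreate cmd.exe C:\\Temp\\recon.bat",
    "2024-08-07T10:00:05Z FileCreate powershell.exe C:\\Users\\alice\\AppData\\Roaming\\update.ps1",
    "2024-08-07T10:00:09Z FileCreate explorer.exe C:\\Users\\alice\\Documents\\notes.txt",
    "2024-08-07T10:00:12Z FileCreate msiexec.exe C:\\Program Files\\App\\app.exe",
    "2024-08-07T10:00:20Z FileCreate cmd.exe C:\\stage.exe",
]
```

Running `scan_file_events(SAMPLE_EVENTS)` flags the first, second and last events and leaves the Documents and Program Files writes alone, since those are not directly inside a listed staging directory.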
The final phase of the intrusion makes extensive use of data exfiltration tools such as Rclone and Brute Ratel, reflecting the actors' capability to steal data at scale before deploying the ransomware. These steps underscore the seriousness of their operations and the deliberate combination of multiple attack techniques to maximize impact.
In response to the rising threat posed by BlackSuit, CISA and the FBI urge organizations to adopt mitigation strategies to reduce the risk and impact of ransomware incidents. These include implementing strong phishing defenses, securing RDP access, and ensuring timely patching of public-facing applications. Additionally, organizations are encouraged to maintain offline, encrypted backups of data and enforce stringent network segmentation to limit the spread of ransomware. By understanding the advanced TTPs used by BlackSuit actors, network defenders can better prepare and protect against these evolving ransomware threats.