Difenda is issuing this advisory to inform stakeholders about significant developments regarding the BlackSuit ransomware, formerly known as Royal ransomware. The ransomware group, linked to over $500 million in ransom demands, has shown increasing sophistication and aggressive tactics. The rebranding to BlackSuit, which occurred in mid-2023, marks an evolution in their attack methods and tools. This advisory consolidates the latest findings and provides actionable recommendations to mitigate the threat posed by this ransomware.

BlackSuit Ransomware Threat Update: Technical Overview

The BlackSuit ransomware gang, a successor to the notorious Conti syndicate, has been active since January 2022, initially under the name Quantum ransomware. They transitioned to Royal ransomware in September 2022 and rebranded to BlackSuit in June 2023. The ransomware has targeted over 350 organizations across various sectors, including healthcare, government, critical manufacturing, and commercial facilities.

Key Characteristics:

  • Ransom Demands: Typically range from $1 million to $10 million, with payment demanded in Bitcoin. The total ransom demanded exceeds $500 million, with the highest individual ransom reaching $60 million.
  • Attack Vectors: Initial access is often gained via phishing emails, Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and purchases from initial access brokers (IABs).
  • Tactics, Techniques, and Procedures (TTPs):
    • Persistence: Use of legitimate remote monitoring and management (RMM) software, SystemBC, GootLoader malware, SharpShares, and SoftPerfect NetWorx.
    • Credential Theft: Tools like Mimikatz and Nirsoft’s password harvesting tools.
    • System Disruption: Use of PowerTool and GMER to kill system processes.
  • Notable Incidents: The BlackSuit ransomware was behind the significant IT outage at CDK Global, impacting over 15,000 car dealerships across North America and forcing operations to revert to manual processes.

Recent Developments:

  • Negotiation Tactics: BlackSuit actors interact directly with victims via a .onion URL for ransom negotiations, showcasing a willingness to negotiate payment amounts.
  • Pressure Tactics: Increasingly aggressive methods, including telephone or email communications to victims, threats to secondary victims, and leveraging stolen data to highlight unethical behavior or regulatory non-compliance.

What Our Threat Intelligence Team is Seeing

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

  • Behavior:Win32/CobaltStrike
  • Backdoor:Win64/CobaltStrike
  • HackTool:Win64/CobaltStrike
  • HackTool:Win32/Mimikatz
  • HackTool:Win64/Mimikatz
  • Ransom:Win32/BlackSuit
  • Ransom:Win64/Ransomhub

Microsoft Defender for Endpoint

The following alerts can indicate threat activity associated with BlackSuit.

  • File dropped and launched from remote location
  • Suspicious usage of remote management software
  • Tampering activity typical to ransomware attacks
  • Suspected delivery of Gootkit malware
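As an added example (not code from the Difenda advisory), the script below maps the Defender detection names and alert titles listed above to kill-chain stages and escalates any host that shows two or more distinct stages within a time window, so a single Mimikatz hit is triaged differently from Mimikatz plus Cobalt Strike on the same machine. The pipe-separated export format and the sample log lines are constructed for the example.

```python
"""Correlate Defender detections into BlackSuit kill-chain stages per host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection names and alert titles from the advisory, mapped to a stage.
STAGES = {
    "Behavior:Win32/CobaltStrike": "c2",
    "Backdoor:Win64/CobaltStrike": "c2",
    "HackTool:Win64/CobaltStrike": "c2",
    "HackTool:Win32/Mimikatz": "credential_theft",
    "HackTool:Win64/Mimikatz": "credential_theft",
    "Ransom:Win32/BlackSuit": "ransomware",
    "Ransom:Win64/Ransomhub": "ransomware",
    "File dropped and launched from remote location": "initial_access",
    "Suspicious usage of remote management software": "persistence",
    "Tampering activity typical to ransomware attacks": "ransomware",
    "Suspected delivery of Gootkit malware": "initial_access",
}

def parse_line(line):
    """Parse one 'ISO-timestamp|host|detection' line (constructed export format)."""
    ts, host, name = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), host, name

def correlate(lines, window=timedelta(hours=24)):
    """Return {host: sorted stages} for hosts with >= 2 distinct stages inside window."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, name = parse_line(line)
        stage = STAGES.get(name)          # unknown detections are ignored
        if stage:
            per_host[host].append((ts, stage))
    escalations = {}
    for host, events in per_host.items():
        events.sort()                      # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= 2:
                escalations[host] = sorted(stages)
                break
    return escalations

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-07-01T08:02:00|WS-014|Suspected delivery of Gootkit malware",
    "2024-07-01T09:15:00|WS-014|HackTool:Win32/Mimikatz",
    "2024-07-01T11:40:00|WS-014|Backdoor:Win64/CobaltStrike",
    "2024-07-01T10:00:00|SRV-DB1|Suspicious usage of remote management software",
    "2024-07-03T10:00:00|SRV-DB1|Tampering activity typical to ransomware attacks",
    "2024-07-02T12:00:00|WS-201|HackTool:Win64/Mimikatz",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

With the default 24-hour window only WS-014 escalates; SRV-DB1's two stages are 48 hours apart, so widening the window (or keying on host plus user) is the tuning decision a SOC has to make.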

What We Suggest to Mitigate the BlackSuit Ransomware Threat

  • Enhance Email Security:
    • Implement advanced email filtering solutions to detect and block phishing attempts.
    • Conduct regular phishing awareness training for employees.
  • Secure Remote Access:
    • Restrict RDP access and use multi-factor authentication (MFA) for remote logins.
    • Regularly update and patch internet-facing applications to prevent exploitation of vulnerabilities.
  • Deploy Endpoint Protection:
    • Utilize robust endpoint detection and response (EDR) solutions to detect and mitigate malicious activities.
    • Ensure antivirus software is up to date and capable of detecting BlackSuit-related tools and malware.
  • Network Segmentation and Monitoring:
    • Implement network segmentation to limit lateral movement within the network.
    • Monitor network traffic for signs of unauthorized access or data exfiltration.
  • Backup and Recovery:
    • Regularly back up critical data and ensure backups are stored offline and are tested for integrity.
