
BlackSuit Confirmed as Royal Ransomware Rebrand

Written by The Hivemind | Aug 12, 2024 6:08:09 PM

Verticals Targeted: Critical Infrastructure, Healthcare, Government, Manufacturing 

Executive Summary

BlackSuit is a ransomware family that targets both Windows and Linux systems. A recent joint advisory published by CISA and the FBI confirmed BlackSuit is a rebrand of Royal. The advisory also highlighted new BlackSuit ransomware activity.

Key Takeaways

  • BlackSuit is a ransomware family that targets both Windows and Linux systems. 
  • A recent joint advisory published by CISA and the FBI confirmed BlackSuit is a rebrand of Royal. 
  • BlackSuit uses double extortion tactics, threatening to publicly release stolen data if a victim does not pay the ransom. 
  • BlackSuit’s ransom demands have ranged from $1-10 million USD, with some demands as high as $60 million USD. 

What is BlackSuit?

BlackSuit is a ransomware family that targets both Windows and Linux systems. Last year we reported on BlackSuit and referenced a Trend Micro report that highlighted the similarities between BlackSuit and Royal ransomware. We included BlackSuit in our 2024 Malware to Watch, noting our analysts expected BlackSuit to continue Royal’s trajectory of widespread targeting, including targeting of critical infrastructure entities. A recent joint advisory published by CISA and the FBI confirmed BlackSuit is a rebrand of Royal. The advisory also highlighted new BlackSuit ransomware activity. Recent BlackSuit targets have included critical infrastructure entities in the healthcare, government, and manufacturing verticals.

Royal ransomware was first seen in the wild in early 2022. Microsoft linked it to a threat actor group tracked as DEV-0569. In early 2023, a Linux variant of Royal ransomware was discovered that targeted Linux systems, including ESXi servers. BlackSuit ransomware emerged in 2023, and industry researchers noted the similarities between Royal and BlackSuit. 

BlackSuit has been observed using several methods to obtain initial access. The most common method is phishing, using malicious PDFs to trick unwitting victims into installing malware. The second most common method is RDP. The threat actors are also known to exploit vulnerable public-facing applications and to use the services of initial access brokers. 

When initial access has been established, the threat actors download multiple tools from the C2. Tools used for C2 communication include but are not limited to Chisel, SSH, PuTTY, OpenSSH, and MobaXterm. For lateral movement, BlackSuit uses RDP, PsExec, and SMB. To maintain persistence, BlackSuit uses RMM software or uses SystemBC and Gootloader to load additional tools. For enumeration, BlackSuit uses SharpShares, SoftPerfect NetWorx, Mimikatz, and Nirsoft tools. 

BlackSuit steals victim data, then exfiltrates it to the C2. For exfiltration, the threat actors use Cobalt Strike, Ursnif, Gozi, RClone, and Brute Ratel. Prior to encrypting victim files, BlackSuit deletes shadow copies to hinder file recovery. BlackSuit employs a partial encryption approach that allows the threat actors to choose how much of each file to encrypt. This fractional encryption increases the speed and efficiency of encryption and helps evade detection. BlackSuit uses double extortion tactics, threatening to publicly release stolen data if a victim does not pay the ransom. BlackSuit’s ransom demands have ranged from $1-10 million USD, with some demands as high as $60 million USD. 

IOCs

PolySwarm has multiple samples associated with BlackSuit activity.


B57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c

4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99

90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c

1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e

13d12091f39649493eab3cf0e56681e1ff0d8b982b85af65a0b2dd89532003a6

91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055

4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce

342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee
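The hashes above are only useful once they are compared against files on disk. The following Python script is an added example (not PolySwarm's own tooling) that parses the IOC block exactly as published, lower-cases it (note the first digest is mixed-case, which would otherwise cause a silent miss), and walks a directory computing streamed SHA-256 digests. The scan_tree, parse_ioc_list and demo_scan names are this example's own; the demo uses a constructed temporary directory rather than real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 digests exactly as listed in the report above (copied verbatim;
# the first one is mixed-case, so every comparison goes through lower-casing).
REPORT_IOC_TEXT = """
B57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c
4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e
13d12091f39649493eab3cf0e56681e1ff0d8b982b85af65a0b2dd89532003a6
91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055
4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee
"""


def parse_ioc_list(text):
    """Turn a pasted IOC block into a set of lowercase SHA-256 strings.

    Blank lines and surrounding whitespace are ignored. Anything that is not
    64 hex characters raises instead of being kept, so a truncated or
    mis-pasted hash cannot quietly become an IOC that never matches.
    """
    iocs = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not a SHA-256 hex digest: {line!r}")
        iocs.add(token)
    return iocs


BLACKSUIT_SHA256 = parse_ioc_list(REPORT_IOC_TEXT)


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_sample(digest, iocs=BLACKSUIT_SHA256):
    """Case-insensitive membership test against the IOC set."""
    return digest.strip().lower() in iocs


def scan_tree(root, iocs=BLACKSUIT_SHA256):
    """Walk a directory and return [(path, sha256)] for files whose digest is in iocs.

    Unreadable files are skipped so one permission error does not abort the scan.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(path), digest))
    return hits


def demo_scan():
    """Constructed demo: build a temp tree and scan it against a custom IOC set
    containing the digest of one benign file, so the match path is exercised
    without any real malware on disk. Returns the list of hits."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "benign.txt").write_bytes(b"hello")
        Path(d, "other.bin").write_bytes(b"\x00" * 4096)
        return scan_tree(d, iocs={sha256_hex(b"hello")})


if __name__ == "__main__":
    print("IOCs loaded:", len(BLACKSUIT_SHA256))
    print("demo hits:", demo_scan())
```

Pointing scan_tree at a quarantine, download or temp directory gives a quick offline check against the published hashes; any hit should be submitted to the portal for the full multi-engine verdict rather than treated as a final classification.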


You can use the following CLI command to search for all BlackSuit samples in our portal:

$ polyswarm link list -f BlackSuit


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.