CRIL has analyzed a recently identified ransomware group called BlackSuit, whose payloads target both of the widely used operating systems, Windows and Linux.
The Linux version of BlackSuit ransomware resembles the Royal ransomware, but it keeps its own communication channel (an onion site) and does not publish any information about its victims.
Technical Analysis
The Windows build of BlackSuit ransomware, written in C/C++, is a 32-bit executable that calls GetCommandLineW at startup to retrieve its command-line arguments.
Each argument is then compared against the following predefined list of strings:-
- -name
- -percentage
- -noprotect
- -disablesafeboot
- -local
- -network
- -delete
- -list
- -p
When an argument matches one of these strings, the corresponding flag variable is set to one; these flags determine which activities the ransomware performs while it runs.
The “-name” parameter is mandatory: it carries a unique 32-character identifier assigned to each victim, and the binary will not execute without it.
Unless the “-noprotect” parameter is supplied, the ransomware calls CreateMutexW() with a mutex name derived from the “-name” value; with “-noprotect”, this check is skipped and multiple instances can run at the same time.
It then calls GetLastError() to find out whether a mutex with that name already existed. A return value of 183 (ERROR_ALREADY_EXISTS) means another instance is already running, and the ransomware terminates, researchers said.
If the “-local” flag variable is zero (that is, the run is not restricted to the local machine), the ransomware creates a thread with CreateThread() to enumerate network devices.
To enumerate the files and directories it will encrypt, the ransomware relies on two Windows API functions:-
- FindFirstFileW()
- FindNextFileW()
The Linux variant of BlackSuit is a 64-bit ELF executable compiled with GCC. It accepts several command-line parameters that give the operator control over its functionality and behaviour.
The command-line parameters used by this variant are listed below:-
- -name
- -percent
- -p
- -thrcount
- -skip
- -killvm
- -allfies
- -noprotect
- -vmsyslog
- -demonoff
With the “-vmsyslog” parameter, the ransomware stops the “vmsyslog” service (the ESXi syslog daemon) that produces the logs for VMware virtual machines; with it stopped, irregularities in the virtual machines’ operation are harder to monitor and detect.
With the “-killvm” parameter, the ransomware terminates running VMware virtual machines (VMs) so that their files, which are held open while a VM is powered on, can be encrypted.
It also skips certain files during encryption, namely system files, files that are already encrypted, and its own ransom notes, so that the system remains usable and the notes stay readable. The “-vmonly” parameter, in turn, limits encryption to files associated with VMware virtual machines.
While encrypting, the ransomware drops a ransom note containing payment instructions and a Tor link for contacting the attackers.
Ransom Note
Once a file has been encrypted, BlackSuit ransomware appends the “.BlackSuit” extension to its name and drops a ransom note named “README.BlackSuit.txt” in every directory it traverses.
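The two artifacts named above, the “.BlackSuit” extension and the “README.BlackSuit.txt” note, are what a responder scopes an incident by. The following is an added triage example, not code from this page or from CRIL: it walks a tree, counts encrypted files by their original extension, reads the Tor contact URL out of each note, and lists directories that hold encrypted files but no note (a hint that the run was interrupted there). The sample tree, the note wording and the .onion address are constructed for the demo.

```python
"""
Added incident-response triage example; not code from the page or from CRIL.
Inventories ".BlackSuit" files and "README.BlackSuit.txt" notes under a root,
extracts .onion URLs from the notes, and flags directories with encrypted files
but no note. The sample tree and note text below are constructed for the demo.
"""
import json
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".blacksuit"          # compared case-insensitively
NOTE_NAME = "readme.blacksuit.txt"
# v3 onion hostnames are 56 base32 chars; accept 16..56 to stay lenient.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/\S*)?", re.I)


def triage(root):
    """Return a summary dict describing the BlackSuit artifacts found under root."""
    encrypted, notes, onion_urls, dirs_with_note = [], [], set(), set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
                dirs_with_note.add(rel)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    onion_urls.update(u.lower() for u in ONION_RE.findall(fh.read()))
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append((rel, name))
    # The extension sitting under ".BlackSuit" tells you which data types were hit.
    original_exts = Counter(
        os.path.splitext(name[: -len(ENCRYPTED_EXT)])[1].lower() or "(none)"
        for _, name in encrypted
    )
    affected_dirs = sorted({rel for rel, _ in encrypted})
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "original_extensions": dict(original_exts),
        "affected_dirs": affected_dirs,
        "dirs_without_note": [d for d in affected_dirs if d not in dirs_with_note],
        "onion_urls": sorted(onion_urls),
    }


# Constructed note text; the real note's wording is not reproduced on the page.
NOTE_TEXT = (
    "Your files have been encrypted.\n"
    "Contact us via Tor: http://exampleonionaddressconstructedfordemoonly.onion/\n"
)


def build_sample_tree(root):
    """Create a constructed post-incident tree: two directories with notes, one without."""
    layout = {
        "docs": ["report.docx.BlackSuit", "budget.xlsx.BlackSuit", "README.BlackSuit.txt"],
        "db": ["data.sql.BlackSuit", "README.BlackSuit.txt"],
        "vm": ["web01.vmdk.BlackSuit"],  # no note here: run likely interrupted
        "clean": ["notes.txt"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for n in names:
            with open(os.path.join(root, d, n), "w", encoding="utf-8") as fh:
                fh.write(NOTE_TEXT if n == "README.BlackSuit.txt" else "ciphertext-placeholder")


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a read-only mount of the affected volume (replace `run_demo()` with `triage("/mnt/evidence")`); the directories without a note are the first place to look for files the encryptor never reached, and the extension counts tell you which data sets need restoring from backup.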
If the “-disablesafeboot” parameter is present, the program first disables safe boot using the “bcdedit.exe” utility. Because the ransomware is a 32-bit process, it checks whether the OS is 64-bit and, if so, invokes the 64-bit “bcdedit.exe” (a 32-bit process referencing System32 is otherwise subject to WoW64 file system redirection). Finally, it forces an immediate restart by running “shutdown.exe” with the arguments “/r /t 0”.
If the “-delete” parameter is used, the ransomware deletes itself to remove evidence. It does this with a batch script containing an infinite loop: the loop looks for the file “f” and deletes it repeatedly until the file is gone or the script is stopped, so the executable disappears once the running process has exited (the process-creation events and the batch file itself are still left for responders to find).
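The safe-boot tampering, the forced reboot and the batch self-delete loop described above all surface in process telemetry. The following is an added detection example, not code from this page or from CRIL: it scores Sysmon-style process-creation records (Event ID 1 fields `Image`, `CommandLine`, `ParentProcessGuid`, `UtcTime`) and only raises a high-severity alert when bcdedit touching the safeboot element and `shutdown /r /t 0` come from the same parent within a short window, since a reboot on its own is routine in admin scripts; it also carries a heuristic for batch text shaped like the self-delete loop. The sample events, the exact bcdedit syntax and the batch text are constructed assumptions, not strings taken from the malware.

```python
"""
Added detection example; not code from the page or from CRIL.
Correlates constructed Sysmon Event ID 1 records for the BlackSuit pre-reboot
sequence (bcdedit safeboot tampering, then "shutdown /r /t 0") per parent
process, and flags batch scripts shaped like the self-delete loop.
The events, bcdedit syntax and batch text below are assumptions for the demo.
"""
import json
import re
from datetime import datetime, timedelta

# bcdedit invoked with the "safeboot" BCD element, whether set or deleted.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)
# shutdown with /r (restart) and /t 0 (no delay), in any order.
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/t\s+0\b)", re.I)


def classify(event):
    """Map one process-creation event to an indicator name, or None."""
    cmd = event.get("CommandLine", "")
    if SAFEBOOT_RE.search(cmd):
        return "safeboot_tamper"
    if REBOOT_RE.search(cmd):
        return "forced_reboot"
    return None


def parse_utc(ts):
    """Sysmon UtcTime format, e.g. '2023-05-15 12:00:01.100'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events, window=timedelta(seconds=60)):
    """Group indicators by parent process; both indicators inside the window -> high,
    a single indicator alone -> medium (a lone forced reboot is common and noisy)."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: parse_utc(e["UtcTime"])):
        ind = classify(ev)
        if ind:
            by_parent.setdefault(ev["ParentProcessGuid"], []).append(
                (parse_utc(ev["UtcTime"]), ind, ev["CommandLine"]))
    alerts = []
    for parent, hits in by_parent.items():
        kinds = {k for _, k, _ in hits}
        span = hits[-1][0] - hits[0][0]
        severity = "high" if len(kinds) == 2 and span <= window else "medium"
        alerts.append({"parent": parent, "severity": severity,
                       "indicators": sorted(kinds), "commands": [c for _, _, c in hits]})
    return alerts


def looks_like_self_delete_batch(text):
    """Heuristic: a label, a del/erase command, and a goto back to that label."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    labels = {ln[1:].split()[0].lower() for ln in lines
              if ln.startswith(":") and not ln.startswith("::") and len(ln) > 1}
    has_del = any(re.match(r"(?:del|erase)\b", ln, re.I) for ln in lines)
    loops_back = False
    for ln in lines:
        m = re.search(r"\bgoto\s+:?(\w+)", ln, re.I)
        if m and m.group(1).lower() in labels:
            loops_back = True
    return bool(labels) and has_del and loops_back


# Constructed Sysmon Event ID 1 records; GUIDs are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-05-15 12:00:01.100", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /deletevalue {default} safeboot", "ParentProcessGuid": "{P1}"},
    {"UtcTime": "2023-05-15 12:00:02.400", "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown.exe /r /t 0", "ParentProcessGuid": "{P1}"},
    {"UtcTime": "2023-05-15 09:15:00.000", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /enum", "ParentProcessGuid": "{P2}"},  # admin lookup
    {"UtcTime": "2023-05-15 18:00:00.000", "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": 'shutdown.exe /r /t 300 /c "Patch window"', "ParentProcessGuid": "{P3}"},
    {"UtcTime": "2023-05-15 20:30:00.000", "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown.exe /r /t 0", "ParentProcessGuid": "{P4}"},  # lone reboot
]

# Constructed batch text shaped like the self-delete loop; path and name are assumed.
SAMPLE_BATCH = r"""
:loop
del "C:\Users\Public\f.exe"
if exist "C:\Users\Public\f.exe" goto loop
del "%~f0"
"""
BENIGN_BATCH = "@echo off\nxcopy /s /y C:\\src D:\\backup\n"

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
    print("self-delete loop:", looks_like_self_delete_batch(SAMPLE_BATCH))
```

The parent-process correlation is what keeps this usable: both commands are legitimate administrative tools, so the signal is the pairing and the unusual parent (a user-writable binary rather than an installer or management agent), not either command alone. Sysmon process-creation logging, or an equivalent EDR feed, is a prerequisite.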
Recommendations
The cybersecurity analysts at CRIL offer the following recommendations:-
- Make sure to implement secure offline or separate network backups.
- Always monitor for early threat indicators and take necessary action.
- Enforce regular password changes or implement multi-factor authentication.
- Reduce the attack surface by avoiding exposing sensitive ports to the Internet.
- Deploy cybersecurity awareness programs for employees, third parties, and vendors.
- Make sure to implement a risk-based process for identifying and prioritizing critical vulnerabilities.
- Always verify authenticity before opening untrusted links and email attachments.
- Deploy reputable security software on company devices.
- Enable automatic software updates on all connected devices.