The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued an advisory to alert organizations about the BlackSuit ransomware.
This FBI and CISA advisory includes details on the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as identified through FBI threat response activities and third-party reporting as recently as July 2024.
BlackSuit ransomware is an evolution of the previously known Royal ransomware, which was active from September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware but has demonstrated enhanced capabilities. This evolution signifies a significant threat as BlackSuit continues to target organizations through sophisticated attack vectors.
How BlackSuit Ransomware Operates
The advisory issued by the FBI and CISA provides detailed insights into the technical mechanisms used by BlackSuit ransomware.
This ransomware conducts data exfiltration and extortion prior to encryption, publishing victim data on a leak site if ransom demands are not met. The ransomware primarily gains initial access through phishing emails, where unsuspecting victims are tricked into downloading malicious attachments. Once inside a network, BlackSuit actors disable antivirus software, exfiltrate significant amounts of data, and ultimately deploy the ransomware to encrypt systems.
This method helps evade detection and significantly improves encryption speed. BlackSuit actors engage in double extortion tactics, threatening to release exfiltrated data publicly if the ransom is not paid.
Here is the detailed description:
Data Exfiltration and Extortion: BlackSuit ransomware follows a double extortion model, where it exfiltrates data before encrypting it. If the ransom is not paid, the threat actors threaten to publish the stolen data on a leak site. This tactic increases pressure on victims to comply with ransom demands.
Initial Access: Phishing emails are the primary method used by BlackSuit actors to gain initial access to victim networks. These emails often contain malicious PDF documents or links to malvertising sites. Other access methods include Remote Desktop Protocol (RDP) compromise, exploiting vulnerabilities in public-facing applications, and leveraging initial access brokers to obtain VPN credentials from stealer logs.
Command and Control: After gaining access, BlackSuit actors establish communication with their command and control (C2) infrastructure using legitimate Windows software repurposed for malicious activities. Tools historically used include Chisel, Secure Shell (SSH) clients, PuTTY, OpenSSH, and MobaXterm.
Lateral Movement and Persistence: BlackSuit actors move laterally within a network using RDP, PsExec, and Server Message Block (SMB). They maintain persistence through the use of legitimate remote monitoring and management (RMM) software and malware like SystemBC and Gootloader.
Discovery and Credential Access: The actors utilize tools like SharpShares and SoftPerfect NetWorx to enumerate networks. Credential-stealing tools such as Mimikatz and Nirsoft’s utilities have been found on compromised systems. They also use PowerTool and GMER to kill system processes.
Exfiltration and Encryption: Before encryption, BlackSuit actors use tools like Cobalt Strike and malware such as Ursnif/Gozi to aggregate and exfiltrate data. They employ RClone and Brute Ratel for exfiltration. To maximize the impact, they use Windows Restart Manager to check file usage, delete volume shadow copies using vssadmin.exe, and execute batch files to manage the encryption process.
BlackSuit Ransom Demands and Communication
Ransom demands by BlackSuit actors typically range from $1 million to $10 million USD, with payments required to be made in Bitcoin. To date, the actors have demanded over $500 million USD collectively, with the highest individual ransom demand being $60 million.
Notably, BlackSuit actors are willing to negotiate the ransom amounts. While the ransom amount is not included in the initial ransom note, victims are directed to a .onion URL (accessible via the Tor browser) for further communication and negotiation.
Recently, there has been an increase in instances where victims receive direct communications from BlackSuit actors, either via phone or email, regarding the compromise and ransom demands.
FBI and CISA Recommendations
The FBI and CISA strongly encourage organizations to implement the following recommendations to mitigate the risk and impact of ransomware incidents:
- User Training and Awareness: Educate employees about phishing tactics and encourage them to report suspicious emails.
- Multi-Factor Authentication (MFA): Implement MFA across all user accounts, especially those with administrative privileges.
- Regular Backups: Ensure regular backups of critical data and store them offline to protect against ransomware attacks.
- Network Segmentation: Segment networks to limit the lateral movement of threat actors.
- Patch Management: Regularly update and patch systems, software, and applications to address known vulnerabilities.
- Incident Response Plan: Develop and regularly update an incident response plan that includes procedures for responding to ransomware attacks.
The FBI and CISA’s advisory on BlackSuit ransomware highlights the evolving nature of ransomware threats and the importance of proactive cybersecurity measures. Organizations are urged to review the detailed recommendations and implement robust security practices to defend against such attacks.