The FBI and CISA have alerted organizations about a new ransomware strain known as BlackSuit. This malware is an advanced version of the Royal ransomware, which caused significant disruptions between September 2022 and June 2023. Since becoming active in July 2024, BlackSuit has become a major concern due to its improved capabilities and more sophisticated attack methods. While it has ties to the older Royal ransomware, BlackSuit brings new features that increase its threat level, making it a serious risk for organizations.
How BlackSuit Ransomware Operates
The FBI and CISA have provided a detailed analysis of how BlackSuit operates, outlining the tactics, techniques, and procedures (TTPs) used by this ransomware. BlackSuit first steals data from victims before locking their files through encryption, using a strategy known as double extortion. If the victims do not pay the ransom, the attackers threaten to publicly release the stolen information on a leak site, putting additional pressure on them to meet the demands.
Initial Access
BlackSuit typically gains entry into networks through phishing emails, often disguised as harmless PDF attachments or links to malicious websites.
Besides phishing, the ransomware actors exploit vulnerabilities in publicly accessible applications, compromise Remote Desktop Protocol (RDP) systems, and acquire VPN credentials from initial access brokers.
Command and Control
Once inside a network, BlackSuit establishes communication with its command and control (C2) infrastructure. The ransomware actors repurpose legitimate Windows software like Chisel, PuTTY, OpenSSH, and MobaXterm for malicious activities, complicating the detection process.
Lateral Movement and Persistence
BlackSuit uses tools like RDP, PsExec, and Server Message Block (SMB) to move laterally within a network. It maintains persistence by deploying remote monitoring and management (RMM) software and malware like SystemBC and Gootloader.
Discovery and Credential Access
To gather information about the network, BlackSuit actors use tools such as SharpShares and SoftPerfect NetWorx. They employ credential-stealing utilities like Mimikatz and Nirsoft's tools on compromised systems. Additionally, the actors use PowerTool and GMER to terminate system processes.
Exfiltration and Encryption
Before encrypting files, BlackSuit aggregates and exfiltrates data using tools like Cobalt Strike and malware such as Ursnif/Gozi. RClone and Brute Ratel further facilitate the exfiltration process. To maximize the attack's impact, BlackSuit deletes volume shadow copies using vssadmin.exe and runs batch files to manage the encryption process.
Ransom Demands and Communication
BlackSuit's ransom demands are substantial, typically ranging from $1 million to $10 million USD, with Bitcoin being the preferred payment method. So far, the total ransom demands have exceeded $500 million USD, with some individual demands reaching up to $60 million. BlackSuit actors are open to negotiations, directing victims to a .onion URL for further communication and settlement discussions. In some cases, victims have reported receiving direct contact from the threat actors via phone or email, intensifying the pressure to pay the ransom.
