BlackSuit ransomware emerged in May 2023 as a rebrand of the Royal ransomware operation, which had been among the most prolific ransomware groups since late 2022. The group behind Royal ransomware was responsible for hundreds of successful attacks worldwide. BlackSuit represents an evolution of the Royal ransomware operation, which was carried out by former Conti ransomware affiliates, known for their advanced capabilities and refined tactics.
BlackSuit operates as an independent group, managing both attacks and ransom negotiations internally rather than operating under a ransomware-as-a-service (RaaS) model. Their campaigns have impacted organizations across diverse industries worldwide, with total ransom demands surpassing $500 million and the highest known demand for a single incident reaching $60 million.
This group employs a double-extortion strategy, combining data encryption with data exfiltration to coerce victims into paying substantial ransoms under the threat of data leakage.
Key Highlights
Targeted Industries:
In Q3, threat actors behind BlackSuit ransomware predominantly targeted organizations in the Transportation & Logistics, Education, Construction & Engineering, Government, and Healthcare sectors within the United States.
Global Insights:
The United States remains the primary focus of BlackSuit ransomware operators, but their reach extends globally. Notable incidents include multiple attacks in Spain, with additional activity observed in Canada, Switzerland, and the Netherlands.
Initial Access:
Ransomware Payment Demands:
The threat actors deploying BlackSuit ransomware have issued ransom demands as high as $60 million in some cases, though typical demands are generally under $10 million. They have demonstrated a willingness to negotiate, often allowing for substantial reductions.
In cases handled by MOXFIVE, initial ransom demands have been successfully reduced by as much as 75%, significantly lessening the financial burden on victims. These outcomes highlight the importance of strategic negotiation when responding to such incidents.
Data Exfiltration:
BlackSuit ransomware operators employ a double-extortion strategy, exfiltrating sensitive data before encrypting systems. If a victim refuses to pay the ransom, the stolen data is published on the group's leak site to increase pressure.
The group employs various tools at different stages of the attack to facilitate unauthorized access, data aggregation, and exfiltration.
Persistence and Command-and-Control (C2):
Data Collection and Exfiltration:
If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.