BlackSuit ransomware, a rebranded version of the infamous Royal ransomware, emerged in May 2023. This strategic rebranding was an attempt to evade intensified law enforcement scrutiny. Originating from the notorious Conti ransomware gang, BlackSuit quickly targeted high-profile sectors such as healthcare, education, and critical infrastructure, causing widespread disruptions and significant financial losses.
Tactics, Techniques, and Procedures
BlackSuit's operators employ a multifaceted approach to maximize the impact of their attacks:
1. Initial Access
- Phishing Campaigns: Utilizing highly targeted phishing emails to deceive recipients into clicking on malicious links or downloading infected attachments. (MITRE ATT&CK T1566)
- Exploitation of Vulnerabilities: Targeting unpatched vulnerabilities in software and hardware to gain unauthorized access and establish a foothold within the network. (MITRE ATT&CK T1190)
2. Execution
- Living off the Land (LotL): Leveraging legitimate administrative tools to conduct malicious activities, making detection more challenging.
- Use of Third-Party Tools: Utilizing legitimate software like Chisel and Cloudflared for network tunneling, and AnyDesk and MobaXterm for remote access and control. (MITRE ATT&CK T1219)
3. Persistence
- Credential Dumping: Extracting credentials from memory, files, and the registry using tools like Mimikatz. (MITRE ATT&CK T1003.001)
- Establishing Persistence: Creating scheduled tasks or using registry keys to maintain their presence on compromised systems.
4. Privilege Escalation
- Exploiting Vulnerabilities: Taking advantage of privilege escalation vulnerabilities to gain higher-level access within the network.
- Credential Reuse: Using stolen credentials to move laterally across the network and compromise additional systems. (MITRE ATT&CK T1078)
5. Defense Evasion
- Disabling Security Tools: Attempting to disable antivirus software, firewalls, and other security tools to avoid detection. (MITRE ATT&CK T1562.001)
- Obfuscation: Employing obfuscation techniques to hide malicious code and evade signature-based detection mechanisms.
6. Exfiltration and Impact
- Data Exfiltration: Exfiltrating sensitive data before encrypting files to use as leverage in dual extortion schemes. (MITRE ATT&CK T1567)
- File Encryption: Utilizing robust encryption algorithms to lock the victim's files, rendering them inaccessible without the decryption key. (MITRE ATT&CK T1486)
Indicators of Compromise
Security teams should monitor for the following IOC categories: phishing domains used in campaigns, unusual activity involving network tunneling tools (Chisel, Cloudflared), unexpected use of remote access tools (AnyDesk, MobaXterm), and file extensions or naming conventions indicative of BlackSuit's encryption process.
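As an added example (not Mjolnir Security's code or tooling), the following script shows one way to act on the tool-related IOC categories above: it scans process-creation events for the tunneling tools (Chisel, Cloudflared) and remote-access tools (AnyDesk, MobaXterm) the advisory names, and suppresses remote-access hits on hosts where such software is expected. The JSON-lines event shape, the binary names used for matching, the host names and the approved-host allowlist are all constructed assumptions; real telemetry (Sysmon Event ID 1, EDR process events) would need a small field-mapping step.

```python
"""Added example, not Mjolnir Security's code: flag process-creation events that
involve the tunneling and remote-access tools named in the BlackSuit advisory."""
import json
from collections import defaultdict

# Binary names are assumptions; the tool names themselves come from the advisory.
TOOL_CATEGORIES = {
    "network_tunneling": {"chisel.exe", "cloudflared.exe"},
    "remote_access": {"anydesk.exe", "mobaxterm.exe"},
}

# Hosts on which remote-access tooling is legitimately expected (assumed allowlist).
APPROVED_REMOTE_ACCESS_HOSTS = {"IT-JUMP01"}

# Constructed sample events in a Sysmon-like JSON-lines shape (not real telemetry).
SAMPLE_EVENTS = r"""
{"host": "FIN-WS12", "user": "acme\\jsmith", "image": "C:\\Windows\\System32\\svchost.exe"}
{"host": "FIN-WS12", "user": "acme\\jsmith", "image": "C:\\Users\\Public\\chisel.exe"}
{"host": "IT-JUMP01", "user": "acme\\helpdesk", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"host": "HR-WS03", "user": "acme\\mlee", "image": "C:\\Users\\mlee\\AppData\\Local\\Temp\\anydesk.exe"}
{"host": "DC01", "user": "acme\\svc_backup", "image": "C:\\Windows\\Temp\\cloudflared.exe"}
"""


def classify_event(event):
    """Return (category, binary_name) when the process image is a tool of interest,
    or None when it is not (or when remote access is expected on that host)."""
    image_name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    for category, names in TOOL_CATEGORIES.items():
        if image_name in names:
            if category == "remote_access" and event["host"].upper() in APPROVED_REMOTE_ACCESS_HOSTS:
                return None  # expected on an approved jump host; not a finding
            return category, image_name
    return None


def scan_events(jsonl_text):
    """Parse JSON-lines events and return one finding per matching process start."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify_event(event)
        if hit is None:
            continue
        category, name = hit
        findings.append({"host": event["host"], "user": event["user"],
                         "tool": name, "category": category})
    return findings


def hosts_by_category(findings):
    """Group affected hosts by IOC category so an analyst sees the spread at a glance."""
    grouped = defaultdict(set)
    for finding in findings:
        grouped[finding["category"]].add(finding["host"])
    return {category: sorted(hosts) for category, hosts in grouped.items()}


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for finding in results:
        print(f"[{finding['category']}] {finding['host']} ({finding['user']}): {finding['tool']}")
    print(hosts_by_category(results))
```

The allowlist matters: AnyDesk on a help-desk jump host is routine, while the same binary launched from a user's Temp directory on a workstation is exactly the "unexpected use" the advisory asks teams to watch for, so the approved-host check keeps the output actionable rather than noisy. Matching on the image name alone is deliberately simple; renamed binaries would need hash- or signer-based matching on top of this.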
How Mjolnir Security Can Help
Mjolnir Security offers a comprehensive suite of services to protect against threats like BlackSuit ransomware:
- Incident Response and Threat Analysis: Our experienced team rapidly identifies and mitigates threats, minimizing damage and downtime.
- Proactive Threat Hunting and Monitoring: Continuous monitoring of network activity to detect and respond to malicious activities in real time.
- Vulnerability Management and Patch Deployment: Regular assessments to identify and remediate vulnerabilities in software and hardware.
- Employee Training and Awareness Programs: Comprehensive training programs to educate staff on phishing techniques and social engineering tactics.
- Robust Backup and Recovery Solutions: Implementing encrypted and immutable offline backups to ensure data can be restored without paying a ransom.
- Multi-Factor Authentication and Network Segmentation: Enforcing MFA across all critical systems and isolating critical networks to limit lateral movement.