#StopRansomware: BlackSuit (Royal) Ransomware
Summary:
CISA and the FBI have updated a joint advisory first released in March 2023 on the Royal ransomware group, highlighting that the gang has since rebranded as the BlackSuit operation. BlackSuit, an evolution of Royal ransomware, has been observed in attacks from September 2022 through June 2023; it shares numerous code similarities with Royal while exhibiting improved capabilities. To date, BlackSuit has demanded as much as $500 million in ransoms, with the largest individual demand being $60 million. To help network defenders, the agencies have published updated BlackSuit tactics, techniques, and procedures, as well as IOCs and YARA rules.
Security Officer Comments:
Phishing emails appear to be the most successful initial access vector for BlackSuit, followed by abuse of Remote Desktop Protocol (RDP) and exploitation of public-facing applications. According to the advisory, Royal threat actors have historically used RDP and legitimate operating system diagnostic tools to facilitate lateral movement. The same holds for BlackSuit, but the gang also uses SMB to move laterally across victim environments. In one case confirmed by the agencies, BlackSuit actors used a legitimate admin account to remotely log on to the domain controller via SMB. Once on the domain controller, the threat actor deactivated antivirus software by modifying Group Policy Objects.
As with most ransomware operations, data theft and exfiltration are common practice in BlackSuit attacks. Notably, BlackSuit has been observed using the publicly available credential-stealing tool Mimikatz and password-harvesting tools from Nirsoft to steal credentials of interest. Tools like Cobalt Strike and Ursnif/Gozi have further been used for data aggregation and exfiltration. As a ransomware operation, BlackSuit's ultimate objective is to encrypt files on targeted systems, which are then held hostage for ransom demands. According to CISA and the FBI, BlackSuit uses a unique partial encryption approach that enables the threat actor to choose a specific percentage of data in a file to encrypt. “This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection, and also significantly improves ransomware speed.”
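The partial encryption approach described above, illustrated from the detection side as an added example (not code from the advisory or from CISA/FBI): a per-chunk entropy check flags a file whose leading share has been scrambled, while a naive whole-file entropy check stays quiet. The sample file is constructed, pseudo-random bytes stand in for ciphertext (no real cipher is used), and the chunk size and thresholds are assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 4096           # assumed window size for per-chunk entropy
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window across the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def analyze(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY) -> dict:
    """Compare what a whole-file entropy check sees with a per-chunk view."""
    ents = chunk_entropies(data, chunk)
    high_chunks = sum(1 for e in ents if e >= high)
    frac = high_chunks / len(ents) if ents else 0.0
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": whole,
        "high_entropy_chunk_fraction": frac,
        "naive_whole_file_flag": whole >= high,
        # some, but not all, windows look encrypted: the partial-encryption signature
        "partial_encryption_flag": 0.0 < frac < 1.0,
    }


def build_sample(size: int = 64 * 1024, encrypted_fraction: float = 0.2, seed: int = 1234) -> bytes:
    """Constructed sample: text-like content whose leading share is replaced by
    seeded pseudo-random bytes standing in for ciphertext."""
    line = b"quarterly sales report: region north, units 1200, revenue 48000\n"
    text = (line * (size // len(line) + 1))[:size]
    rng = random.Random(seed)
    n_enc = int(size * encrypted_fraction)
    scrambled = bytes(rng.getrandbits(8) for _ in range(n_enc))
    return scrambled + text[n_enc:]


if __name__ == "__main__":
    for frac in (0.0, 0.2, 1.0):
        print(frac, analyze(build_sample(encrypted_fraction=frac)))
```

With 20% of the file scrambled, the whole-file entropy stays well below the threshold, so only the per-chunk view raises a flag; a fully encrypted file trips the naive check instead.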
Suggested Corrections:
Actions for Organizations to Take Today to Mitigate Cyber Threats Related to BlackSuit Ransomware Activity:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce multifactor authentication.
Link(s):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a