BlackSuit is a type of ransomware that employs multi-extortion tactics to exfiltrate victim data, extort ransom, and expose the stolen data on its leak site if the ransom is not paid. While it primarily targets the healthcare and public health sectors in the United States, it has also gone after organizations in the manufacturing, retail, and government sectors in other countries. BlackSuit's ransom demands typically range from approximately $1 million to $10 million, usually demanded in Bitcoin.
Origin and evolution
BlackSuit ransomware, which first emerged in April 2023, is considered to share code similarities with the Royal ransomware group, which was identified in early 2022. Royal ransomware, in turn, is considered to be the rebranded remnants of the Conti Ransomware as a Service (RaaS) group, which was shut down in May 2022. While its predecessors operated as RaaS groups, BlackSuit operates as a private ransomware group with no public affiliates.
How BlackSuit ransomware works
1. Initial access
BlackSuit actors gain initial access to the network via phishing emails, brute-force attacks on RDP accounts, or the exploitation of public-facing applications. They also harvest credentials from stealer logs and exploit VPN accounts that lack multi-factor authentication (MFA).
2. Execution
Once BlackSuit ransomware enters a network, it establishes communication with its command and control (C2) server to download the payload and the tools needed to set up its infrastructure. It leverages Secure Shell (SSH) clients such as PuTTY and OpenSSH to communicate with the C2 server.
3. Lateral movement and privilege escalation
BlackSuit exploits RDP and PsExec to move laterally across the network. It employs tools like Mimikatz to harvest credentials and creates new domain and admin accounts that can be leveraged to escalate privileges.
4. Persistence
BlackSuit hackers log on to the domain controller remotely, terminate antivirus software, and kill system processes. To do this, they use tools such as PowerTool and GMER. They also leverage legitimate remote monitoring tools to maintain persistence in the victim's network.
5. Exfiltration and encryption
BlackSuit actors exfiltrate data from victim networks using legitimate cyber penetration testing tools, such as Cobalt Strike. The ransomware encrypts files using AES encryption and deletes the volume shadow copies of the files on the infected device to hinder file recovery and restoration.
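The attack chain above leaves concrete traces in Windows Security logs: a remote logon to a domain controller (event 4624 with logon type 10), a freshly created account (4720) being added to a privileged group (4728/4732) shortly afterwards, and a process creation (4688) that deletes volume shadow copies. The following Python correlation logic is an added example, not the page's or Log360's own rules; the event records are constructed in a simplified key=value form, the domain controller inventory and the one-hour account-to-admin window are assumptions, and real 4688 events only carry the command line when "Include command line in process creation events" auditing is enabled.

```python
"""Correlate three host signals from the BlackSuit attack chain over
constructed Windows Security events (4624, 4720, 4728/4732, 4688).
Added example code, not Log360's implementation."""
import re
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}  # assumed inventory of domain controller hostnames
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ACCOUNT_TO_ADMIN_WINDOW = timedelta(hours=1)  # assumed correlation window
# Command lines that remove shadow copies or the backup catalog.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed sample events in a simplified 'Key=Value;Key=Value' form.
SAMPLE_EVENTS = [
    "Time=2024-06-01T02:10:11;EventID=4624;Host=DC01;TargetUser=jsmith;LogonType=10",
    "Time=2024-06-01T02:11:30;EventID=4624;Host=FS01;TargetUser=alice;LogonType=3",
    "Time=2024-06-01T02:12:40;EventID=4720;Host=DC01;TargetUser=svc_backup2;Subject=jsmith",
    "Time=2024-06-01T02:13:05;EventID=4728;Host=DC01;Group=Domain Admins;Member=svc_backup2;Subject=jsmith",
    "Time=2024-06-01T02:14:00;EventID=4720;Host=DC01;TargetUser=intern01;Subject=hr_admin",
    "Time=2024-06-01T02:14:20;EventID=4732;Host=DC01;Group=Remote Desktop Users;Member=intern01;Subject=hr_admin",
    "Time=2024-06-01T02:20:00;EventID=4688;Host=FS01;NewProcess=C:\\Windows\\System32\\vssadmin.exe;"
    "CommandLine=vssadmin.exe delete shadows /all /quiet",
    "Time=2024-06-01T02:20:01;EventID=4688;Host=FS01;NewProcess=C:\\Windows\\System32\\cmd.exe;"
    "CommandLine=cmd.exe /c dir",
]


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value;Key=Value' record into a dict (first '=' splits)."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def correlate(lines):
    """Return a list of alert dicts for the three signals described above."""
    alerts = []
    created = {}  # account name -> time of its 4720 (account created) event
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        when = datetime.fromisoformat(ev["Time"])
        if eid == "4624" and ev.get("LogonType") == "10" and ev["Host"] in DOMAIN_CONTROLLERS:
            # Logon type 10 = RemoteInteractive (RDP) session on a domain controller.
            alerts.append({"kind": "rdp_logon_to_dc", "host": ev["Host"],
                           "user": ev["TargetUser"], "time": when})
        elif eid == "4720":
            created[ev["TargetUser"]] = when
        elif eid in ("4728", "4732") and ev.get("Group") in PRIVILEGED_GROUPS:
            # Member added to a global (4728) or local (4732) security group;
            # alert only when the member was created within the window.
            born = created.get(ev["Member"])
            if born is not None and when - born <= ACCOUNT_TO_ADMIN_WINDOW:
                alerts.append({"kind": "new_account_privileged", "host": ev["Host"],
                               "user": ev["Member"], "group": ev["Group"], "time": when})
        elif eid == "4688":
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"kind": "shadow_copy_deletion", "host": ev["Host"],
                               "command": cmd, "time": when})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The account creation and group membership events are correlated by account name inside a time window rather than alerted on individually, because a lone 4720 or 4728 is routine administration; the shadow copy deletion pattern, by contrast, is rare enough in normal operations to alert on by itself.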
BlackSuit ransom demands and its data leak site
BlackSuit actors have demanded over $500 million in total, with the largest individual ransom demand being $60 million. The ransom demand is usually not included in the BlackSuit ransom note. Instead, the demand is directly negotiated with the victim via its data leak site, which is hosted on the TOR network with a .onion URL. When a victim fails to comply with the ransom demands, the attacker releases the victim's details along with the stolen data on the leak site.
How to protect against BlackSuit ransomware
- Employee education: Create awareness among employees on the impact of ransomware and provide training to identify phishing emails, anomalous processes, and malicious executables.
- Vulnerability testing: Conduct vulnerability scans on all network devices, software, and applications, and update their security configurations regularly.
- Risk assessment: IT teams should conduct periodic risk assessments and estimate the risk scores of all users and entities to detect suspicious behavior.
- Email filtering: Phishing emails are common vectors of ransomware that carry malicious URLs, attachments, and executables. Email filtering tools flag emails with suspicious content and block them from your inbox.
- Securing RDP: Implement regular security updates for remote desktop applications, and ensure that VPNs, MFA tools, and firewalls are consistently up to date.
- Traffic analysis: Analyze all incoming and outgoing traffic in the network and block transmissions of data packets that contain sensitive information or malicious files.
- Anomaly detection: Monitor user and entity behavior to flag anomalous activities, like unauthorized access and logons, privilege escalation, and lateral movement within the network.
- File monitoring: Continuously monitor sensitive files, folders, and their backups to detect abnormal file executions, unauthorized access attempts, sudden increases in file encryption, and excessive file renaming.
- Data backup and encryption: Back up files with sensitive data and ensure the safety of the original files and their backups using data encryption techniques.
- Security monitoring: Implement a log management solution or a SIEM solution to gain visibility across the entire network.
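The "File monitoring" recommendation above calls for detecting sudden increases in file encryption and excessive file renaming. Two cheap heuristics capture both: count extension-changing renames per user inside a sliding time window, and measure the Shannon entropy of rewritten content, since encrypted output is close to 8 bits per byte while ordinary documents are well below that. The code below is an added example of those heuristics, not Log360's file integrity monitoring implementation; the file events, the thresholds and the ".locked" extension are constructed for the sample, not BlackSuit's actual behaviour.

```python
"""Heuristics for the 'sudden increase in file encryption' and 'excessive
file renaming' signals over constructed file-activity events.
Added example code, not Log360's implementation."""
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data,
    typically below 6 for documents and source text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_file_activity(events, window=timedelta(seconds=60),
                         rename_threshold=20, entropy_threshold=7.5):
    """Return alerts for (a) a user performing >= rename_threshold
    extension-changing renames within `window` and (b) any write whose
    content entropy looks encrypted. Thresholds are assumed values."""
    alerts = []
    renames = defaultdict(list)  # user -> timestamps of recent extension-changing renames
    alerted = {}                 # user -> time of last mass-rename alert (suppress repeats)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] == "rename":
            old_ext = ev["path"].rsplit(".", 1)[-1].lower()
            new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
            if old_ext == new_ext:
                continue  # plain rename, not an extension change
            times = renames[ev["user"]]
            times.append(ev["time"])
            while times and ev["time"] - times[0] > window:
                times.pop(0)  # slide the window
            if len(times) >= rename_threshold:
                last = alerted.get(ev["user"])
                if last is None or ev["time"] - last > window:
                    alerts.append({"kind": "mass_rename", "user": ev["user"],
                                   "count": len(times), "time": ev["time"]})
                    alerted[ev["user"]] = ev["time"]
        elif ev["op"] == "write":
            h = shannon_entropy(ev["data"])
            if h >= entropy_threshold:
                alerts.append({"kind": "high_entropy_write", "user": ev["user"],
                               "path": ev["path"], "entropy": round(h, 2)})
    return alerts


def build_sample_events():
    """Constructed sample: one normal edit by 'alice', then a burst in which
    'svc_backup2' rewrites 25 spreadsheets with random bytes and renames them
    to a placeholder '.locked' extension within 25 seconds."""
    rng = random.Random(7)
    t0 = datetime(2024, 6, 1, 2, 30, 0)
    events = [
        {"time": t0, "user": "alice", "op": "write",
         "path": r"\\FS01\share\q2-report.docx", "data": b"Quarterly report draft. " * 200},
        {"time": t0 + timedelta(seconds=5), "user": "alice", "op": "rename",
         "path": r"\\FS01\share\q2-report.docx", "new_path": r"\\FS01\share\q2-report-final.docx"},
    ]
    for i in range(25):
        t = t0 + timedelta(seconds=60 + i)
        name = rf"\\FS01\share\finance\invoice-{i:03d}.xlsx"
        events.append({"time": t, "user": "svc_backup2", "op": "write",
                       "path": name, "data": rng.randbytes(2048)})
        events.append({"time": t, "user": "svc_backup2", "op": "rename",
                       "path": name, "new_path": name + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_file_activity(build_sample_events()):
        print(alert)
```

The rename counter fires once per window rather than on every file past the threshold, which keeps a burst of thousands of files from producing thousands of alerts; the entropy check is per write, which is what makes the first few encrypted files visible before the rename count crosses its threshold.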
Related solutions
ManageEngine Log360 is a comprehensive SIEM solution with advanced ransomware detection and mitigation capabilities. Log360 stands out as one of the best ransomware protection solutions, offering the following features:
- 360-degree network visibility: Log360 provides complete visibility into the network through out-of-the-box audit reports and interactive dashboards on a single console.
- Ransomware detection: Predefined correlation rules and alert profiles for ransomware detection help identify potential ransomware activities in real time.
- User and entity behavior analytics: With its ML-based behavior monitoring capabilities, Log360 detects anomalous activities in the network to identify potential signs of a ransomware attack.
- File monitoring: Log360's file integrity monitoring feature helps monitor unauthorized file accesses, creations, deletions, and modifications to protect sensitive data from ransomware.
- Cloud app security: Log360's CASB capabilities help blocklist suspicious websites and ban malicious applications to secure sensitive cloud data from ransomware threats.
- Ransomware incident response: Its ransomware detection alert profiles include built-in incident response workflows that, when enabled, prevent the propagation of ransomware attacks.
To explore more, sign up for a personalized demo of Log360. Or, you can discover on your own with a fully functional, 30-day, free trial software download.