| BlackSuit Ransomware Group | |
| --- | --- |
| Other Names | BlackSuit, Black Suit, BlackSuit Virus |
| Location | Unknown |
| Date of initial activity | 2023 |
| Suspected attribution | Unknown |
| Associated Groups | Royal ransomware |
| Motivation | Financial gain. Files are encrypted and locked until the ransom is paid. BlackSuit operates using a double extortion method: it encrypts and exfiltrates victim data, then publishes the stolen data on public data leak sites for those victims who fail to comply with its demands. |
| Associated tools | BlackSuit ransomware |
| Active | Yes |
Overview
The BlackSuit ransomware operation emerged in early April/May of 2023. The group is a multi-pronged extortion outfit, encrypting and exfiltrating victim data and hosting public data leak sites for those victims that fail to comply with their demands. BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a compromised network.
The group is known for significant attacks against entities in the healthcare and education sectors, along with other critical industries. BlackSuit is a private operation in that there are no public affiliates.
BlackSuit payloads share many technical similarities with Royal ransomware payloads, including similar encryption mechanisms and command-line parameters.
Common targets
Large enterprises and small to medium-sized businesses (SMBs) are targeted, though there does not appear to be any specific discrimination when it comes to industry or type of target. To date, BlackSuit targeting has favored those in the healthcare, education, information technology (IT), government, retail, and manufacturing industries.
Attack Vectors
Payloads are delivered via phishing email or third party framework (e.g., Empire, Metasploit, Cobalt Strike). The use of malicious torrent files has also been observed as a delivery vector for BlackSuit ransomware.
How they operate
The group emerged with payloads that support both Windows and Linux operating systems; the delivery vectors are those described under Attack Vectors above.
BlackSuit payloads, on both Windows and Linux, utilize OpenSSL’s implementation of AES for data encryption and support intermittent (partial) encryption via the -percent option. Linux payloads can additionally target VMware ESXi servers, for example via the -killvm option.
BlackSuit encryption is extremely rapid. Local logical drive details are obtained at launch, after which the ransomware very quickly processes all available files and folders on every reachable volume.
On Windows systems, the ransomware will attempt to inhibit system recovery by removing Volume Shadow Copies (VSS). This is handled via a hidden shell command which launches VSSADMIN.EXE with the /ALL and /Quiet options.
BlackSuit ransom notes are written to all folders which contain encrypted items. The ransom notes are written as “README.BlackSuit.txt”.
Once the ransomware infects a system, it uses the FindFirstFileW() and FindNextFileW() API functions to enumerate the files and directories, and initiates the encryption process. BlackSuit ransomware uses the Advanced Encryption Standard (AES) algorithm to encrypt files.
The AES algorithm is a symmetric encryption algorithm that is widely used for encrypting data. BlackSuit ransomware uses OpenSSL’s AES for encryption, and leverages similar intermittent encryption techniques for fast and efficient encryption of victim files.
If the victim fails to comply with its demands, BlackSuit publishes the exfiltrated data on its public data leak sites.
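As an added, illustrative example (not code from the original page or from any vendor tooling), the following Python checks constructed process-creation and file-creation events for the two host artefacts described above: the hidden vssadmin shadow-copy deletion with /ALL and /Quiet, and the README.BlackSuit.txt ransom note. The event field names and the sample paths are assumptions, and the correlation step escalates a process that produces both artefacts.

```python
import re
from typing import Dict, List, Set

# Constructed sample telemetry (not real logs): Windows process-creation and
# file-creation events in the shape an EDR might report. Field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"',
     "parent": r"C:\Users\Public\update.exe"},          # hypothetical dropper path
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},         # benign admin use, must not fire
    {"type": "file", "path": r"C:\Users\alice\Documents\README.BlackSuit.txt",
     "process": r"C:\Users\Public\update.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt",
     "process": r"C:\Windows\explorer.exe"},
]

VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(^|[\\/])README\.BlackSuit\.txt$", re.IGNORECASE)


def is_vss_deletion(cmdline: str) -> bool:
    """True for 'vssadmin delete shadows' carrying both /all and /quiet, in any order."""
    lowered = cmdline.lower()
    return bool(VSS_DELETE.search(lowered)) and "/all" in lowered and "/quiet" in lowered


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per matching event, attributed to the responsible process.
    For the VSS rule that is the parent that spawned the hidden shell, not cmd.exe."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process" and is_vss_deletion(ev["cmdline"]):
            findings.append({"rule": "vss_shadow_deletion", "process": ev["parent"], "detail": ev["cmdline"]})
        elif ev["type"] == "file" and RANSOM_NOTE.search(ev["path"]):
            findings.append({"rule": "blacksuit_ransom_note", "process": ev["process"], "detail": ev["path"]})
    return findings


def correlate(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Recovery inhibition plus a ransom note from the same process is a far
    stronger signal than either alone, so such a process is rated 'high'."""
    rules_by_proc: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_proc.setdefault(f["process"], set()).add(f["rule"])
    return {proc: ("high" if len(rules) > 1 else "medium") for proc, rules in rules_by_proc.items()}


if __name__ == "__main__":
    for proc, severity in correlate(detect(SAMPLE_EVENTS)).items():
        print(f"{severity.upper()}: {proc}")
```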
Defense and Mitigations
Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. Here are some recommendations:
• Create an inventory of assets and data
• Identify authorized and unauthorized devices and software
• Conduct audits of event and incident logs
• Manage hardware and software configurations
• Grant administrative privileges and access only when necessary
• Monitor network ports, protocols, and services
• Establish a whitelist of approved software applications
• Implement measures for data protection, backup, and recovery
• Enable multi-factor authentication (MFA)
• Deploy up-to-date security solutions across all system layers
• Remain vigilant for early indications of an attack
Significant Attacks
- BlackSuit Ransomware lays claim to an early November cyberattack still disrupting the Henry County School system. (December 2023)
- BlackSuit Ransomware claims attack on Group Health Cooperative of South Central Wisconsin. (April 2024)