
BlackSuit (Ransomware) – Malware

April 14, 2024

BlackSuit malware

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2023

Associated Groups

BlackSuit ransomware, Royal ransomware

Targeted Countries

Thus far, the group has targeted the following countries: the United States, Canada, Brazil, and the United Kingdom.

Motivation

Financial gain

Attack vectors

Infected email attachments (macros): Cybercriminals may distribute BlackSuit ransomware through email attachments that contain malicious links or macros. Users who open these attachments or enable macros can inadvertently trigger the execution of the ransomware on their system.

Torrent websites: BlackSuit ransomware can be embedded into torrent files, which are commonly used for downloading and sharing files through peer-to-peer networks. When users download and open these infected torrent files, their systems can become infected with the ransomware.

Malicious ads: Malicious ads, also known as malvertising, can be used as a method to distribute BlackSuit ransomware. Users who click on these ads may be redirected to websites that automatically download and install the ransomware on their system.

Trojans: BlackSuit ransomware can be delivered through Trojans, which are malicious programs that can download and install other types of malware, including ransomware. Trojans can be distributed through various means, such as phishing emails, fake software updates, or compromised websites.

Targeted systems

Windows and Linux

Variants

Windows Variant: The 32-bit Windows variants of the BlackSuit and Royal ransomware families share a 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% similarity in jumps based on BinDiff. BlackSuit and Royal use OpenSSL’s AES for encryption and leverage similar intermittent encryption techniques.


Linux Variant: The Linux variant of BlackSuit is a 64-bit ELF executable compiled with GCC (SHA-256: 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e). The Linux variants of Royal and BlackSuit share 98% similarity in functions, 99.5% similarity in basic blocks, and 98.9% similarity in jumps according to BinDiff.

Overview

The BlackSuit ransomware group and its strain are a relatively new threat, first observed in early May 2023. The Windows payload is a 32-bit executable written in C/C++. Its operators are likely experienced, given the potential ties to Royal (and, by extension, Conti); both Royal and the former Conti groups were known for well-developed organizational systems, business models, and skilled operators. BlackSuit operates a double extortion model: it steals sensitive data from a compromised network and then encrypts it. It primarily targets Windows and Linux systems and prevents victims from accessing their files by encrypting them. It appends the ".blacksuit" extension to the files it encrypts, changes the desktop wallpaper, renames files, and creates and drops its ransom note ("README.BlackSuit.txt") into the directory; the note lists the group's TOR chat site along with a unique ID for each victim. The operators also run a data leak site as the second prong of their extortion strategy, used to coerce victims into paying the ransom demand. The ransom note makes several claims, most notably that essential files have been encrypted and stored on a secure server, and that financial reports, intellectual property, personal files, and other sensitive data have therefore been compromised. Currently, there is no known public decryptor for BlackSuit ransomware.

Targets

Large enterprises and small to medium-sized businesses (SMBs) are targeted, though there does not appear to be any specific discrimination when it comes to industry or type of target. To date, BlackSuit targeting has favored those in the healthcare, education, information technology (IT), government, retail, and manufacturing industries.

How they operate

Upon execution, BlackSuit calls GetCommandLineW to obtain its command-line arguments and compares them against a predefined list of strings: -name, -percentage, -noprotect, -disablesafeboot, -local, -network, -delete, -list, and -p. When an argument matches, the corresponding flag variable is set to one. These flags define the operations the executable performs at runtime and are supplied as command-line parameters. For the binary to execute successfully, the "-name" parameter must be provided; it serves as a distinct 32-character identifier assigned to each victim. The ransomware then creates a mutex and checks, via GetLastError(), whether a mutex with the same name already exists; if the error value is 183 (ERROR_ALREADY_EXISTS), the ransomware terminates itself.

Next, the ransomware checks whether the flag variable for the "-local" parameter is zero, meaning the parameter was not passed. If so, it creates a thread with CreateThread() to enumerate network devices. That thread uses the NetShareEnum() API to obtain information about the network shares available on the local system. With the list of shares in hand, the ransomware connects to the administrative (ADMIN$) and interprocess communication (IPC$) shares, enabling lateral movement to infect other systems on the same network.

The ransomware then checks for the "-network" parameter. If it is absent, execution proceeds to the function responsible for fetching drive details: it calls GetLogicalDriveStringsW to retrieve the list of logical drives and iterates over it, using FindFirstFileW() to search for files on each drive. If FindFirstFileW returns a valid handle, it calls GetDriveTypeW to determine whether the drive is removable or fixed.

The binary then attempts to inhibit system recovery by deleting shadow copies, executing the vssadmin command with the "/All" and "/Quiet" options. It checks for the "-disablesafeboot" parameter; if present, it disables safe boot mode using "bcdedit.exe" with the argument /deletevalue {current} safeboot, invoking the 64-bit version of "bcdedit.exe" when it detects a 64-bit OS, and then initiates an immediate restart with "shutdown.exe" and the arguments "/r /t 0". If the "-delete" parameter was provided, the ransomware deletes itself after encryption to obscure traces for investigators.

Following process termination, the ransomware prepares files for encryption, excluding specific ones such as vital system files, previously encrypted files, and its own ransom notes. The "-vmonly" parameter limits encryption to files related to VMware virtual machines. Once the file list is prepared, the ransomware generates encryption keys and encrypts the files using the AES algorithm. During this process it drops the ransom note, "README.BlackSuit.txt," into each traversed directory and renames encrypted files by appending the ".BlackSuit" extension; the note provides payment instructions and a Tor link for contacting the attacker.
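As an added example that is not from the original write-up, the following Python scans process-creation events for two of the behaviours described above: the recovery-inhibition commands (vssadmin with /All and /Quiet, bcdedit /deletevalue {current} safeboot, shutdown /r /t 0) and a command line carrying the ransomware's own flag set together with a 32-character -name value. The Sysmon-like `Image=... CommandLine=...` event format, the rule names and the sample events are assumptions constructed for this demonstration, not real telemetry.

```python
import re
# Flags the write-up says the BlackSuit binary compares its arguments against.
BLACKSUIT_FLAGS = {"-name", "-percentage", "-noprotect", "-disablesafeboot",
                   "-local", "-network", "-delete", "-list", "-p", "-vmonly"}

# Recovery-inhibition commands named in the write-up, matched case-insensitively.
RECOVERY_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin\b(?=.*\s/all\b)(?=.*\s/quiet\b)", re.I),
    "safeboot_removed": re.compile(r"\bbcdedit\b.*\s/deletevalue\s+\{current\}\s+safeboot\b", re.I),
    "forced_restart": re.compile(r"\bshutdown\b.*\s/r\b.*\s/t\s+0\b", re.I),
}

def command_line(event: str) -> str:
    """Pull the CommandLine= value out of a one-line process-creation event."""
    m = re.search(r"CommandLine=(.*)$", event)
    return m.group(1).strip() if m else ""

def blacksuit_flags(cmd: str) -> set:
    """Return the BlackSuit-style flags present, but only when the mandatory -name
    flag carries a 32-character victim ID, so a lone benign '-p' never fires."""
    tokens = [t.strip('"') for t in cmd.split()]
    lowered = [t.lower() for t in tokens]
    if "-name" not in lowered:
        return set()
    idx = lowered.index("-name")
    victim_id = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    return BLACKSUIT_FLAGS & set(lowered) if len(victim_id) == 32 else set()

def classify(event: str) -> list:
    """Name every BlackSuit-related behaviour a single event exhibits."""
    cmd = command_line(event)
    hits = [name for name, rx in RECOVERY_RULES.items() if rx.search(cmd)]
    flags = blacksuit_flags(cmd)
    if flags:
        hits.append("blacksuit_cmdline:" + ",".join(sorted(flags)))
    return hits

# Constructed sample events in a Sysmon-like key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe delete shadows /All /Quiet",
    r"Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit.exe /deletevalue {current} safeboot",
    r"Image=C:\Windows\System32\shutdown.exe CommandLine=shutdown.exe /r /t 0",
    r"Image=C:\Users\Public\enc.exe CommandLine=enc.exe -name 0123456789abcdef0123456789abcdef -disablesafeboot -delete",
    r"Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs -p",
    r"Image=C:\Users\Public\tool.exe CommandLine=tool.exe -name abc -list",  # ID too short
]

def scan(events=SAMPLE_EVENTS) -> dict:
    """Map each event's index to its findings, leaving clean events out."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

The svchost and short-ID events are included to show that the -name length check keeps common benign `-p` arguments from raising a finding on their own.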

Techniques Used

  • Execution: User Execution (T1204); Command and Scripting Interpreter (T1059)
  • Discovery: Process Discovery (T1057); System Information Discovery (T1082); File and Directory Discovery (T1083)
  • Impact: Data Encrypted for Impact (T1486); Inhibit System Recovery (T1490)

Tools

A third-party framework (e.g., Empire, Metasploit, Cobalt Strike). OpenSSL's implementation of AES for data encryption.

Defense and Mitigations

Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. Here are some recommendations:

  • Create an inventory of assets and data
  • Identify authorized and unauthorized devices and software
  • Conduct audits of event and incident logs
  • Manage hardware and software configurations
  • Grant administrative privileges and access only when necessary
  • Monitor network ports, protocols, and services
  • Establish a whitelist of approved software applications
  • Implement measures for data protection, backup, and recovery
  • Enable multi-factor authentication (MFA)
  • Deploy up-to-date security solutions across all system layers
  • Remain vigilant for early indications of an attack

Significant Malware Campaigns

  • Tampa Bay Zoo targeted by Royal ransomware. (July 2023)
  • BlackSuit claims an early November cyberattack still disrupting the Henry County School system. (December 2023)
  • BlackSuit ransomware gang claims attack on non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin. (April 2024)
References:
  • Tampa Bay Zoo targeted in cyberattack by apparent offshoot of Royal ransomware
  • Georgia county school district claimed by BlackSuit ransom gang
  • GHC-SCW: Ransomware gang stole health data of 533,000 people
  • BlackSuit Ransomware
  • BlackSuit Ransomware Strikes Windows and Linux Users