The U.S. CISA (Cybersecurity and Infrastructure Security Agency), in partnership with the Federal Bureau of Investigation (FBI), updated an earlier cybersecurity advisory to notify network defenders of the rebrand of ‘Royal’ ransomware actors to ‘BlackSuit.’ The update includes recent and historically observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods related to BlackSuit ransomware. Also, ‘Royal’ was updated to ‘BlackSuit’ throughout unless referring to legacy Royal activity with updates and new content noted. FBI investigations identified these TTPs and IOCs as recently as July 2024.
The advisory noted that BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing. The agencies urge network defenders to examine the revised advisory and implement the suggested mitigation strategies. These strategies are crucial for organizations to adopt immediately to counteract threats associated with BlackSuit ransomware.
These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Some of the key measures include prioritizing the remediation of vulnerabilities that are known to be exploited, educating users to identify and report phishing attempts, and implementing and enforcing multifactor authentication (MFA).
“BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities,” the agencies disclosed.
BlackSuit conducts data exfiltration and extortion before encryption and then publishes victim data to a leaked site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.
The advisory disclosed that ransom demands have typically ranged from approximately US$1 million to $10 million with payment demanded in Bitcoin. “BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million. BlackSuit actors have exhibited a willingness to negotiate payment amounts. Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a [dot]onion URL (reachable through the Tor browser) provided after encryption,” it added.
Recently, an uptick was observed in the number of instances where victims received telephonic or email communications from BlackSuit ransomware hackers regarding the compromise and ransom. BlackSuit uses a leak site to publish victim data based on non-payment.
The BlackSuit ransomware hackers use a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection, and also significantly improves ransomware speed. In addition to encrypting files, BlackSuit actors also engage in double extortion tactics in which they threaten to publicly release the exfiltrated data if the victim does not pay the ransom.
BlackSuit hackers gain initial access to victim networks in several ways, including phishing; Remote Desktop Protocol (RDP); public-facing applications; and leveraging initial access brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.
Once BlackSuit ransomware hackers gain access to a network, they communicate with command and control (C2) infrastructure and download multiple tools. Legitimate Windows software is repurposed by BlackSuit actors to strengthen their foothold within the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities. Historically, Royal actors were observed leveraging Chisel, Secure Shell (SSH) client, PuTTY, OpenSSH, and MobaXterm, to communicate with their C2 infrastructure.
Historically, Royal threat actors used RDP and legitimate operating system (OS) diagnostic tools to move laterally across a network. BlackSuit hackers used RDP and PsExec as well but also use SMB to move laterally. In one confirmed case, BlackSuit actors used a legitimate admin account to remotely log on to the domain controller via SMB. Once on the domain controller, the hacker deactivated the antivirus software by modifying Group Policy Objects.
The FBI observed BlackSuit hackers using legitimate remote monitoring and management (RMM) software, to maintain persistence in victim networks. They also use SystemBC and Gootloader malware to load additional tools and maintain persistence.
BlackSuit hackers have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks. The publicly available credential-stealing tool Mimikatz and password-harvesting tools from Nirsoft have also been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes.
The advisory disclosed that the BlackSuit actors exfiltrate data from victim networks by repurposing legitimate cyber penetration testing tools, such as Cobalt Strike, and malware tools/derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, BlackSuit actors’ first hop in exfiltration and other operations is usually a U.S. IP address. Furthermore, BlackSuit hackers also use RClone and Brute Ratel for exfiltration.
Before starting the encryption process, BlackSuit ransomware hackers use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications; and use Windows Volume Shadow Copy service (vssadmin[dot]exe) to delete shadow copies to inhibit system recovery.
FBI has found numerous batch ([dot]bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user, force a group policy update, set pertinent registry keys to auto-extract and execute the ransomware, monitor the encryption process, and delete files upon completion, including Application, System, and Security event logs. Registry Keys created can be modified and deleted to enable persistence on the victim’s system.
Recognizing that insecure software is the root cause of the majority of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues. These include embedding security into product architecture throughout the entire software development lifecycle (SDLC); mandating MFA, ideally phishing-resistant MFA, for privileged users, and making MFA a default, rather than an opt-in, feature.
Additionally, these mitigations align with tactics provided in an April 2023 guidance focused on shifting the balance of cybersecurity risk in line with appropriate principles and approaches for ‘Secure by Design’ software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure-by-design tactics.
By using secure-by-design tactics, software manufacturers can make their product lines secure ‘out of the box’ without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.