BlackSuit Ransomware Strikes Windows And Linux Users – Cyble

Cyble Research and Intelligence Labs identifies BlackSuit ransomware targeting Windows and Linux; its Linux variant shares code with Royal ransomware. The malware parses command-line parameters, enforces a single running instance with a mutex, and moves laterally over network shares before encrypting files and dropping an embedded ransom note that directs victims to an onion-based C2 channel. #BlackSuit #RoyalRansomware #Cylance #Unit42 #PaloAltoNetworks

Keypoints

  • BlackSuit ransomware targets both Windows and Linux environments; Linux variant is described as a 64-bit ELF and shares similarities with Royal ransomware.
  • The malware communicates with victims through an onion (Tor) site, indicating a hidden C2 channel.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Reads its command-line arguments with GetCommandLineW and compares them against a predefined switch list. ‘The BlackSuit ransomware utilizes the GetCommandLineW function to acquire the command-line arguments. Subsequently, it compares these arguments with a predefined list of strings, such as -name, -percentage, -noprotect, -disablesafeboot, -local, -network, -delete, -list, and -p.’
  • [T1106] Native API – The ransomware calls Windows APIs (GetCommandLineW, CreateMutexW, NetShareEnum, FindFirstFileW, GetDriveTypeW) to perform its operations. ‘The ransomware uses Windows API calls to achieve its goals, including GetCommandLineW to acquire command-line arguments and CreateMutexW() to generate a mutex.’
  • [T1135] Network Share Discovery – NetShareEnum() is used to obtain information about available network shares. ‘the ransomware uses the NetShareEnum() API to obtain information about the available network shares on the local system.’
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement via ADMIN$ and IPC$ shares. ‘Once it obtains the list of network shares, the ransomware establishes connections to the administrative (ADMIN$) and interprocess communication (IPC$) shares.’
  • [T1083] File and Directory Discovery – Enumerates files/directories with FindFirstFileW/FindNextFileW. ‘The ransomware binary attempts to enumerate files and directories using FindFirstFileW() and FindNextFileW().’
  • [T1082] System Information Discovery – Determines drive types with GetDriveTypeW. ‘GetDriveTypeW API to determine whether the drive type is removable or fixed.’
  • [T1490] Inhibit System Recovery – Deletes shadow copies via vssadmin to hinder recovery. ‘to inhibit the system recovery by deleting the shadow copies’.
  • [T1486] Data Encrypted for Impact – Encrypts files using AES after preparing keys. ‘Once the keys have been prepared, the ransomware initiates the encryption process by applying the AES algorithm to encrypt files.’
  • [T1071.001] Web Protocols – Uses an onion site for C2 communications. ‘Communicates with its victims through an onion site.’

Indicators of Compromise

  • [File Hash] Windows Executable – 748de52961d2f182d47e88d736f6c835 (MD5) and 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c (SHA256) – BlackSuit Windows Executable
  • [File Hash] Linux Executable – 9656cd12e3a85b869ad90a0528ca026e (MD5) and 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e (SHA256) – BlackSuit Linux Executable
  • [File Name] README.BlackSuit.txt – Ransom note dropped in every directory during encryption
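The MITRE techniques and the indicators above can be turned into a small triage routine for process-creation telemetry and file hashes. The following Python script is an added example written for this summary, not code from Cyble or from the report; the switch list, the two executable hashes, the ransom-note file name and the vssadmin shadow-copy deletion come from the page, while the event records, process IDs and placeholder hash in `SAMPLE_EVENTS` are constructed for illustration. The two-switch threshold is an assumption: `-p` or `-list` alone appears in plenty of benign tools, so a single match is deliberately not flagged.

```python
"""Defender-side triage helpers built from the BlackSuit indicators in this summary.

Constructed example: the event records below are made up for illustration; the
switch list, hashes, ransom-note name and vssadmin behaviour come from the report.
"""
import hashlib
import re

# Command-line switches the report says BlackSuit compares its arguments against (T1059).
BLACKSUIT_SWITCHES = frozenset({
    "-name", "-percentage", "-noprotect", "-disablesafeboot",
    "-local", "-network", "-delete", "-list", "-p",
})

# File hashes listed in the report (Windows and Linux executables).
IOC_SHA256 = frozenset({
    "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c",
    "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e",
})
IOC_MD5 = frozenset({
    "748de52961d2f182d47e88d736f6c835",
    "9656cd12e3a85b869ad90a0528ca026e",
})
RANSOM_NOTE = "README.BlackSuit.txt"

# Shadow-copy deletion (T1490): "vssadmin delete shadows", with or without the .exe suffix.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Assumed threshold: distinct BlackSuit switches needed before a command line is flagged.
MIN_SWITCH_HITS = 2


def blacksuit_switches(cmdline: str) -> list[str]:
    """Return the sorted, de-duplicated BlackSuit switches present in a command line."""
    tokens = {tok.lower() for tok in cmdline.split()}
    return sorted(tokens & BLACKSUIT_SWITCHES)


def hash_matches(sha256: str = "", md5: str = "") -> list[str]:
    """Return which IoC hash sets ('sha256', 'md5') a file's digests match."""
    hits = []
    if sha256.lower() in IOC_SHA256:
        hits.append("sha256")
    if md5.lower() in IOC_MD5:
        hits.append("md5")
    return hits


def digest_bytes(data: bytes) -> tuple[str, str]:
    """SHA256 and MD5 hex digests of file contents, in the order hash_matches expects."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def analyze_event(event: dict) -> list[str]:
    """Triage one process-creation record; return readable findings (empty list if clean)."""
    findings = []
    cmdline = event.get("cmdline", "")
    switches = blacksuit_switches(cmdline)
    if len(switches) >= MIN_SWITCH_HITS:
        findings.append(f"T1059: BlackSuit-style switches {switches}")
    if VSSADMIN_DELETE.search(cmdline):
        findings.append("T1490: shadow copy deletion via vssadmin")
    for algo in hash_matches(event.get("sha256", ""), event.get("md5", "")):
        findings.append(f"image {algo} matches BlackSuit IoC")
    return findings


def find_ransom_notes(paths) -> list[str]:
    """From an iterable of file paths (e.g. a directory walk), return those named like the note."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1] == RANSOM_NOTE]


# Constructed sample telemetry (not from the report): one BlackSuit-like launch whose image
# hash matches the Windows IoC, one shadow-copy wipe, and one benign tool using a lone "-p".
SAMPLE_EVENTS = [
    {"pid": 4120,
     "cmdline": r"C:\Users\Public\svc.exe -name x1 -percentage 50 -network -disablesafeboot",
     "sha256": "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"},
    {"pid": 4133,
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
     "sha256": "0" * 64},  # constructed placeholder, not a real hash
    {"pid": 5001,
     "cmdline": r"C:\Tools\netcheck.exe -p 8443",
     "sha256": "1" * 64},  # constructed placeholder, not a real hash
]


def triage(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Run analyze_event over a batch; return only records with findings, keyed by pid."""
    return {e["pid"]: f for e in events if (f := analyze_event(e))}


if __name__ == "__main__":
    for pid, findings in triage().items():
        print(pid, *findings, sep="\n  ")
    print(find_ransom_notes([r"C:\data\README.BlackSuit.txt", r"C:\data\report.docx"]))
```

Feed `analyze_event` records from an EDR or Sysmon process-creation feed (command line plus image hashes), and pass a directory walk to `find_ransom_notes` to locate affected trees; hash matching alone is brittle against recompiled samples, so the switch-set and vssadmin checks carry most of the detection value.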

Read more: https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/