Dark Web Profile: BlackSuit Ransomware – SOCRadar® Cyber Intelligence Inc.

BlackSuit ransomware is a rebranded version of the Royal ransomware, aimed at evading detection and sustaining operations after heightened law enforcement actions. It leverages phishing, exploits software vulnerabilities, and uses legitimate remote tools to infiltrate victims, followed by dual extortion involving data exfiltration and strong file encryption.

Key Points

  • BlackSuit is a rebranding of Royal ransomware, signaling a strategic shift to avoid detection after law enforcement actions.
  • Royal ransomware originated from remnants of the Conti group, with connections clearly highlighted in advisory updates.
  • Since 2022, Royal/BlackSuit has targeted over 350 victims globally, with ransoms exceeding $275 million and impacts across critical sectors.
  • Common initial access methods include phishing emails and exploiting known software vulnerabilities in unpatched systems.
  • BlackSuit uses legitimate tools (AnyDesk, MobaXterm) for persistence and remote access, and network tunneling tools (Chisel, Cloudflared) to bypass defenses.
  • Credential theft via Mimikatz and strong encryption (OpenSSL AES) for Windows and Linux payloads underpin its attack chain.
  • The group pursues a dual extortion model by exfiltrating data before encryption and threatening to leak it if ransom is not paid.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “exploits known vulnerabilities in software and systems to gain unauthorized access.”
  • [T1566.001] Phishing – “phishing emails, where attackers send deceptive messages designed to trick recipients into clicking on malicious links or downloading infected attachments.”
  • [T1133] External Remote Services – “uses legitimate remote access tools like AnyDesk and MobaXterm for establishing and maintaining remote access.”
  • [T1572] Protocol Tunneling – “network tunneling tools such as Chisel and Cloudflared.”
  • [T1003] Credential Dumping – “uses Mimikatz to harvest credentials from memory.”
  • [T1486] Data Encrypted for Impact – “The ransomware encrypts files using strong encryption algorithms.”
  • [T1041] Exfiltration – “exfiltrate sensitive data before encrypting files, threatening to leak the data if the ransom is not paid.”
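
The techniques above form a recognisable chain on a single host: a legitimate remote-access tool, a tunneling tool, and a credential-dumping tool appearing together. As an added example that is not from the SOCRadar article, the script below correlates constructed process-creation log lines per host and flags hosts where two or more stages of that chain are observed; the log format, field layout, patterns and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: "<host> <user> <image path> <command line>".
# These are not real telemetry; 203.0.113.5 is a documentation-range address.
SAMPLE_LOGS = [
    "ws01 alice C:\\Windows\\System32\\cmd.exe cmd /c whoami",
    "ws01 alice C:\\Users\\alice\\Downloads\\AnyDesk.exe AnyDesk.exe --silent",
    "ws01 alice C:\\Temp\\chisel.exe chisel client 203.0.113.5:8080 R:socks",
    "ws01 alice C:\\Temp\\m.exe m.exe sekurlsa::logonpasswords",
    "srv02 svc C:\\Program Files\\MobaXterm\\MobaXterm.exe MobaXterm.exe",
]

# One pattern per stage of the chain described in the profile (T1133, T1572, T1003).
# Matching on the command line as well as the image name catches renamed binaries
# such as the "m.exe" line above.
STAGES = {
    "remote_access": re.compile(r"(anydesk|mobaxterm)", re.I),
    "tunneling": re.compile(r"(chisel|cloudflared)", re.I),
    "credential_dump": re.compile(r"(mimikatz|sekurlsa)", re.I),
}


def parse_line(line):
    """Split a constructed log line into host, user and the image+command-line remainder."""
    host, user, rest = line.split(" ", 2)
    return {"host": host, "user": user, "detail": rest}


def classify(event):
    """Return the set of chain stages an event matches (empty for benign activity)."""
    return {name for name, rx in STAGES.items() if rx.search(event["detail"])}


def correlate(lines, alert_threshold=2):
    """Return {host: sorted stages} for hosts with at least alert_threshold distinct stages."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        seen[event["host"]] |= classify(event)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= alert_threshold}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

A single remote-access tool on a server (srv02 above) is not flagged at the default threshold, which keeps legitimate administrative use of AnyDesk or MobaXterm from raising an alert on its own.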

Indicators of Compromise

  • [IOC] No explicit IOCs listed in the article – no IPs, domains, file hashes, or filenames are provided.

Read more: https://socradar.io/dark-web-profile-blacksuit-ransomware/