Unraveling the BlackSuit Ransomware Network with DNS Insights

A BlackSuit ransomware incident on April 10, 2024 exposed nearly 1 million people’s records, including Social Security numbers, birthdays, and insurance claim data; CISA later updated its advisory and released a STIX file listing 91 IoCs. WhoisXML API’s follow-on analysis expanded those IoCs, uncovering hundreds of related domains, additional IPs (several flagged malicious), and wide geographic distribution of infrastructure. #BlackSuit #Royal

Keypoints

  • On April 10, 2024, a BlackSuit ransomware attack resulted in the theft and exposure of data for nearly 1 million individuals, including SSNs, birthdays, and insurance claim information.
  • Data breach notifications were issued in late August 2024, around the same time CISA updated its BlackSuit advisory and published a STIX file with 91 IoCs (14 domains, 5 subdomains, 72 IPs).
  • CISA characterized BlackSuit as a rebranded variant of the Royal ransomware family, which has targeted healthcare and demanded ransoms from US$250,000 to US$2 million.
  • WhoisXML API expanded the IoC set through DNS and WHOIS analysis, identifying 112 email-connected domains, 10 additional IPs (five malicious), 21 IP-connected domains, and 137 string-connected domains.
  • Geolocation analysis of 72 IP IoCs showed distribution across 29 countries, with the largest counts in the U.S., Algeria, Russia, and Morocco, and multiple ISPs implicated (e.g., The Constant Company, Algeria Telecom).
  • Historical WHOIS records for the domain IoCs contained 31 email addresses (five public), and reverse-WHOIS queries yielded the 112 email-connected domains used for broader threat hunting.
  • DNS lookups for the domain/subdomain IoCs found several domains without active A records and uncovered 10 additional IP addresses not included in the original CISA IoC list.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Used to encrypt victim files and demand payment; quote: ‘Ransomware encrypts files to demand payment for decryption.’
  • [T1003] Credential Dumping – Potential exposure of sensitive records and credentials enabling access to private data; quote: ‘Potential access to sensitive information such as Social Security numbers and insurance claims.’

Indicators of Compromise

  • [Domain names] CISA-listed domain IoCs – 14 domain names and 5 subdomains noted in the STIX file (specific domain strings are not listed verbatim in the article; see CISA advisory/STIX for full list).
  • [IP addresses] CISA-listed IP IoCs – 72 IP addresses in the STIX file; geolocation analysis placed 24 in the U.S., 7 in Algeria, 5 in Russia, and 4 in Morocco, with the full set spread across 29 countries.
  • [Email-connected domains] WhoisXML API discoveries – 112 domains tied to WHOIS email addresses discovered via reverse-WHOIS (examples not enumerated in the article).
  • [WHOIS email addresses] Historical WHOIS artifacts – 31 email addresses found in WHOIS history for the domain IoCs, five of which were publicly visible.
  • [Compromised data types] Stolen personal data – examples include Social Security numbers, birthdays, and insurance claim information exposed in the breach.

On April 10, 2024, threat actors operating BlackSuit ransomware stole and exposed nearly one million people’s records from a software vendor, with the compromised dataset containing highly sensitive items such as Social Security numbers, dates of birth, and insurance claim details. Notifications about the breach were sent in the last week of August 2024, coinciding with an update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on August 27, 2024. CISA’s updated advisory and STIX bundle listed 91 indicators of compromise: 14 domain names, five subdomains, and 72 IP addresses. The agency also described BlackSuit as a rebranded offshoot of the Royal ransomware family, a group known for targeting healthcare organizations and demanding ransoms ranging from approximately US$250,000 to US$2 million.

Researchers at WhoisXML API took CISA’s published IoCs as a starting point and broadened the investigation using WHOIS, DNS, and geolocation tools. Their enrichment work uncovered 112 domains connected by WHOIS email addresses, 10 additional IP addresses (five of which were flagged as malicious), 21 domains linked to IP infrastructure, and 137 string-connected domains tied to the network. A downloadable sample of these additional artifacts is available from the WhoisXML API research page for readers who want a deeper look.

To better understand the original domain IoCs, the team ran 15 domains (the 14 domain names identified as IoCs plus one root domain derived from a subdomain IoC) through a bulk WHOIS lookup and found that one domain lacked current WHOIS data and was excluded from further analysis. They then performed bulk IP geolocation on the 72 IP addresses called out by CISA and found that those IPs were distributed across 29 countries. The largest concentrations were traced to the United States (24 IPs), Algeria (7), Russia (5), and Morocco (4). Smaller clusters appeared in the Netherlands and Argentina (3 IPs each), Germany, Tunisia, and Colombia (2 each), and 20 other countries with one IP apiece. ISP mapping showed The Constant Company and Algeria Telecom each administering seven of the IPs, while Virgin Media, Global Internet Solutions, Maroc Telecom, and Telecom Argentina administered two each; 31 other ISPs hosted one IP each, and 19 IPs had no current ISP information available.

To hunt for related infrastructure, the researchers queried the 14 domain IoCs and the subdomain-derived root domain on the WHOIS History API, revealing 31 email addresses in historical records, five of which were publicly visible. Starting from those public WHOIS emails and using reverse-WHOIS queries, they discovered the 112 email-connected domains after deduplicating results and removing the original IoCs. DNS lookups against the domain and subdomain IoCs showed several domains without active IP resolutions, while the remaining resolved names mapped to 10 IP addresses that were not present in CISA's original list, evidence that the BlackSuit network extends beyond the initially published indicators.
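The two paragraphs above describe a repeatable enrichment procedure: pull domain and IP indicators out of a STIX bundle, derive the registrable root of each subdomain for WHOIS work, resolve the names, flag IPs that the original list did not contain, and deduplicate reverse-WHOIS results against the original IoCs. The following is an added example of that pipeline written for this page; it is not code from WhoisXML API or CISA, and it does not call any vendor API. The STIX bundle, DNS answers and reverse-WHOIS candidates are constructed illustration data using documentation addresses, not real BlackSuit indicators. The pattern parser only handles simple `[type:value = '...']` equality clauses (an assumption; real STIX patterns can be richer), and the root-domain helper takes the last two labels, which is wrong for suffixes such as `co.uk` unless you swap in a public-suffix library.

```python
"""Added example: expand a CISA-style STIX IoC list with DNS and reverse-WHOIS
results, then diff the findings against the original indicators.
All sample data below is constructed for illustration."""
import re
import socket
from collections import Counter

# Constructed STIX 2.1 bundle shaped like the advisory's file (documentation values only).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'example.com']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.example.net']"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']"},
        {"type": "malware", "name": "placeholder-not-an-indicator"},
    ],
}

# Simple equality clauses only; AND/OR combinations are split by findall.
PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def extract_iocs(bundle):
    """Return (domains, ipv4s) as lowercase sets from indicator objects."""
    domains, ips = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for kind, value in PATTERN_RE.findall(obj.get("pattern", "")):
            target = domains if kind == "domain-name" else ips
            target.add(value.strip().lower().rstrip("."))
    return domains, ips


def registrable_root(name):
    """Naive root: last two labels (assumption; use a public-suffix list for co.uk etc.)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def roots_for_whois(domains):
    """Domains plus the root of every subdomain, i.e. the set to feed a bulk WHOIS lookup."""
    return {registrable_root(d) for d in domains}


def resolve_iocs(domains, resolver):
    """resolver(name) -> list of IPv4 strings; empty list means no A record.
    Returns ({name: set(ips)}, set(unresolved_names))."""
    resolved, unresolved = {}, set()
    for name in sorted(domains):
        answers = resolver(name)
        if answers:
            resolved[name] = {a.strip() for a in answers}
        else:
            unresolved.add(name)
    return resolved, unresolved


def new_ips(resolved, known_ips):
    """IPs observed via DNS that the original IoC list did not contain."""
    found = set().union(*resolved.values()) if resolved else set()
    return found - known_ips


def dedupe_connected(candidates, original_domains):
    """Normalise reverse-WHOIS hits and drop anything already in the IoC list."""
    normalised = {c.strip().lower().rstrip(".") for c in candidates if c.strip()}
    return sorted(normalised - original_domains)


def country_summary(ip_to_country):
    """Count IPs per country from a geolocation mapping (input is constructed in the demo)."""
    return Counter(ip_to_country.values())


def live_resolver(name):
    """Real A-record lookup via the system resolver; only used outside the offline demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed offline DNS answers standing in for live lookups.
CONSTRUCTED_DNS = {
    "example.com": ["203.0.113.10", "192.0.2.44"],  # second IP is not in the bundle
    "cdn.example.net": [],                          # no active A record
}


def run_demo():
    domains, ips = extract_iocs(SAMPLE_BUNDLE)
    resolved, unresolved = resolve_iocs(domains, lambda n: CONSTRUCTED_DNS.get(n, []))
    extra = new_ips(resolved, ips)
    connected = dedupe_connected(
        ["Example.COM", "Other.example", "other.example.", "new-one.test"], domains)
    return {
        "whois_targets": sorted(roots_for_whois(domains)),
        "unresolved": sorted(unresolved),
        "new_ips": sorted(extra),
        "email_connected": connected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Swap `live_resolver` in for the lambda in `run_demo` to run against real DNS; keep the offline mapping for unit tests so the comparison logic is exercised deterministically. The `new_ips` set is the part worth alerting on, since it is exactly the "IPs not in the original list" finding the write-up reports, and the unresolved set tells you which indicators are currently dormant rather than absent.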

The published write-up is a snapshot of the full research; the authors provide a download of the complete findings and offer contact channels for organizations seeking tailored intelligence for detection or response. They also include a cautionary disclaimer noting that some entities labeled “malicious” in threat hunts may later be reclassified after additional context or investigation, and advise conducting follow-up verification before taking action based on these findings.

Read more: https://circleid.com/posts/stripping-down-the-blacksuit-ransomware-network-aided-by-dns-data