Key points
- BlackSuit appeared in May 2023 and is tied to Russian and Eastern European threat actors.
- Victims span healthcare, education, IT, government, retail, and manufacturing sectors.
- Operators use double extortion: they encrypt systems and exfiltrate sensitive data to threaten publication.
- Ransom demands are large—reported totals over USD 500 million and individual asks up to USD 60 million.
- High-profile targets include CDK Global, Kadokawa, Octapharma Plasma, educational institutions, and parts of the Brazilian government.
- Initial access vectors frequently involve compromised VPNs, phishing, and exploitation of remote services and vulnerable applications.
- Darktrace’s analysis highlights automated data collection, C2 exfiltration, and use of tools like RDP and WMI for lateral movement and execution.
MITRE Techniques
- [T1098] Account Manipulation – Modifies accounts or credentials to maintain persistence.
- [T0878] Alarm Suppression – Alters or disables alarms and logging to evade detection.
- [T1071] Application Layer Protocol – Uses application-layer protocols for command-and-control communications.
- [T1119] Automated Collection – Automatically gathers data from compromised systems for exfiltration.
- [T1486] Data Encrypted for Impact – Encrypts files to disrupt operations and demand ransom.
- [T1041] Exfiltration Over C2 Channel – Sends stolen data out via established C2 channels.
- [T1210] Exploitation of Remote Services – Leverages remote service vulnerabilities for initial access and lateral movement.
- [T1021.001] Remote Desktop Protocol – Uses RDP sessions for lateral movement and direct access to systems.
- [T1047] Windows Management Instrumentation – Uses WMI to execute commands and move laterally.
Indicators of Compromise
- [domain] C2 / hosting contexts – mystuff.bublup[.]com, bublup-media-production.s3.amazonaws[.]com
- [ip address] Observed C2 / infrastructure – 137.220.61[.]94, 173.251.109[.]106, and 1 more IP
- [file name] Malicious payloads and scripts – zzza.exe, socks5.ps1, and 1 more file
- [file extension] Ransomware marker – .blacksuit (used for encrypted files and ransom notes)
- [file name] Ransom note example – readme.blacksuit.txt (ransom instructions left on compromised systems)
BlackSuit surfaced in 2023 and quickly expanded its reach across industries by combining data theft with encryption to pressure victims into paying large ransoms. Analysts consider it a likely offshoot of Royal ransomware; its operators have targeted corporate and public-sector environments worldwide and have demanded sums reported in the hundreds of millions collectively, with some individual demands reaching tens of millions.
Attack chains recorded by Darktrace show recurring patterns: attackers gain initial access via VPN compromises, phishing, or exploiting remote services, deploy automated collection tools to harvest sensitive data, use application-layer channels to communicate with C2 servers, and employ RDP and WMI for lateral movement before encrypting systems. They also attempt to suppress alarms and manipulate accounts to prolong access and avoid detection.
Organizations should prioritize multi-factor authentication for remote access, timely patching of exposed services, segmented networks to limit lateral movement, robust logging and monitoring to detect alarm-suppression and account-manipulation attempts, and tested incident response plans that assume both encryption and data-leak extortion. Proactive detection and rapid containment remain essential to reduce the impact of groups using BlackSuit-style tactics.
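The file-system markers listed under Indicators of Compromise (the `.blacksuit` extension and the `readme.blacksuit.txt` note) can feed a simple detection of the encryption phase described above. The following is an added example written for this page, not Darktrace's or the page's own code; the log format, host names, timestamps and the burst threshold/window are constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "readme.blacksuit.txt"   # ransom note name from the page's IoC list
ENCRYPTED_EXT = ".blacksuit"           # encrypted-file extension from the IoC list
BURST_THRESHOLD = 5                    # assumed tuning: renames per host...
BURST_WINDOW = timedelta(seconds=60)   # ...inside this window = encryption burst

# Constructed sample log, one event per line: "<ISO timestamp> <host> <event> <path>".
SAMPLE_LOG = r"""
2024-06-18T02:14:01 WS-017 RENAME C:\Users\alice\Documents\q1.xlsx.blacksuit
2024-06-18T02:14:02 WS-017 RENAME C:\Users\alice\Documents\q2.xlsx.blacksuit
2024-06-18T02:14:03 WS-017 RENAME C:\Users\alice\Documents\board deck.pptx.blacksuit
2024-06-18T02:14:04 WS-017 RENAME C:\Users\alice\Documents\q3.xlsx.blacksuit
2024-06-18T02:14:05 WS-017 RENAME C:\Users\alice\Documents\q4.xlsx.blacksuit
2024-06-18T02:14:06 WS-017 CREATE C:\Users\alice\Documents\readme.blacksuit.txt
2024-06-18T02:30:00 WS-042 RENAME C:\Temp\old.log.blacksuit
"""

def parse_event(line):
    """Split one log line into (timestamp, host, event, path); paths may contain spaces."""
    ts, host, event, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, event, path

def detect(lines):
    """Return (host, alert_kind, timestamp) for ransom-note drops and rename bursts."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of renames to .blacksuit
    for line in lines:
        ts, host, _event, path = parse_event(line)
        name = ntpath.basename(path).lower()
        if name == RANSOM_NOTE:
            alerts.append((host, "ransom_note", ts))
        elif name.endswith(ENCRYPTED_EXT):
            renames[host].append(ts)
    # Sliding window over each host's sorted timestamps; one alert per host
    # as soon as BURST_THRESHOLD renames fall inside BURST_WINDOW.
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append((host, "encryption_burst", stamps[start]))
                break
    return alerts
```

Calling `detect(SAMPLE_LOG.strip().splitlines())` flags WS-017 twice (ransom note plus a rename burst) and ignores the single rename on WS-042; in a real deployment the constructed lines would be replaced by file-event telemetry from the endpoint agent, and the window tuned against normal rename volume.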