August 8, 2024
Severity
High
Analysis Summary
BlackSuit is a ransomware strain whose operators have demanded more than $500 million in ransom in total, with the largest single demand reaching $60 million, according to an updated joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The advisory reads, “BlackSuit actors have exhibited a willingness to negotiate payment amounts. Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption.”
BlackSuit attacks have hit several critical infrastructure sectors, including commercial facilities, healthcare and public health, government facilities, and critical manufacturing. BlackSuit is an evolution of the Royal ransomware and follows the same playbook: initial access gained through phishing emails is used to disable antivirus software and exfiltrate large volumes of data, and only then is the ransomware deployed and the systems encrypted, so the actors hold stolen data as well as encrypted systems over the victim.
Other common infection routes are Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and access bought from initial access brokers (IABs). To persist in victim networks, BlackSuit actors use legitimate remote monitoring and management (RMM) software, alongside malware such as GootLoader (an initial-access loader) and SystemBC (a SOCKS proxy backdoor).
For network enumeration, BlackSuit actors have used SharpShares and SoftPerfect NetWorx. Nirsoft's password-recovery utilities and the publicly available credential-dumping tool Mimikatz have been found on victim hosts, and tools such as GMER and PowerTool are used to kill system processes, typically those belonging to security software. The FBI and CISA also warn of an increase in victims receiving emails or phone calls directly from BlackSuit actors about the compromise and the ransom demand, a pressure tactic that ransomware groups are using more and more often.
In recent years, threat actors have also shown a growing interest in targeting secondary victims rather than only the compromised company itself. In January 2024, for example, reports surfaced that attackers had threatened to 'swat' cancer hospital patients and had sent threatening text messages to a CEO's spouse. Such aggressive tactics damage the target's reputation by portraying it as immoral or careless, and serve as additional leverage to force payment.
This development coincides with the appearance of new ransomware families in the wild, such as Lynx, OceanSpy, Radar, Zilla (a variant of CrySis/Dharma) and Zola (a variant of Proton), and with established groups continuing to evolve their tactics by adding new tools to their arsenal.
A case in point is Hunters International, which has been observed using a novel C#-based remote access trojan (RAT) known as SharpRhino as an initial infection vector. SharpRhino belongs to the ThunderShell malware family and is distributed through a typosquatting domain that impersonates Angry IP Scanner, a well-known network scanning tool. Hunters International is assessed to be a rebrand of the now-defunct Hive ransomware gang; it was first observed in October 2023 and has claimed 134 attacks in the first half of 2024.
Impact
- Security Bypass
- Sensitive Data Theft
- Financial Loss
Indicators of Compromise
Domain Name
- megupdate.com
- zoommanager.com
- mail.turnovercheck.com
- store.turnovercheck.com
- hourlyprofitstore.com
MD5
- 4ac7f6cb9119fa684f57edeaa42eef46
- ed44877077716103973cbbebd531f38e
- fa40a83774c126982696e8f8e380a49a
- bd288b5a4b86c32a74525927a9f3b5b1
SHA-256
- 01ce9cfebb29596d0ab7c99e8dbadf1a8409750b183e6bf73e0de021b365be13
- 9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300
- ae724dce252c7b05a84bc264993172cf86950d22744b5e3a1b15ba645d9d3733
- e87512ea12288acec611cf8e995c4ced3971d9e35c0c5dcfd9ee17c9e3ed913d
SHA-1
- 817a45fcc809d5272a30ea369cd5d67dc7fbbe36
- ceb8c699a57193aa3be2a1766b03050cde3c738a
- e4af08758daf4d2dc601a65ec739ad6959aea401
- 9075153a14929f269b24ef936f3fd2f98f18c344
URL
- https://beautyhabits.gr/xmlrpc.php
- https://oldtimertreffen-rethem.de/xmlrpc.php
- https://parencyivf.com/xmlrpc.php
- https://file.io/ScPd1KcJTtxO
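The following script is added here as a worked example and is not part of the advisory. It hunts for the indicators above in two places: it hashes files under a directory and compares them against the MD5, SHA-1 and SHA-256 lists, and it scans DNS or proxy log lines for the listed domains (including their subdomains) and full URLs. The log lines embedded in it are constructed for illustration; the indicator values are copied from the lists above.

```python
"""IOC hunt for the indicators listed in this advisory.

Added example, not part of the advisory: the indicator values are copied
from the IOC lists above; the sample log lines are constructed.
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable

# Indicators copied from the advisory's IOC section.
IOCS = {
    "domains": {
        "megupdate.com", "zoommanager.com", "mail.turnovercheck.com",
        "store.turnovercheck.com", "hourlyprofitstore.com",
    },
    "md5": {
        "4ac7f6cb9119fa684f57edeaa42eef46", "ed44877077716103973cbbebd531f38e",
        "fa40a83774c126982696e8f8e380a49a", "bd288b5a4b86c32a74525927a9f3b5b1",
    },
    "sha1": {
        "817a45fcc809d5272a30ea369cd5d67dc7fbbe36", "ceb8c699a57193aa3be2a1766b03050cde3c738a",
        "e4af08758daf4d2dc601a65ec739ad6959aea401", "9075153a14929f269b24ef936f3fd2f98f18c344",
    },
    "sha256": {
        "01ce9cfebb29596d0ab7c99e8dbadf1a8409750b183e6bf73e0de021b365be13",
        "9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300",
        "ae724dce252c7b05a84bc264993172cf86950d22744b5e3a1b15ba645d9d3733",
        "e87512ea12288acec611cf8e995c4ced3971d9e35c0c5dcfd9ee17c9e3ed913d",
    },
    "urls": {
        "https://beautyhabits.gr/xmlrpc.php", "https://oldtimertreffen-rethem.de/xmlrpc.php",
        "https://parencyivf.com/xmlrpc.php", "https://file.io/ScPd1KcJTtxO",
    },
}

# Constructed DNS/proxy log lines (not real telemetry).
SAMPLE_LOG = """\
2024-08-08T10:01:02Z client=10.0.0.15 query=A name=updates.microsoft.com rcode=NOERROR
2024-08-08T10:01:07Z client=10.0.0.15 query=A name=megupdate.com rcode=NOERROR
2024-08-08T10:02:11Z client=10.0.0.22 query=A name=store.turnovercheck.com rcode=NOERROR
2024-08-08T10:03:40Z client=10.0.0.22 GET https://beautyhabits.gr/xmlrpc.php 200
2024-08-08T10:04:00Z client=10.0.0.31 query=A name=example.org rcode=NOERROR
""".splitlines()

# Anything that looks like a hostname: one or more dotted labels plus an alphabetic TLD.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def digests(data: bytes) -> dict[str, str]:
    """All three hashes the advisory publishes, for one blob of bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(data: bytes, iocs: dict = IOCS) -> set[str]:
    """Return the algorithms under which `data` matches a listed sample.
    Only byte-identical copies match; a rebuilt or padded binary gets a new
    hash, so a miss is inconclusive, not a clean bill of health."""
    d = digests(data)
    return {algo for algo in ("md5", "sha1", "sha256") if d[algo] in iocs[algo]}


def scan_files(paths: Iterable[Path], iocs: dict = IOCS) -> list[tuple[Path, set[str]]]:
    """Hash every regular file under the given paths and report matches."""
    hits = []
    for root in paths:
        for p in ([root] if root.is_file() else root.rglob("*")):
            if p.is_file():
                algos = match_hashes(p.read_bytes(), iocs)
                if algos:
                    hits.append((p, algos))
    return hits


def domain_is_ioc(host: str, iocs: dict = IOCS) -> bool:
    """Exact match or any subdomain of a listed domain (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs["domains"])


def scan_log(lines: Iterable[str], iocs: dict = IOCS) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, indicator) for every line touching an IOC.
    URLs are matched in full so a legitimate site that merely hosts one
    listed path is not flagged on every visit; domains are matched by host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in iocs["urls"]:
            if url in line:
                hits.append((n, "url", url))
        for host in _HOST_RE.findall(line):
            if domain_is_ioc(host, iocs):
                hits.append((n, "domain", host))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_hunt.py [logfile] [path ...]; with no arguments, scans SAMPLE_LOG.
    log = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, kind, ioc in scan_log(log):
        print(f"log line {n}: {kind} hit {ioc}")
    for p, algos in scan_files(Path(a) for a in sys.argv[2:]):
        print(f"file {p}: matches {', '.join(sorted(algos))}")
```

Run against the embedded sample, the script flags the `megupdate.com` and `store.turnovercheck.com` lookups and the `beautyhabits.gr/xmlrpc.php` request and ignores the benign lines. Subdomain matching only extends downward from a listed name: `cdn.megupdate.com` matches, the unlisted parent `turnovercheck.com` does not, which keeps the match set tied to what the advisory actually published.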
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for unusual behavior, in particular unexpected RDP sessions and RMM tools that were not sanctioned by IT, since both are routes BlackSuit actors use to get in and stay in.
- Stay vigilant and follow cybersecurity best practices: keep software up to date, enforce strong access controls, and deploy monitoring tools to protect systems and data.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.