What is BlackSuit Ransomware?
BlackSuit is another high-risk ransomware variant. It emerged in early 2023 as a rebranded version of the Royal ransomware group. The malware employs double extortion: victims' data is encrypted and also exfiltrated, and victims are threatened with having the stolen data leaked on the dark web.
In terms of cybercrime lineage, BlackSuit builds on the experience of established criminal operations: its operators have close ties that trace back through Royal to well-known groups such as the Conti cybercrime syndicate.
Figure 1: Screenshot of Leak Site used by BlackSuit Ransomware
As shown in figure 1, BlackSuit ransomware runs a dark web site where they list victims who don’t pay the ransom. This is meant to shame the victims and put extra pressure on them to pay.
Figure 2: Screenshot of Ransom Note used by BlackSuit Ransomware
BlackSuit ransomware uses a deceptive ransom note. It drops a file called "README.BlackSuit.txt" that leads victims to believe they can get their data back by paying a fee.
But this is a scam. Even if the ransom is paid, there’s no guarantee the data will be restored. Many victims end up having to rebuild their systems and recover data from backups instead.
What are the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) of BlackSuit Ransomware?
The Tactics, Techniques, and Procedures (TTPs) of BlackSuit ransomware showcase its sophisticated approach to compromising systems and achieving its malicious goals. Here’s an explanation of its key TTPs:
- Phishing Attacks: BlackSuit often uses phishing emails to trick victims. These emails appear legitimate but contain malicious links or attachments. Once clicked or opened, these payloads install malware, giving the attackers access to the target system. This technique relies on social engineering to exploit human error.
- Exploiting Vulnerabilities: BlackSuit actively scans for systems with unpatched software or outdated operating systems. It takes advantage of these vulnerabilities to bypass defences and gain unauthorised access to networks. This highlights the importance of keeping systems updated with the latest security patches.
- Remote Desktop Protocol (RDP) Exploitation: Poorly secured RDP settings are another entry point for BlackSuit. Misconfigurations, weak passwords, or open RDP ports can allow attackers to directly access a system. This tactic is often used to bypass external defences and move laterally within a network.
- Supply Chain Attacks: BlackSuit can target weaknesses in software vendors or third-party suppliers to infiltrate broader networks. By compromising a supplier, attackers can distribute malware to multiple organisations, making this a particularly dangerous and far-reaching tactic.
These TTPs highlight BlackSuit’s ability to exploit both technical vulnerabilities and human weaknesses. Defending against such threats requires robust security measures, including email filtering, vulnerability management, RDP security controls, and third-party risk assessments.
Indicators of Compromise (IOCs): BlackSuit Ransomware
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| hxxp://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion | URLs (Onion) | Leak Site |
The Indicators of Compromise (IOCs) for BlackSuit ransomware highlight its use of a dedicated onion URL (hxxp://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion) as its leak site. Hosted on the Tor network, this dark web site is a critical component of the ransomware's double extortion strategy, where attackers not only encrypt the victim's data but also exfiltrate it and threaten public exposure if the ransom is not paid.
Victims are often directed to this site to negotiate ransom payments or verify the stolen data. This approach significantly increases the pressure on victims, as the potential damage from leaked sensitive information can surpass the operational disruption caused by the ransomware encryption itself.
The use of the Tor network for hosting ensures anonymity for the attackers and makes the site resilient against takedown attempts by law enforcement or cybersecurity teams. This capability allows BlackSuit operators to operate securely while maintaining leverage over their victims.
For organisations, monitoring such IOCs and integrating them into threat intelligence systems is essential for early detection, tracking victim exposure, and strengthening defence mechanisms against this ransomware.
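As an added example (not part of the original write-up or of Red Piranha's tooling), the script below shows the kind of check a detection engineer would build from the IOC table above: it refangs the defanged indicator, reduces it to a hostname, and matches it against DNS and proxy log lines. The log formats and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# IOC table from this write-up, kept defanged (hxxp) exactly as published.
BLACKSUIT_IOCS = {
    "hxxp://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion": "BlackSuit leak site",
}

def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so an IOC can be compared with live log data."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def ioc_hosts() -> dict:
    """Map each IOC's lower-cased hostname to its description; URL IOCs are reduced to the host."""
    hosts = {}
    for ioc, desc in BLACKSUIT_IOCS.items():
        clean = refang(ioc)
        host = urlparse(clean).hostname if "://" in clean else clean
        hosts[host.lower()] = desc
    return hosts

def extract_host(line: str):
    """Pull the looked-up or requested hostname from a DNS or proxy log line (constructed formats)."""
    m = re.search(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)", line)
    return m.group(1).lower() if m else None

def scan_logs(lines):
    """Return (line_no, host, description) for each line whose host matches a known IOC."""
    known = ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        host = extract_host(line)
        if host in known:
            hits.append((n, host, known[host]))
    return hits

# Constructed sample telemetry: one benign DNS query, then a proxy request and a DNS query for the leak site.
SAMPLE_LOGS = [
    "2024-01-10T08:00:01Z src=10.0.0.5 query=updates.example.com type=A",
    "2024-01-10T08:00:02Z src=10.0.0.7 url=http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion/ status=502",
    "2024-01-10T08:00:03Z src=10.0.0.7 query=WEG7SDX54BEVNVULAPQU6BPZWZTRYEFLQ3S23TEGBMNHKBPQZ637F2YD.ONION type=A",
]

if __name__ == "__main__":
    for line_no, host, desc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {host} -> {desc}")
```

A hit on an .onion hostname in corporate DNS or proxy logs is itself notable, since such names only resolve through Tor.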
What is the Kill Chain of BlackSuit Ransomware?
Fig 3: Screenshot of the Kill Chain of BlackSuit Ransomware
The BlackSuit ransomware's kill chain represents a structured and systematic approach to executing cyberattacks, leveraging various MITRE ATT&CK techniques. This ransomware group employs a mix of execution methods, persistence mechanisms, credential theft, and data exfiltration tactics to disrupt operations, steal sensitive information, and demand ransom payments. Let’s break down the kill chain in detail to understand its phases and techniques.
BlackSuit ransomware executes its payload using native tools like PowerShell (T1059.001) and Windows Command Shell (T1059.003) to operate stealthily, avoiding detection through "Living off the Land" tactics.
Persistence is established via Registry Run Keys or Startup Folder (T1547.001), enabling automatic execution after reboot. Attackers escalate privileges by exploiting UAC mechanisms (T1548), allowing them to disable security tools and access sensitive data. Advanced defence evasion techniques, such as registry modifications (T1112) and process injection (T1055), conceal malicious activities and bypass endpoint defences.
Credential harvesting methods like Kerberoasting (T1558.003) and LSASS memory dumping (T1003.001) enable lateral movement. Discovery tactics such as Remote System Discovery (T1018) and Domain Trust Discovery (T1482) map the network to identify high-value targets.
BlackSuit collects and archives data (T1560) for exfiltration, establishing encrypted command-and-control channels (T1071.001) for remote operations. The final impact involves encrypting data (T1486) and inhibiting recovery mechanisms (T1490), maximising disruption and coercing ransom payment, often coupled with threats to leak sensitive data. This structured attack flow emphasises the importance of layered defences, threat monitoring, and robust backup strategies.
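As an added example (not code from the original article or from any Red Piranha product), the script below correlates host telemetry against the ATT&CK techniques listed in the kill chain above: PowerShell and cmd.exe execution (T1059.001/T1059.003), Run-key persistence (T1547.001) and the README.BlackSuit.txt ransom note as the impact marker (T1486). The Sysmon-like event fields and the sample events are constructed for the example; the point is that a single host progressing through several phases is a far stronger signal than any one hit.

```python
from collections import defaultdict

# Detection rules keyed to the ATT&CK IDs named in the kill chain above. Event fields are
# constructed to resemble Sysmon-style process, registry and file telemetry.
RULES = [
    ("T1059.001", "Execution",
     lambda e: e["type"] == "process" and e.get("image", "").lower().endswith("powershell.exe")),
    ("T1059.003", "Execution",
     lambda e: e["type"] == "process" and e.get("image", "").lower().endswith("cmd.exe")),
    ("T1547.001", "Persistence",
     lambda e: e["type"] == "registry" and r"\currentversion\run" in e.get("key", "").lower()),
    ("T1486", "Impact",
     lambda e: e["type"] == "file" and e.get("path", "").lower().endswith("readme.blacksuit.txt")),
]
PHASE_ORDER = ["Execution", "Persistence", "Impact"]

def tag_events(events):
    """Attach a (technique, phase) pair to every event that satisfies a rule."""
    return [{**e, "technique": tid, "phase": phase}
            for e in events for tid, phase, match in RULES if match(e)]

def correlate(events):
    """Group tagged events per host in time order; a host that shows more than one
    kill-chain phase is flagged, since isolated hits are common but progression is not."""
    per_host = defaultdict(list)
    for e in sorted(tag_events(events), key=lambda e: e["ts"]):
        per_host[e["host"]].append(e)
    report = {}
    for host, evs in per_host.items():
        phases = sorted({e["phase"] for e in evs}, key=PHASE_ORDER.index)
        report[host] = {"techniques": [e["technique"] for e in evs],
                        "phases": phases, "alert": len(phases) >= 2}
    return report

# Constructed sample events: WS01 walks execution -> persistence -> impact, WS02 only runs cmd.exe.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-01-10T09:00:05Z", "host": "WS01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": "2024-01-10T09:02:00Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Desktop\README.BlackSuit.txt"},
    {"ts": "2024-01-10T09:00:10Z", "host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```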
How does Red Piranha Detect and Prevent attacks of BlackSuit Ransomware?
Red Piranha’s Threat Detection, Investigation, and Response (TDIR) solution effectively counters the advanced tactics of BlackSuit ransomware by combining real-time threat intelligence, network traffic analysis, and endpoint and network monitoring to detect initial access attempts, such as exploits and phishing.
Defending against such attacks requires a layered security strategy. Proactive measures include using tools like endpoint detection and response (EDR), application whitelisting, and advanced network detection systems (NDR) to monitor suspicious activities at all stages of the kill chain. Credential security can be enhanced through multi-factor authentication (MFA) and Kerberos hardening, while robust backup solutions and data loss prevention (DLP) tools mitigate data theft and encryption risks.
Threat intelligence integration, zero trust architecture, and incident response planning further strengthen defences. Platforms like Red Piranha’s Crystal Eye TDIR, which combines AI-powered analytics and threat intelligence, provide comprehensive protection against advanced threats like BlackSuit ransomware.
Red Piranha’s Threat Detection, Investigation, and Response (TDIR) solution provides a robust defence against the advanced tactics of BlackSuit ransomware by integrating real-time threat intelligence, network traffic analysis, and endpoint monitoring to detect and counteract every phase of the ransomware kill chain.
TDIR’s continuous monitoring and encrypted metadata analysis identify suspicious activities like Command-and-Control (C2) communications, while its proactive approach detects persistence mechanisms such as registry modifications and unauthorised privilege escalations.
Leveraging SOAR (Security Orchestration, Automation, and Response) capabilities, TDIR isolates affected systems, halting lateral movement and credential theft across the network.
Defence evasion tactics like disabling security tools or process obfuscation are neutralised by anomaly-based detection, with automated playbooks ensuring rapid escalation to Red Piranha’s SOC team for swift containment and incident response.
Crystal Eye’s multi-layered defence approach combines Network Detection and Response (NDR), machine learning-driven anomaly detection, and Zero Trust architecture to counter BlackSuit ransomware’s tactics effectively.
NDR continuously monitors traffic to identify signs of lateral movement, credential theft, and data exfiltration, while Zero Trust micro-segmentation limits unauthorised access, reducing the attack surface. Automated response actions mitigate impacts by halting unauthorised registry modifications, disabling malicious C2 connections, and isolating compromised systems.
Crystal Eye’s advanced capabilities, including East-West traffic monitoring, PCAP analysis, and proactive threat hunting, detect and thwart BlackSuit’s techniques such as Living off the Land (LOTL) attacks, encrypted data theft, and ransomware encryption processes. With real-time detection, integrated threat intelligence, and 24/7 SOC support, Crystal Eye delivers comprehensive protection, significantly reducing attacker dwell time and the overall impact of ransomware incidents.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, allows you to catch what other products in its class miss by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.