Best Practices for Preventing BlackSuit Ransomware Infections

Q: How do BlackSuit actors communicate with their command and control infrastructure?

Encrypted Channels: Securely communicate with C2 infrastructure (e.g., SSH tunnels). Legitimate Tools: Blend in with normal network traffic (e.g., remote monitoring and management software). Penetration Testing Tools: Create backdoor, execute tasks (e.g., Cobalt Strike). Malware Derivatives: Aggregate and transfer data (e.g., Ursnif, Gozi). Anonymous Communication: Obscure origin, complicate tracking (e.g., U.S. IP addresses, onion sites like "blacksuitmarket.onion"). Lateral Movement: Move within network, deploy tools (e.g., RDP, PsExec).

September 25, 2024
Srestha Roy

Are you confident that your security tools are foolproof? Think again. BlackSuit ransomware is exploiting overlooked vulnerabilities, slipping through defenses even in 53 well-protected organizations. This isn’t just another cyber threat—it’s a sophisticated adversary that rewrites the rules.

Your firewalls, antivirus, and strict protocols might not be enough to stop it. BlackSuit is engineered to find gaps you didn’t know existed, bypassing even advanced security postures. Are you truly prepared for what’s coming?

What Is Blacksuit Ransomware?

BlackSuit ransomware is a type of malware variant designed to encrypt victim system files, rendering critical data breach. The attackers then demand a ransom in exchange for the decryption key, while some threat actors deploy a double extortion model, with ransomware threats of releasing the stolen data to the public if their demands are not met. The ransomware targets mainly critical sectors: Healthcare, Government, Manufacturing, Education, and Finance, which has disastrous results in each of the sectors where disruptions have occurred.

Key Recommendations: CISA and FBI's Latest Guidance

Is BlackSuit Ransomware a Rebrand of Another Group?

BlackSuit is believed to be a rebrand of the Royal blacksuit ransomware gang. Rebranding keeps ransomware groups out of the scrutiny of law enforcement agencies and their identity hidden. It also allows them to continue most of their malicious activities without being recognized by cybersecurity defenses so easily.

What Are the Implications of This Rebranding for Cybersecurity Efforts?

The rebrand to BlackSuit hints at business as usual from the Royal group, for which readaptation of cybersecurity through updates in threat intelligence and monitoring for new indicators of compromise is required.

The Royal ransomware group, operating now as BlackSuit, continued to target healthcare organizations. This ransomware attack encrypted an entire network of a hospital, which had to divert emergency patients to other facilities.

How Blacksuit ransomware is different from other variants?

BlackSuit ransomware, while similar to other examples of ransomware variants in its primary function of encrypting files and demanding a ransom, exhibits several unique characteristics that set it apart:

Function	Blacksuit Ransomware	Other Variants
1. Intermittent Encryption	Encrypts files in stages, only encrypting a portion at a time.	Often encrypt files in a continuous manner.
2. Partial Encryption	Encrypts only a part of each file, not the entire content.	Typically encrypt the entire file.
3. Dual-Platform Targeting	Infects both Windows and Linux systems.	Primarily target Windows or Linux systems.
4. Similarities to Royal Ransomware	Closely related to the Royal ransomware family.	May have different familial ties or be completely unrelated.
5. Evasion Techniques	Employs techniques like intermittent and partial encryption to avoid detection.	May use different evasion tactics, such as obfuscation or encryption of malicious code.
6. Ransom Negotiation	May offer discounts or extended payment deadlines.	May have different negotiation strategies or terms.
7. Exfiltration of Data	May exfiltrate sensitive data in addition to encrypting files.	May or may not exfiltrate data.

BlackSuit Ransomware Analysis

Let’s see what you need to know about this strain to prevent cyber attackers from gaining access to your critical infrastructure.

How does Blacksuit Ransomeware work?

Here’s a breakdown of how BlackSuit ransomware operates:

1. Distribution

BlackSuit ransomware spreads through your several channels such as email attachments carrying viruses, torrent sites, ads with malware, and Trojan horses.
2. Execution

The ransomware starts encrypting your files after it gets into your system. It uses FindFirstFileW() and FindNextFileW() API functions to list all the files and folders on the computer.
3. Encryption

BlackSuit ransomware encrypts specific file types using a tough encryption method, like the Advanced Encryption Standard (AES). It changes the names of your encrypted files by adding ".blacksuit" at the end.
4. Ransom note

BlackSuit ransomware leaves a ransom note called "README.BlackSuit.txt" in every folder it goes through after encrypting your files. This note is how the attackers tell victims to pay money to get the decryption key.
5. Desktop wallpaper change

BlackSuit ransomware also changes the infected computer's desktop background showing a message or picture about the ransomware attack.
6. Data loss and extortion

You can't open or use the encrypted files without the decryption key. The attackers might say they'll share or sell the stolen data if they don't get paid.

Stop Ransomware: Thwart Attackers with Fidelis

Don’t Let Ransomware Lock You Down with our advanced solutions

How to identify if your system has been infected with BlackSuit ransomware?

If any of these examples of ransomware attack symptoms are felt or noticed, it is highly needed to act immediately by isolating the compromised system from further lateral movement onto your network. Some blacksuit ransomware iocs include:

File Extensions: Encrypted files by BlackSuit ransomware have the extension “.black suit” appended. A file named “document.doc” would become “document.doc.black suit”.
Ransom Note: BlackSuit ransomware leaves a ransom note dubbed “README.BlackSuit.txt” in every directory containing encrypted files. This note explains the ransom demands, claiming your files are secured on some remote server.
Inaccessible Files: If you cannot open or access your files, or they appear corrupted, BlackSuit ransomware encryption might be the culprit.
Desktop Changes: The ransomware might alter your desktop wallpaper with messages related to the attack, indicating system compromise.
Shadow Copy Deletion: BlackSuit ransomware attempts to delete Volume Shadow Copies to hinder file recovery. Missing system restore points could be a sign of infection.
Unusual Activity: Monitor for abnormal network traffic or system behavior like unexpected file changes or unauthorized access attempts. These can indicate a ransomware infection.

What are the latest BlackSuit Ransomware TTPs (Tactics, Techniques, and Procedures)?

1. Initial Access

Phishing Emails: The most common method involves deceiving users into providing passwords or downloading malware.
RDP Compromise: The use of weak or stolen RDP credentials to gain unwanted access, which accounts for around 13.3% of initial access instances.
VPN Brute-Force Attack: Poorly configured VPN configurations allow brute-force attacks to get access using genuine credentials, demonstrating the importance of strong authentication.
Public-Facing Application Exploit: Exploiting vulnerabilities in internet-connected applications.
Initial Access Brokers: Collaborate with third-party sellers to provide access to infiltrated networks.

2. Data Exfiltration and Double Extortion

Remove sensitive data before spreading ransomware.
Threaten to disclose stolen material on leak sites unless the ransom is paid.

3. Lateral Movement Tools

Repurposing legitimate penetration testing tools like Cobalt Strike.

Utilizing tools like PsExec and Rubeus for lateral movement and privilege escalation.

4. Disabling Security Measures

Disabling antivirus software and other security tools to evade detection.

5. Partial Encryption Technique

Employing a partial encryption approach to avoid detection and speed up encryption.

6. Command and Control (C2) Communication

Communicating with their C2 infrastructure to download additional tools and maintain control.

Victims and Data Leaks: The Toll of BlackSuit Ransomware

In the past year, BlackSuit has claimed dozens of victims and has leaked stolen data from attacks against 53 organizations; leaks which may include sensitive personal and financial information that could lead to further harm both for the affected people and organizations.

Data Leak Consequences

Public disclosure of stolen information further coerces blacksuit ransomware victims to pay the ransom. This might be attributed to reputational damage, financial loss, and even legal and regulatory repercussions.

Of particular note, according to a recent report, an observed high for BlackSuit of about $18 million, with an average initial demand of about $2.5 million. The average ransom payment facilitated was around $500,000.

Extortion Tactics: How BlackSuit Ransomware Tightens Its Grip

What Extortion Tactics Does BlackSuit Ransomware Use?

BlackSuit ransomware operates a multi-pronged extortion model: encrypting victim data, exfiltrating sensitive information of the victim, and hosting public data leak sites.

How Does Encryption Impact the Victims?

Encryption can render the data inaccessible, causing significant operational disruptions to the affected company. This results in considerable downtime, leading to massive losses. Victims are often compelled to pay the ransom in hopes of recovering critical data.

What Is the Role of Data Exfiltration in Their Strategy?

Data exfiltration involves stealing sensitive information from the victim systems. Later, this is used to further increase pressure by using stolen data to coerce the victims into paying the ransom.

How Do Public Data Leak Sites Contribute to Their Extortion Tactics?

They publish stolen information on open data leak sites if the victims do not agree to their demands on ransom. This public exposure could also be worse for the victims’ reputation and operations, further motivating them to pay the ransom.

Case Study:

In April 2024, a BlackSuit ransomware attack was detected, which started by performing Kerberoasting. This was a kind of post-exploitation attack technique intended to capture a password hash of an Active Directory account that possesses a Service Principal Name (“SPN”) within the environment contributed by a customer. The attack thus caused key systems to be encrypted and exfiltration of sensitive data. Poor asset inventory and poor endpoint visibility plagued the organization affected, and this has driven demands for better cybersecurity.

How can organizations defend against Black suit Ransomware Attacks?

Here are some of the blacksuit ransomware best practices from infecting your systems:

Back Up Your Data Often: Save important files to external drives or cloud storage. Make sure these backups aren’t always connected to your network to keep them safe during an attack. This lets you get your data back without paying if you get infected.
Keep Everything Up to Date: Make sure your operating system, programs, and antivirus are current. Updates often fix security holes that ransomware uses. Turn on automatic updates to get important fixes right away.
Watch Your Network: Use tools to check your network traffic for weird patterns or talks with known bad servers. Spotting threats can help you stop them.
Train Your Team: Teach your employees about staying safe online, like how to spot fake emails and avoid clicking on sketchy links or files. Regular training cuts down on successful attacks a lot, since many infections start because of human mistakes.
Use Two-Factor Authentication (2FA): Adding 2FA makes your system safer by making it harder for attackers to get in even if they have someone’s login info.
Network Segmentation: Break up networks to stop malware from spreading. Keeping critical systems apart from general access networks helps companies contain infections and stop widespread damage.
Endpoint Detection and Response (EDR): Put EDR solutions in place to watch network traffic and spot odd behavior right away.
Care with Email Attachments and Links: Stay alert when opening email attachments or clicking links from people you don’t know. Scam emails often spread ransomware, including BlackSuit ransomware.
Check and Limit User Permissions: Cut down user access to the systems and data they need for their jobs. This least privilege rule lowers the risk of ransomware spreading through hacked accounts.
Advanced Threat Detection Tools: Use top-notch threat detection and response tools to spot unusual activity that might signal a ransomware attack. These tools can send alerts and help tackle threats before they get worse.
Create an Incident Response Plan: Have a clear plan ready that spells out what to do if ransomware hits. This should cover steps like isolating infected systems restoring from backups and telling the right authorities.

How Can You Secure Your RDP Connections to Prevent BlackSuit Access

Here’s how to fortify your remote desktop protocol rdp against BlackSuit ransomware attacks:

Configure a VPN and keep RDP traffic unexposed to the internet. Make sure to implement multi-factor authentication in your VPN configuration.
Use MFA: Utilize multi-factor authentication for further verification of logins. This can be completed through TOTP, push notifications, or even hardware tokens.
Restrict RDP Access: RDP should be allowed to connect from specific, trusted IP addresses only. One of the options is enforcing a whitelist-a connections permits from permitted devices or networks only.
Implement Strong Passwords: Use strong, complex passwords that are updated regularly. Passwords should be at least 12 characters and contain a mix of uppercase and lowercase letters, numbers, and special characters.
Change the Default RDP Port: Change the default RDP port to prevent automated scanning. The problem is that it is not supposed to be used as the only security measure, since attackers can find the service.
Restrict User Access: Only allow RDP access to users who have an actual business need for it. Users must be granted access on a least privilege basis. Users who no longer require access should be removed from the list of users with permission for RDP access.
Account Lockout: Enable account lockout to prevent ransomware brute-force attacks. Set a reasonable number of failed login attempts before an account is temporarily locked.
Firewalls and Intrusion Detection: Include a firewall and intrusion detection to monitor and react to particular network attacks. Stay ahead of firewall rules changes on a regular basis and review IDS alerts for unusual events.
Keep Regular Updates and Patches: Always have your system updated with the latest patches to each software. This secures your server against any vulnerability that might be attacked.

Fidelis Solutions available to Detect Blacksuit Ransomware

Fidelis Security provides a full set of tools to shield against many types of ransomware threats. By zeroing in on early detection quick action, and control, Fidelis tools help protect your network setup and devices from new attacks.

Fidelis Network^®

Fidelis’ NDR solution gives a clear view of your network as it happens spotting odd behaviors that often go hand in hand with ransomware acts.

Explore Fidelis’ NDR Solution Features

Fidelis Endpoint^®

Fidelis’ EDR solution keeps an eye on devices non-stop cutting off ransomware-infected machines and stopping it from spreading.

Explore Fidelis’ EDR Solution Features

Fidelis Network Segmentation

Helps box in ransomware within your network keeping it in certain areas to cut down on damage.

Fidelis Advanced Threat Detection

Uses machine learning and behavior analysis to spot encryption tries and warn you about ransomware threats before they get worse.

Explore Fidelis’ Advance Threat Detection features

Frequently Ask Questions

How does BlackSuit's partial encryption approach help evade detection?

Reduces the likelihood of sending off any traditional security alerts.
It lets ransomware act quite surreptitiously by the time it becomes too late.

What steps can I take to protect against phishing emails from BlackSuit?

Install advanced email filtering solutions.
Carry out regular phishing awareness and training of the staff concerning security.
Apply multi-factor authentication for email accounts.
Make use of threat intelligence in order to stay updated about any new phishing techniques.

How do BlackSuit actors communicate with their command and control infrastructure?

Encrypted Channels: Securely communicate with C2 infrastructure (e.g., SSH tunnels).
Legitimate Tools: Blend in with normal network traffic (e.g., remote monitoring and management software).
Penetration Testing Tools: Create backdoor, execute tasks (e.g., Cobalt Strike).
Malware Derivatives: Aggregate and transfer data (e.g., Ursnif, Gozi).
Anonymous Communication: Obscure origin, complicate tracking (e.g., U.S. IP addresses, onion sites like “blacksuitmarket.onion”).
Lateral Movement: Move within network, deploy tools (e.g., RDP, PsExec).

About Author

Srestha Roy

Srestha is a cybersecurity expert and passionate writer with a keen eye for detail and a knack for simplifying intricate concepts. She crafts engaging content and her ability to bridge the gap between technical expertise and accessible language makes her a valuable asset in the cybersecurity community. Srestha's dedication to staying informed about the latest trends and innovations ensures that her writing is always current and relevant.

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.