Blacksuit

Blacksuit is a private ransomware and extortion group that surfaced around April/May 2023. It shares numerous similarities with Royal ransomware and is widely regarded as a spinoff or rebrand of that group.


The origin of Blacksuit

Blacksuit was first observed in April/May 2023. Analysts who compared it with Royal ransomware noted extensive overlap in code and tradecraft, and in August 2024 CISA and the FBI updated their Royal advisory (AA23-061A) to state that Blacksuit is the evolution of Royal rather than an unrelated group.

Royal, formed largely by former Conti operators, became known for highly targeted attacks on critical infrastructure sectors and for mature methods of gaining initial access, elevating privileges, and evading detection.

Blacksuit continues that playbook: refined tooling, a focus on stealing data before encrypting it (double extortion), and the same kinds of high-value sectors as targets.


Targets

Blacksuit's Targets

Countries targeted by Blacksuit

Blacksuit operates on a global scale, with significant activity reported in:

  • North America: Particularly the United States and Canada.
  • Europe: Including notable incidents in Italy and the United Kingdom.
  • Asia: South Korea has reported multiple attacks.
  • South America: Brazil is a notable target within this region.

Source: SOCradar

Industries targeted by Blacksuit

According to SOCradar, Blacksuit predominantly targets the following industries:

  • Educational Services (22.7%): This is the most targeted sector, reflecting the vulnerability of educational institutions to ransomware attacks.
  • Public Administration (13.6%): Government bodies are frequently attacked, causing significant disruption to public services.
  • Construction, Professional, Scientific, and Technical Services, Wholesale Trade, Manufacturing (9.1% each): These sectors are also heavily targeted due to their critical nature and the potential high impact of disruptions.
  • Other industries: Including Retail Trade, Transportation and Warehousing, Information Services, Arts, Entertainment, and Recreation, Health Care, and Other Services (4.5% each).


Blacksuit's victims

At the time of writing, more than 96 victims had been attributed to Blacksuit, based on the leak-site postings tracked by ransomware.live. High-profile victims include major educational institutions, government agencies, construction companies, professional service firms, and healthcare providers. These attacks typically cause significant operational disruption and, because data is stolen before encryption, a data breach as well.

Source: ransomware.live

Attack Method

Blacksuit's Attack Method


Initial Access

Blacksuit typically gains initial access through phishing emails carrying malicious attachments or links, and by exploiting vulnerabilities in public-facing applications.

Privilege Escalation

Once inside the network, the operators exploit local vulnerabilities to elevate privileges and run tools such as Mimikatz to harvest credentials that grant higher-level access.

Defense Evasion

The group disables or tampers with security tools, obfuscates its payloads, and runs its activity through trusted system processes and built-in administrative utilities so that it blends in with normal operations.

Credential Access

Blacksuit harvests usernames and passwords with keyloggers, credential-dumping tools that read LSASS memory, and brute-force attacks against remote access services.
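The two behaviours described under Defense Evasion and Credential Access are among the most reliable places to catch an intrusion before encryption starts, because endpoint telemetry records both: a process stopping the AV service or deleting shadow copies, and an unexpected process opening lsass.exe with read access. The script below is an added example written for this page, not code from the original article or from any Blacksuit tooling. It runs both detections over constructed Sysmon-style events (Event ID 1 process creation and Event ID 10 process access); the hosts, users, paths and command lines are made up, and the LSASS allowlist is a deliberately minimal assumption.

```python
"""Detecting security-tool tampering (T1562.001, T1490) and LSASS credential
dumping (T1003.001) in Sysmon-style telemetry.

Added example; not from the original page and not Blacksuit code. Field names
follow Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the
hosts, users, paths and command lines are constructed for the example.
"""
import re
from typing import Iterable

# Constructed sample telemetry: one event per line, key=value fields, values
# that contain spaces wrapped in double quotes.
SAMPLE_EVENTS = r"""
EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c sc stop WinDefend"
EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"
EventID=1 Host=WS02 User=CORP\svc_backup Image="C:\Program Files\Backup\backup.exe" CommandLine="backup.exe --job nightly"
EventID=1 Host=WS02 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet"
EventID=10 Host=DC01 SourceImage=C:\Users\jdoe\AppData\Local\Temp\m.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 Host=DC01 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff
EventID=10 Host=WS01 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1410
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (regex over the lower-cased command line, ATT&CK ID, explanation)
TAMPER_PATTERNS = (
    (r"\bsc(\.exe)?\s+(stop|delete|config)\s+\S*(defend|sense|mpssvc|falcon|sophos)",
     "T1562.001", "security service stopped or reconfigured"),
    (r"\bnet(\.exe)?\s+stop\s+\S*(defend|sense|falcon|sophos)",
     "T1562.001", "security service stopped"),
    (r"set-mppreference\s+-disable\w+",
     "T1562.001", "Defender protection feature disabled"),
    (r"\bvssadmin(\.exe)?\s+delete\s+shadows",
     "T1490", "volume shadow copies deleted (inhibits recovery)"),
    (r"\bwevtutil(\.exe)?\s+cl\b",
     "T1070.001", "Windows event log cleared"),
)

PROCESS_VM_READ = 0x0010  # the access right needed to read LSASS memory
# Full paths of processes that legitimately open lsass.exe with VM_READ.
# Matching on the full path (not the file name) matters: a dropper called
# svchost.exe in a temp directory must not inherit the exemption. A production
# rule would also check the signer and the parent process.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict (quoted values keep their spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return one alert dict per matching event, in input order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            for pattern, technique, why in TAMPER_PATTERNS:
                if re.search(pattern, cmd.lower()):
                    alerts.append({"technique": technique, "host": ev.get("Host", "?"),
                                   "subject": ev.get("User", "?"), "why": why, "evidence": cmd})
                    break
        elif ev.get("EventID") == "10":
            if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
                continue
            source = ev.get("SourceImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if granted & PROCESS_VM_READ and source not in LSASS_ALLOWED_SOURCES:
                alerts.append({"technique": "T1003.001", "host": ev.get("Host", "?"),
                               "subject": source,
                               "why": f"lsass.exe opened with access mask 0x{granted:x}",
                               "evidence": line.strip()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{a['technique']}] {a['host']} {a['subject']}: {a['why']} <- {a['evidence']}")
```

Run against the sample, the script raises four alerts: the `sc stop WinDefend` and `Set-MpPreference` command lines, the shadow-copy deletion, and the temp-directory binary reading lsass.exe. The csrss.exe access with full rights is suppressed by the path allowlist, which is the point: the access mask alone is too noisy, the source process alone is too easy to spoof by file name, and the combination of both is what makes the rule usable.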

Discovery

They conduct extensive reconnaissance inside the network to map its structure, identifying critical systems such as domain controllers and backup servers and locating where sensitive data resides.

Lateral Movement

Using compromised credentials together with legitimate administrative tools and protocols (RDP, SMB, remote service creation), the attackers move laterally to reach additional systems.
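Because the lateral movement uses the same protocols administrators use, the individual logon events look legitimate; what stands out is the pattern, one account from one source reaching many hosts in a short time. The following is an added example written for this page, not code from the original article: it replays constructed Windows Security 4624 logon records through a sliding-window fan-out detector, keyed on (user, source IP) and counting distinct target computers for network (type 3) and RDP (type 10) logons. The hosts, accounts, addresses, times, window and threshold are all assumptions.

```python
"""Flagging logon fan-out that looks like lateral movement over remote services.

Added example; not from the original page and not Blacksuit code. Records mimic
the fields of Windows Security Event 4624 (successful logon): LogonType 3 is a
network logon (SMB shares, WMI, PsExec-style service creation), LogonType 10 is
RemoteInteractive (RDP). Hosts, users, addresses and times are constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Iterable

# Constructed sample: a burst from one workstation versus a backup account that
# touches one host every 30 minutes.
SAMPLE_LOGONS = """\
timestamp,event_id,computer,logon_type,user,src_ip
2024-05-01T02:00:05,4624,WS01,3,CORP\\jdoe,10.0.5.23
2024-05-01T02:00:41,4624,WS02,3,CORP\\jdoe,10.0.5.23
2024-05-01T02:01:12,4624,FS01,3,CORP\\jdoe,10.0.5.23
2024-05-01T02:02:30,4624,APP01,10,CORP\\jdoe,10.0.5.23
2024-05-01T02:02:55,4624,WS02,3,CORP\\jdoe,10.0.5.23
2024-05-01T02:03:40,4624,DC01,3,CORP\\jdoe,10.0.5.23
2024-05-01T02:00:00,4624,WS03,3,CORP\\svc_backup,10.0.1.10
2024-05-01T02:30:00,4624,WS04,3,CORP\\svc_backup,10.0.1.10
2024-05-01T03:00:00,4624,WS05,3,CORP\\svc_backup,10.0.1.10
2024-05-01T03:30:00,4624,WS06,3,CORP\\svc_backup,10.0.1.10
2024-05-01T04:00:00,4624,WS07,3,CORP\\svc_backup,10.0.1.10
2024-05-01T04:30:00,4624,WS08,3,CORP\\svc_backup,10.0.1.10
2024-05-01T02:01:00,4624,WS09,2,CORP\\asmith,-
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def load_records(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def detect_fanout(records: Iterable[dict[str, str]],
                  window: timedelta = timedelta(minutes=10),
                  threshold: int = 5) -> list[dict]:
    """One alert per (user, source IP) whose remote logons reach `threshold`
    distinct computers inside any sliding interval of length `window`."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts: list[dict] = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["event_id"] != "4624" or rec["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        key = (rec["user"], rec["src_ip"])
        ts = datetime.fromisoformat(rec["timestamp"])
        q = recent[key]
        q.append((ts, rec["computer"]))
        while ts - q[0][0] > window:  # drop logons that fell out of the window
            q.popleft()
        hosts = {computer for _, computer in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "src_ip": key[1], "hosts": sorted(hosts),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(load_records(SAMPLE_LOGONS)):
        print(f"{a['user']} from {a['src_ip']} reached {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

The jdoe burst trips the rule at the fifth distinct host; the backup account never has more than one host inside any ten-minute window, so it stays quiet even though it touches more hosts overall. In production the threshold and window are tuned per environment, and vulnerability scanners, backup servers and management hosts go on a per-source allowlist rather than having the threshold raised for everyone.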

Collection

Before encrypting anything, Blacksuit gathers the data it will later use as leverage, typically financial records, personal information, and proprietary business information, and stages it for exfiltration.

Execution

The ransomware binary is then pushed to the compromised systems and launched, typically through command-line and scripting interpreters, to begin encryption.

Exfiltration

Collected data is transferred to servers controlled by the attackers, usually over encrypted channels, so content inspection alone will not reveal what is leaving.
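Encryption hides the content of the transfer but not its size or its destination, which is why volume-based detection on flow data still works against this stage. Below is an added example written for this page, not code from the original article: it aggregates constructed flow records per (source host, destination, port), ignores internal and known-good destinations, and flags anything above a volume threshold. The hosts, addresses, volumes, the known-good endpoint and the 500 MiB threshold are all assumptions; the external addresses come from RFC 5737 documentation ranges.

```python
"""Spotting bulk outbound transfers whether or not the channel is encrypted.

Added example; not from the original page and not Blacksuit code. Input mimics
a minimal flow export (NetFlow/IPFIX or firewall log): timestamp, source host,
destination IP, destination port, bytes sent. Hosts, addresses and volumes are
constructed; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation
ranges standing in for external infrastructure.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO
from typing import Iterable

SAMPLE_FLOWS = """\
timestamp,src_host,dst_ip,dst_port,bytes_out
2024-05-01T01:10:00,WS02,203.0.113.45,443,734003200
2024-05-01T01:25:00,WS02,203.0.113.45,443,812646400
2024-05-01T01:40:00,WS02,203.0.113.45,443,698351616
2024-05-01T01:12:00,WS01,10.0.0.5,445,3221225472
2024-05-01T01:15:00,WS03,203.0.113.9,443,83886080
2024-05-01T01:20:00,FS01,203.0.113.200,22,629145600
2024-05-01T01:35:00,WS04,198.51.100.7,443,1610612736
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_DESTS = {"198.51.100.7"}   # constructed: the organisation's cloud backup endpoint
THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per (host, destination, port) in the period


def load_flows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect_bulk_egress(flows: Iterable[dict[str, str]],
                       threshold: int = THRESHOLD_BYTES) -> list[dict]:
    """Sum bytes sent per (source host, external destination, port) and return
    the tuples at or above `threshold`, largest first."""
    totals: dict[tuple[str, str, str], int] = defaultdict(int)
    for f in flows:
        dst = f["dst_ip"]
        if is_internal(dst) or dst in KNOWN_GOOD_DESTS:
            continue
        totals[(f["src_host"], dst, f["dst_port"])] += int(f["bytes_out"])
    alerts = []
    for (src, dst, port), total in sorted(totals.items(), key=lambda kv: -kv[1]):
        if total >= threshold:
            alerts.append({"src_host": src, "dst_ip": dst, "dst_port": port,
                           "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(load_flows(SAMPLE_FLOWS)):
        print(f"{a['src_host']} -> {a['dst_ip']}:{a['dst_port']} "
              f"{a['bytes_out'] / 2**30:.2f} GiB")
```

The three HTTPS sessions from WS02 add up to about 2.1 GiB to one unknown address and are flagged as a group even though no single flow is remarkable; the SFTP-style transfer from the file server on port 22 is flagged on its own. The large SMB transfer to an internal host and the upload to the known backup endpoint are skipped. A fixed threshold is the simplest version; a per-host baseline of normal daily egress, plus destination rarity, is what makes this scale beyond a demo.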

Impact

The final stage encrypts the victim's data and systems, rendering them unusable. Encrypted files receive the .blacksuit extension and a ransom note named README.BlackSuit.txt is dropped, directing the victim to pay in cryptocurrency for the decryptor and to prevent publication of the stolen data.
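Responders usually meet Blacksuit at this stage, so it is worth being precise about what an encryption run leaves on disk and how much of it is evidence. The following is an added example written for this page, not code from the original article or from Blacksuit: it builds a constructed directory tree with one untouched document, one file carrying the reported .blacksuit extension and near-random content, one legitimate high-entropy file, and a placeholder note with the reported README.BlackSuit.txt name, then classifies each file by extension, name and Shannon entropy of its first 4 KiB. The directory contents and the 7.5 bits-per-byte threshold are assumptions; the extension and note name are the ones reported for Blacksuit.

```python
"""Finding the artefacts an encryption run leaves on disk.

Added example; not from the original page and not Blacksuit code. It builds a
constructed directory tree, then scans it for (a) files carrying the ransomware
extension whose content is near-random, (b) ransom notes, and (c) high-entropy
files that do NOT carry the extension, which is where compressed media and
archives land and why entropy alone is a weak signal. The defaults are the
extension and note name reported for Blacksuit.
"""
import math
import os
import random
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".blacksuit"
NOTE_NAME = "README.BlackSuit.txt"
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_tree() -> str:
    """Create a constructed victim directory and return its path."""
    rng = random.Random(2023)   # deterministic stand-in for ciphertext
    root = tempfile.mkdtemp(prefix="blacksuit-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Plain text, low entropy: an untouched file.
    with open(os.path.join(docs, "budget.txt"), "w") as fh:
        fh.write("Q1 budget: travel 12000, software 8500, training 3000\n" * 50)
    # Encrypted file: original name plus the ransomware extension, random bytes.
    with open(os.path.join(docs, "contract.docx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(bytes(rng.randrange(256) for _ in range(SAMPLE_BYTES)))
    # Legitimate high-entropy content (stand-in for a JPEG or ZIP), own name.
    with open(os.path.join(docs, "holiday.jpg"), "wb") as fh:
        fh.write(bytes(rng.randrange(256) for _ in range(SAMPLE_BYTES)))
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("(constructed placeholder; not a real ransom note)\n")
    return root


def scan_tree(root: str, ext: str = ENCRYPTED_EXT,
              note_name: str = NOTE_NAME) -> dict[str, list[str]]:
    """Classify every file under `root`; paths are returned relative to it."""
    findings: dict[str, list[str]] = {"encrypted": [], "notes": [], "high_entropy_other": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == note_name:
                findings["notes"].append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if shannon_entropy(head) < ENTROPY_THRESHOLD:
                continue
            if name.lower().endswith(ext):
                findings["encrypted"].append(rel)
            else:
                findings["high_entropy_other"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```

The budget file stays below the threshold, the renamed contract is reported as encrypted, the note is found by name, and the JPEG stand-in lands in the third bucket: it is just as random as the ciphertext, so a detector keyed on entropy alone would page on every photo share. The corroborating signals are the extension change and the note; in a live environment this logic belongs on a handful of decoy files watched for modification, not in a periodic full-disk scan.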

MITRE ATT&CK Mapping

TTPs used by Blacksuit

Tactic                          Technique
TA0001 Initial Access           T1566 Phishing
                                T1190 Exploit Public-Facing Application
TA0002 Execution                T1059 Command and Scripting Interpreter
TA0003 Persistence              none mapped
TA0004 Privilege Escalation     none mapped
TA0005 Defense Evasion          T1027 Obfuscated Files or Information
TA0006 Credential Access        T1003 OS Credential Dumping
TA0007 Discovery                none mapped
TA0008 Lateral Movement         T1021 Remote Services
TA0009 Collection               none mapped
TA0010 Exfiltration             T1041 Exfiltration Over C2 Channel
TA0011 Command and Control      none mapped
TA0040 Impact                   T1486 Data Encrypted for Impact

The attack narrative above names several behaviours that this mapping leaves blank. Their ATT&CK entries are T1068 Exploitation for Privilege Escalation, T1562.001 Impair Defenses: Disable or Modify Tools, T1056.001 Input Capture: Keylogging, T1110 Brute Force, T1078 Valid Accounts, T1018 Remote System Discovery, T1083 File and Directory Discovery, and T1005 Data from Local System.

FAQs

What is Blacksuit ransomware?

Blacksuit is a ransomware group known for targeting critical infrastructure sectors and using advanced tactics to breach and encrypt victim networks.

How does Blacksuit typically gain initial access to a network?

They often use phishing emails, exploit vulnerabilities in public-facing applications, and send malicious attachments or links.

Which industries are most frequently targeted by Blacksuit?

Educational services, public administration, construction, professional and technical services, wholesale trade, and manufacturing are primary targets.

What techniques does Blacksuit use for privilege escalation?

They exploit software vulnerabilities and use tools like Mimikatz to gain higher-level access.

How does Blacksuit evade detection?

They use techniques such as disabling security tools, obfuscating code, and leveraging trusted system processes.

What methods are used by Blacksuit for credential access?

They employ keyloggers, credential dumping tools, and brute force attacks.

How does Blacksuit perform lateral movement within a network?

By using legitimate administrative tools and compromised credentials to access additional systems.

What types of data does Blacksuit exfiltrate?

Financial data, personal information, and proprietary business information are commonly exfiltrated.

How does Blacksuit execute the ransomware payload?

The ransomware is deployed and executed to encrypt files on the compromised systems.

What are some effective defenses against Blacksuit?

Strong phishing defenses, prompt patching of internet-facing applications, robust credential management (MFA on remote access, unique local administrator passwords, protected LSASS), offline and regularly tested backups, and endpoint or extended detection and response (EDR/XDR) tuned for credential dumping, security-tool tampering, and shadow-copy deletion.