Unraveling the BlackSuit Ransomware Network with DNS Insights

Short Summary:

The article discusses a significant data breach involving nearly 1 million individuals’ information due to a BlackSuit ransomware attack on April 10, 2024. The compromised data included sensitive personal information. The Cybersecurity and Infrastructure Security Agency (CISA) updated its advisory on BlackSuit, revealing it as a rebranded version of the Royal ransomware. The article also details the investigation’s findings, including numerous indicators of compromise (IoCs) and the geographical distribution of the associated IP addresses.

Key Points:

  • Nearly 1 million individuals’ information was stolen in a BlackSuit ransomware attack.
  • Compromised data included Social Security numbers, birthdays, and insurance claim information.
  • CISA updated its BlackSuit ransomware advisory with 91 IoCs, including domain names and IP addresses.
  • BlackSuit is a rebranded version of the Royal ransomware, targeting healthcare organizations.
  • The investigation uncovered additional IoCs, including 112 email-connected domains and 21 IP-connected domains.
  • The geographical distribution of the 72 IP address IoCs spanned 29 countries, with a majority traced to the U.S.
  • Further analysis revealed historical WHOIS records and additional email addresses linked to the IoCs.

MITRE ATT&CK TTPs – created by AI

  • Data Encrypted for Impact – T1486
    • Ransomware encrypts files to demand payment for decryption; threat actors target sensitive data to maximize impact and leverage for ransom.
  • Credential Dumping – T1003
    • Potential access to sensitive information such as Social Security numbers and insurance claims.

Nearly 1 million individuals’ information was stolen and exposed when threat actors launched a BlackSuit ransomware attack on 10 April 2024. The investigation revealed that the compromised data included the victims’ Social Security numbers (SSNs), birthdays, and insurance claim information.

Data breach notifications were sent in the last week of August. Around that time, specifically on 27 August 2024, the Cybersecurity and Infrastructure Security Agency (CISA) also updated its BlackSuit ransomware advisory. Its latest STIX file contains 91 indicators of compromise (IoCs) comprising 14 domain names, five subdomains, and 72 IP addresses. The agency also revealed that BlackSuit is a rebranded version of the Royal ransomware, a threat group that targeted healthcare organizations and demanded ransom payments ranging from US$250,000 to US$2 million.

The WhoisXML API research team pivoted off these cyber resources to expand the list of IoCs and uncover relevant threat artifacts. The analysis led to the discovery of:

  • 112 email-connected domains
  • 10 additional IP addresses, five of which were found to be malicious
  • 21 IP-connected domains
  • 137 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the BlackSuit IoCs

To learn more about the published IoCs, we first ran the 15 domains, comprising the 14 domain names identified as IoCs and one domain extracted from the subdomain IoCs, on Bulk WHOIS Lookup. We found that one domain IoC did not have current WHOIS data and thus was excluded from the analysis.

Next, we ran a bulk IP geolocation lookup for the 72 IP addresses identified as IoCs and found that:

  • Their geolocations were distributed across 29 countries. A majority were traced to the U.S. (24 IP addresses), Algeria (seven IP addresses), Russia (five IP addresses), and Morocco (four IP addresses). Three IP address IoCs each were geolocated in the Netherlands and Argentina, while two each were geolocated in Germany, Tunisia, and Colombia. Twenty other countries accounted for one IP address IoC each.
  • The Constant Company and Algeria Telecom administered seven IP addresses each, while Virgin Media, Global Internet Solutions, Maroc Telecom, and Telecom Argentina administered two IP addresses each. Thirty-one other ISPs accounted for one IP address IoC each, while 19 IP addresses did not have current ISP information.

Uncovering Potential BlackSuit Ransomware Threat Artifacts

To proactively hunt for potential BlackSuit-related threats, we queried the 14 domain IoCs and the one root domain extracted from the subdomain IoCs on WHOIS History API. The results showed that they had 31 email addresses in their historical WHOIS records, five of which were public.

Jumping off the five public email addresses, our Reverse WHOIS API queries led to the discovery of 112 email-connected domains after removing duplicates and the IoCs.

We then ran the 14 domain IoCs and five subdomain IoCs on DNS Lookup and found that while four of the 19 did not have active IP resolutions, the remaining 15 resolved to 10 IP addresses not on the original IoC list.
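The pivots described above (classify the advisory's STIX indicators into domains, subdomains and IPs; derive the root domain of each subdomain; resolve the names and keep only IPs absent from the original IoC list) can be scripted for any advisory feed. The following is an added example, not WhoisXML API's or CISA's code: the STIX bundle is constructed with placeholder values, root-domain extraction is a naive last-two-labels rule (no Public Suffix List handling), and DNS resolution is injected as a callable so the script runs offline against a constructed answer map.

```python
import json
import re
from ipaddress import ip_address

# Constructed STIX 2.1 bundle in the shape of an advisory indicator feed.
# All values are placeholders, not real BlackSuit IoCs.
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'example-ioc.test']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'cdn.other-ioc.test']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "malware", "name": "placeholder-family"},  # non-indicator, skipped
]})

PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")

def parse_indicators(bundle_json):
    """Split STIX indicator patterns into (domains, subdomains, ips) sets."""
    domains, subdomains, ips = set(), set(), set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for kind, value in PATTERN_RE.findall(obj["pattern"]):
            if kind == "ipv4-addr":
                ips.add(str(ip_address(value)))      # validates and normalises
            elif value.count(".") >= 2:              # naive: assumes 1-label TLDs
                subdomains.add(value.lower())
            else:
                domains.add(value.lower())
    return domains, subdomains, ips

def root_domain(name):
    """Naive registrable domain: last two labels (no PSL, so x.co.uk is wrong)."""
    return ".".join(name.rsplit(".", 2)[-2:])

def pivot_roots(domains, subdomains):
    """Root domains of subdomain IoCs that are not already domain IoCs."""
    return {root_domain(s) for s in subdomains} - domains

def new_resolution_ips(names, ioc_ips, resolve):
    """Resolve each name; return (IPs not on the IoC list, names with no answer)."""
    new_ips, unresolved = set(), set()
    for name in sorted(names):
        answers = resolve(name)
        if not answers:
            unresolved.add(name)
        new_ips.update(ip for ip in answers if ip not in ioc_ips)
    return new_ips, unresolved

# Constructed offline "DNS Lookup" answers standing in for a live resolver.
FAKE_DNS = {"example-ioc.test": ["203.0.113.10", "192.0.2.5"], "cdn.other-ioc.test": []}
```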

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post