The BlackSuit ransomware group, an evolution of the Royal ransomware, has emerged as a significant cyber threat since mid-2023, utilizing advanced tactics to extort over $500 million from various industries worldwide. This analysis delves into their operational strategies, notable incidents, and defense mechanisms to mitigate their impact.
Affected: Kadokawa Corporation, Niconico, CDK Global
Key points:
- BlackSuit ransomware group emerged in mid-2023 as a successor to Royal ransomware.
- Utilizes advanced tactics, including phishing, RDP exploitation, and double extortion.
- Has extorted over $500 million from various industries, including education and automotive.
- Notable incidents include attacks on Kadokawa Corporation and CDK Global.
- Employs sophisticated techniques such as partial encryption and credential dumping.
- Effective defenses include regular backups, timely patching, and employee training.
MITRE Techniques:
- Initial Access – Phishing: Spearphishing Attachment (MITRE T1566.001) – Uses phishing emails with malicious attachments to gain access.
- Initial Access – Remote Desktop Protocol (MITRE T1021.001) – Exploits RDP vulnerabilities or conducts brute-force attacks to gain unauthorized access.
- Execution – Service Execution (MITRE T1569.002) – Utilizes Cobalt Strike for remote process execution and service creation.
- Execution – PowerShell (MITRE T1059.001) – Executes commands via PowerShell in a hidden window to avoid detection.
- Persistence – Registry Run Keys / Startup Folder (MITRE T1547.001) – Creates registry keys to maintain persistence on infected systems.
- Defense Evasion – Modify Registry (MITRE T1112) – Modifies registry settings to enable RDP access while evading detection.
- Credential Access – AS-REP Roasting (MITRE T1208) – Uses Rubeus to request Kerberos AS-REP responses for accounts that do not require pre-authentication, so the encrypted material can be cracked offline without knowing a password.
- Discovery – System Information Discovery (MITRE T1082) – Executes systeminfo command to gather system details.
- Lateral Movement – Pass-the-Hash (MITRE T1550.002) – Uses stolen NTLM hashes for authentication across systems.
- Impact – Data Encrypted for Impact (MITRE T1486) – Uses partial encryption, encrypting only a portion of each file, so that large volumes of data are rendered unusable quickly.
Indicators of Compromise:
- [file hash] 13A5C3B72F81554E04B56D960D3A503A4B08EC77ABB43756932A68B98DAC1479
- [file hash] 15D4A2FC500DFA55A64221A0A38D9C47510D8D348D3289C89D26E6184DDD51FF
- [file hash] 250BCBFA58DA3E713B4CA12EDEF4DC06358E8986CAD15928AA30C44FE4596488
- [file hash] 27E300FA67828D8FFD72D0325C6957FF54D2DC6A060BBF6FC7AA5965513468E0
- [file hash] 312F34EE8C7B2199A3E78B4A52BD87700CC8F3AA01AA641E5D899501CB720775
- See the full research linked below for the complete list of IoCs.
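To make the technique list and the IoC list above directly usable in a SOC, the following is an added example (not code from Picus or from the original summary) that matches file hashes against the SHA-256 values listed on this page and flags process-creation events that exhibit the listed behaviours: hidden-window PowerShell (T1059.001), Run-key persistence (T1547.001), RDP enablement through fDenyTSConnections (T1112), systeminfo execution (T1082), and a Rubeus AS-REP roast (T1208). The event records, field names (Image, CommandLine) and command lines are constructed for illustration and are not taken from any real telemetry.

```python
"""Added example: IoC hash matching and TTP triage for the BlackSuit
techniques listed on the page. Sample events below are constructed."""
import hashlib
import re

# SHA-256 indicators exactly as listed on the page (uppercase hex).
BLACKSUIT_SHA256 = {
    "13A5C3B72F81554E04B56D960D3A503A4B08EC77ABB43756932A68B98DAC1479",
    "15D4A2FC500DFA55A64221A0A38D9C47510D8D348D3289C89D26E6184DDD51FF",
    "250BCBFA58DA3E713B4CA12EDEF4DC06358E8986CAD15928AA30C44FE4596488",
    "27E300FA67828D8FFD72D0325C6957FF54D2DC6A060BBF6FC7AA5965513468E0",
    "312F34EE8C7B2199A3E78B4A52BD87700CC8F3AA01AA641E5D899501CB720775",
}


def is_listed_hash(hexdigest: str) -> bool:
    """True when a SHA-256 hex digest (any case) is one of the page's IoCs."""
    return hexdigest.strip().upper() in BLACKSUIT_SHA256


def file_matches_ioc(data: bytes) -> bool:
    """Hash raw file bytes and compare against the IoC set."""
    return is_listed_hash(hashlib.sha256(data).hexdigest())


# Behavioural rules: (MITRE id, regex on image file name, regex on command line).
# Both regexes are applied case-insensitively; the image regex is a full match.
RULES = [
    ("T1059.001", r"powershell(\.exe)?", r"-w(indowstyle)?\s+h(idden)?\b"),
    ("T1547.001", r"reg(\.exe)?", r"\\CurrentVersion\\Run\b"),
    ("T1112", r"reg(\.exe)?", r"fDenyTSConnections.*/d\s+0\b"),
    ("T1082", r"systeminfo(\.exe)?", r".*"),
    ("T1208", r".*", r"\basreproast\b"),
]


def triage_events(events):
    """Return (event index, technique id) pairs for every rule an event trips.

    Each event is a dict with at least 'Image' (full path) and 'CommandLine'.
    """
    hits = []
    for idx, ev in enumerate(events):
        image_name = ev["Image"].rsplit("\\", 1)[-1]
        for technique, image_re, cmd_re in RULES:
            if re.fullmatch(image_re, image_name, re.I) and re.search(
                cmd_re, ev["CommandLine"], re.I
            ):
                hits.append((idx, technique))
    return hits


# Constructed process-creation events (Sysmon-style field names, not real data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Users\Public\u.ps1"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
    {"Image": r"C:\Users\Public\Rubeus.exe", "CommandLine": "Rubeus.exe asreproast /format:hashcat"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for idx, technique in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
    print("benign bytes match IoC:", file_matches_ioc(b"constructed benign content"))
```

The rules are deliberately narrow so that each one maps to exactly one technique on the page; in production they would be broadened (for example, `-enc` payloads for T1059.001, or `Set-ItemProperty` writes to the Run key) and fed from real Sysmon event ID 1 or Windows 4688 records rather than the constructed list.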
Full Research: https://www.picussecurity.com/resource/blog/blacksuit-ransomware-group