Summary:
Unit 42 has reported a significant increase in BlackSuit ransomware activity, which is a rebranding of the Royal ransomware. Since its emergence in May 2023, the group, tracked as Ignoble Scorpius, has targeted at least 93 victims globally, primarily in the construction and manufacturing sectors. The average ransom demand is approximately 1.6% of the victim’s annual revenue, highlighting the financial impact on organizations.
Keypoints:
BlackSuit ransomware is a rebrand of Royal ransomware, tracked by Unit 42 as Ignoble Scorpius.
Since March 2024, there has been an increase in BlackSuit ransomware activity.
At least 93 victims have been identified globally, with a focus on construction and manufacturing sectors.
The average ransom demand is about 1.6% of the victim organization’s annual revenue.
The median revenue of victims is approximately $19.5 million.
BlackSuit operates a dark web leak site to extort victims by publishing their names and stolen data.
Initial access methods include phishing, SEO poisoning, and software supply chain attacks.
Credential access techniques involve tools like Mimikatz and NanoDump.
Victims are primarily located in the United States.
MITRE Techniques:
Initial Access (T1566.001): Utilizes phishing campaigns with malicious email attachments.
Initial Access (T1608.006): Employs SEO poisoning with GootLoader.
Initial Access (T1078): Uses legitimate VPN credentials obtained via social engineering.
Initial Access (T1195.002): Conducts software supply chain attacks.
Credential Access (T1003.001): Dumps LSASS via Taskmgr.
Credential Access (T1003.006): Performs DCSync attacks.
Credential Access (T1557): Uses Impacket for adversary-in-the-middle attacks.
Credential Access (T1558.002): Requests Kerberos service tickets.
Credential Access (T1003.003): Dumps NTDS.dit file via ntdsutil.
Lateral Movement (T1021.001): Moves laterally using RDP.
Lateral Movement (T1021.002): Uses SMB for lateral movement.
Lateral Movement (T1570): Employs PsExec for lateral movement.
Defense Evasion (T1562.001): Disables antivirus and EDR solutions using vulnerable drivers.
Exfiltration (T1048): Exfiltrates data using WinRAR, 7-Zip, and Rclone.
Execution (T1486): Encrypts files using BlackSuit ransomware.
Impact (T1490): Deletes shadow backups to inhibit system recovery.
Impact (T1486): Encrypts data for impact.
IoC:
[url] hxxp[://]weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd[.]onion
[others] Mutex: GlobalWLm87eV1oNRx6P3E4Cy9
[file name] README.BlackSuit.txt
[file hash] Not specified
[tool name] Rclone
[tool name] Mimikatz
[tool name] NanoDump
[tool name] Cobalt Strike
[tool name] SystemBC
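The IoC list above is published in defanged form (hxxp, [.]) and mixes several indicator types (a leak-site URL, a mutex, a ransom-note file name, tool names). The following is an added example, not code from Unit 42 or from the report, showing how a defender can refang those indicators and sweep them, together with the shadow-copy deletion behaviour listed under T1490, across telemetry. The event lines are constructed for this example in a generic key=value format; the mutex is matched with an optional backslash after "Global" because the page lists it without a separator, which is an assumption about how the name was extracted.

```python
import re
from dataclasses import dataclass

# Indicators copied from the IoC list on this page. The onion URL is kept
# defanged here and only refanged when it is used for matching.
DEFANGED_ONION_URL = "hxxp[://]weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd[.]onion"
RANSOM_NOTE = "README.BlackSuit.txt"
TOOL_NAMES = ("rclone", "mimikatz", "nanodump", "cobalt strike", "systembc")
# Assumption: the page shows the mutex as "GlobalWLm87eV1oNRx6P3E4Cy9"; a
# Windows global mutex is normally written "Global\<name>", so the separator
# is made optional rather than guessed.
MUTEX_RE = re.compile(r"global\\?wlm87ev1onrx6p3e4cy9", re.IGNORECASE)
# T1490 behaviour named on the page: deletion of volume shadow copies.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form (hxxp -> http, [.] -> .)."""
    out = indicator.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def onion_host(url: str) -> str:
    """Extract the host part of a (possibly defanged) URL for host-based matching."""
    live = refang(url)
    return re.sub(r"^https?://", "", live, flags=re.IGNORECASE).split("/")[0].lower()


@dataclass
class Hit:
    rule: str
    line: str


def scan(lines):
    """Return one Hit per (rule, line) pair; a line can trigger several rules."""
    hits = []
    host = onion_host(DEFANGED_ONION_URL)
    for line in lines:
        low = line.lower()
        if host in low:
            hits.append(Hit("leak_site_contact", line))
        if MUTEX_RE.search(line):
            hits.append(Hit("blacksuit_mutex", line))
        if RANSOM_NOTE.lower() in low:
            hits.append(Hit("ransom_note_written", line))
        if SHADOW_DELETE_RE.search(line):
            hits.append(Hit("shadow_copy_deletion_T1490", line))
        for tool in TOOL_NAMES:
            if tool in low:
                hits.append(Hit("tooling_" + tool.replace(" ", "_"), line))
    return hits


# Constructed sample telemetry (not real logs) in a generic key=value layout.
SAMPLE_EVENTS = [
    '2024-08-01T10:02:11Z host=WS01 event=ProcessCreate image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    "2024-08-01T10:02:15Z host=WS01 event=FileCreate path=C:\\Users\\Public\\README.BlackSuit.txt",
    '2024-08-01T10:03:40Z host=FS02 event=ProcessCreate image=C:\\Temp\\rclone.exe cmdline="rclone.exe copy D:\\Share remote:bucket"',
    "2024-08-01T10:05:02Z host=WS01 event=NetworkConnect dst=weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion dport=80",
    '2024-08-01T10:06:30Z host=WS03 event=ProcessCreate image=C:\\Windows\\explorer.exe cmdline="explorer.exe"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.rule}] {hit.line}")
```

Substring matching on tool names is deliberately loose and will produce false positives on legitimate use of rclone or 7-Zip; in practice the hits on behaviour (shadow-copy deletion, the ransom note, the leak-site host) are the ones worth paging on, and the tool-name rules serve as context during triage.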
Full Research: https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/