BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware

The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations spanning a year.

Researchers from ReliaQuest analyzed in-depth an attack that took place in April from the ransomware group, which has been active since May 2023. The group — believed to be spun off from the Royal ransomware gang — primarily targets US-based companies in critical sectors such as education and industrial goods, choosing targets carefully to maximize financial gain, according to a blog post published yesterday.

"This targeting pattern strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood of a successful attack or a speedy ransom payment," according to the Reliaquest Threat Research Team post.

BlackSuit uses a double-extortion method and other tactics, techniques, and procedures (TTPs) that reflect a maturity atypical of a group that's only been around for a year. This reflects its origin in Royal, which in turn was comprised of members of the formidable and now-defunct Conti ransomware gang.

"The group's pedigree, varied malware deployment methods, and advanced encryption and system-recovery processes indicate that BlackSuit's operators are likely experienced and technically proficient," the team wrote.

The attack investigated by ReliaQuest shows BlackSuit using an array of of "straightforward TTPs" that begin including Kerberoasting and leveraging PsExec for lateral movment, FTP for exfiltration, brute forcing, and the ultimate deployment of ransomware from a virtual machine.

In-Depth Attack Sequence

The BlackSuit attack observed in April began when a threat actor gained VPN access to the customer's environment through a valid account, likely using credentials that were brute-forced or accessed in a password dump. The VPN was an easy target for initial access because it was "a non-primary VPN gateway at a disaster recovery site and was not configured to enforce multifactor authentication or certificate requirements," the team noted.

Over the next week, the attacker moved laterally across several Windows workstations, primarily using PsExec, a remote administration tool that was already in use in the customer environment.

After a three-day pause in the action — likely because the attack was done by an initial-access broker who then sold BlackSuit or one of its affiliates access to the environment — the attack resumed with the attacker authenticating to a Windows server and then downloading a custom payload that allowed loading of Rubeus, a toolkit for Kerberos abuse, into PowerShell.

It then compromised more than 20 users through Kerberoasting — a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking, according to security firm Qomplx — as well as an additional account via AS-REP roasting.

The attacker used an unmonitored Windows server to initiate FTP connections to an external IP address to send more than 100 gigabytes of data over the next six hours, then set up a malicious Windows VM likely used "to obfuscate the ransomware deployment from endpoint security tools," according to Reliaquest researchers.

"The threat actor used PsExec from their VM to copy the ransomware payload — which was hosted on a network share — to hundreds of hosts through Server Message Block (SMB)," the team wrote. "Following this, WMIC was used to load the ransomware payload as a library, thus executing the encrypter."

Once the attack was detected, the impacted organization took immediate action to roll passwords across the domain and isolate the compromised site from other global locations to limit the impact. It ultimately focused on remediation through hash banning and host isolation using endpoint security solutions, according to Reliaquest.

The customer worked to detect potential data leakage and monitor its digital assets, as well as deployed "various detection rules … to strengthen the organization's defensive posture, including those to identify malware, suspicious DNS requests, and lateral movement activities," according to the post.

Mitigating Various Ransomware Attack Stages

ReliaQuest revealed several mitigation tactics that organizations can take for each of the attack steps it observed. For instance, to avoid the initial misconfiguration of the VPN that allowed for initial access, the team suggested that organizations use centralized change management and version control to deploy network device configurations instead of managing devices individually.

This "will cut down on misconfigurations, and, when paired with an automated inventory mapping solution, will help to ensure there are no hidden misconfigured or legacy devices," according to the post.

Organizations also can better track lateral movements by monitoring Windows event logs and deploying a robust endpoint detection and response (EDR) tool, neither of which the customer did.

"Many organizations choose not to forward Windows logs from workstations because of ingest restrictions on existing SIEM licenses," the team noted. "It's important for organizations to be aware of the risks when making this decision and to compensate if possible."

While Kerberoasting is difficult to mitigate entirely, "because anyone can request a ticket-granting service (TGS) ticket for any service principal name (SPN) to crack offline," the researchers noted that organizations can take steps "to put the burden on the adversary and make it an unattractive option."

One of those is to disable the ability to request weak encryption types to strengthen passwords, "which is often more straightforward than retroactively enforcing password complexity," the ReliaQuest team suggested.