The leaking of stolen data by the BlackSuit ransomware gang from attacks on 53 organizations over the past year has raised significant concerns about cybersecurity threats impacting critical sectors. A recent analysis by researchers from ReliaQuest delved deep into an attack that occurred in April, shedding light on the operations of this ransomware group that has been active since May 2023. The BlackSuit gang, believed to have split from the Royal ransomware gang, primarily focuses on targeting US-based companies in sectors such as education and industrial goods to maximize financial gains.
The targeting patterns of BlackSuit suggest a strong financial motivation, with a keen emphasis on critical sectors with smaller cybersecurity budgets or low tolerance for downtime. This calculated approach increases the likelihood of successful attacks or prompt ransom payments, as indicated by the Threat Research Team at ReliaQuest. The group’s use of double-extortion methods and sophisticated tactics, techniques, and procedures (TTPs) demonstrates a level of maturity not commonly associated with a group only a year old. This maturity can be traced back to the group’s origins in the Royal ransomware gang, which comprised members of the now-defunct Conti ransomware gang.
The technical proficiency and experience of BlackSuit’s operators are evident in their deployment of varied malware methods and advanced encryption and system-recovery processes. The attack analyzed by ReliaQuest showcased BlackSuit employing a range of TTPs, including using Kerberoasting, PsExec for lateral movement, FTP for data exfiltration, brute-forcing, and ultimately deploying ransomware from a virtual machine.
The in-depth analysis of the April attack revealed a multi-step sequence that began with threat actors gaining VPN access to a customer’s environment through brute-forced or stolen credentials. The attacker then moved laterally across multiple Windows workstations using tools like PsExec before deploying custom payloads like Rubeus for Kerberos abuse. The attack involved compromising user accounts through Kerberoasting and AS-REP roasting, culminating in the exfiltration of over 100 gigabytes of data and the deployment of ransomware from a malicious Windows VM.
Upon detection of the attack, the impacted organization took swift action to contain the breach, change passwords, and isolate compromised systems to mitigate the impact. The post-incident response focused on strengthening security measures, including monitoring for data leakage, enhancing detection rules, and isolating hosts using endpoint security solutions.
To mitigate various stages of ransomware attacks, organizations can implement proactive measures such as centralized change management for network devices, monitoring Windows event logs, deploying robust endpoint detection and response tools, and disabling weak encryption types to strengthen passwords. While challenges persist in mitigating threats like Kerberoasting, organizations can adopt strategies to deter attackers and enhance their defensive posture against evolving ransomware tactics.
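As an added defender-side illustration (not from the ReliaQuest report or the original article), the Python below applies two of the Windows event log checks mentioned above to constructed Security event records: a burst of RC4-encrypted (0x17) service-ticket requests (Event ID 4769) from one account as a Kerberoasting signal, and TGT requests (Event ID 4768) with pre-authentication disabled and RC4 as an AS-REP roasting signal. The simplified field names, sample accounts and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample records modelled on Windows Security events 4769 (service
# ticket requested) and 4768 (TGT requested). Not real logs from any incident.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "MSSQLSvc/db01", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "http/web01", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_report", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4769, "account": "asmith@CORP.LOCAL", "service": "cifs/fs01", "enc": "0x12", "src": "10.0.7.3"},
    {"id": 4769, "account": "WS01$@CORP.LOCAL", "service": "DC01$", "enc": "0x17", "src": "10.0.7.9"},
    {"id": 4768, "account": "svc_legacy", "preauth": "0", "enc": "0x17", "src": "10.0.5.20"},
    {"id": 4768, "account": "asmith", "preauth": "2", "enc": "0x12", "src": "10.0.7.3"},
]

# Kerberos ticket encryption types as logged in TicketEncryptionType.
RC4_HMAC = "0x17"           # weak type that offline cracking tools target
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256; what "disable weak types" leaves enabled


def detect_kerberoasting(events, threshold=3):
    """Return {account: [services]} for accounts that requested RC4 service
    tickets for at least `threshold` distinct SPNs. Computer accounts (names
    ending in '$') are excluded because their passwords are machine-generated."""
    rc4_services = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["enc"] != RC4_HMAC:
            continue
        if e["service"].endswith("$") or e["account"].split("@")[0].endswith("$"):
            continue
        rc4_services[e["account"]].add(e["service"])
    return {acct: sorted(s) for acct, s in rc4_services.items() if len(s) >= threshold}


def detect_asrep_roasting(events):
    """Return accounts whose TGT was issued without pre-authentication
    (PreAuthType 0) using RC4, the combination AS-REP roasting relies on."""
    return sorted(e["account"] for e in events
                  if e["id"] == 4768 and e["preauth"] == "0" and e["enc"] == RC4_HMAC)


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting candidates:", detect_asrep_roasting(SAMPLE_EVENTS))
```

In a real environment these heuristics would be fed from the domain controllers' Security logs and tuned per account and time window; the RC4 filter is also a quick way to find which accounts still depend on the weak encryption type before it is disabled.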
In conclusion, the evolving landscape of ransomware threats underscores the critical need for organizations to bolster their cybersecurity defenses, enhance threat detection capabilities, and implement robust incident response protocols to mitigate the impact of sophisticated attacks like those orchestrated by the BlackSuit ransomware gang. By staying vigilant, proactive, and adaptive in their security practices, organizations can better protect their valuable data and infrastructure from the growing menace of ransomware threats.

