'Ransomware in focus' is our new series aimed at unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures behind their operations, this series serves to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware.
In our first instalment, Melissa DeOrio, Global Threat Intelligence Lead, details information about the operations of BlackSuit.
Background
BlackSuit is assessed to be a sophisticated, financially motivated cybercriminal group. First identified in May 2023, it is not a prolific group, but it is believed to be made up of highly skilled ransomware operators because of its claimed associations with the Royal and Conti ransomware groups, both of which were historically well organised and technically capable. Because the group operates a closed model, little information about its associates is publicly identifiable; however, its suspected ties to Royal make it likely that its members originate from Russia and other former Soviet Union countries.
Motivations
BlackSuit is a financially motivated group that targets organisations opportunistically across all sectors. It seeks to exfiltrate sensitive information from a victim, encrypt the victim's data, and monetise the intrusion through extortion.
Business model
BlackSuit runs a private ransomware operation rather than a Ransomware-as-a-Service (RaaS) model: it does not rent its encryptor to affiliates in exchange for a share of the ransom payments. Operating as a closed group can indicate close-knit relationships between members, and it appeals to actors who want tighter operational security, since it reduces the risk of law enforcement infiltration and insider threats.
Affiliations
It is highly likely that BlackSuit is a spin-off of the Royal ransomware group. We assess this with high confidence based on several independent technical analyses and government reports on the group's associations. Analysis of the BlackSuit and Royal ransomware binaries by several independent organisations has found them to be nearly identical: they share command line arguments, large portions of code, file exclusion lists and similar intermittent encryption techniques. In November 2023, the US Government noted that BlackSuit may be a planned spin-off of the Royal variant. Although this has not been directly confirmed, the similarities between the two brands make it highly likely that the malware was written by the same author or in close collaboration with Royal. The degree of overlap between the members of BlackSuit and Royal, or its predecessor, cannot be confirmed.
Victimology
Since its emergence in May 2023, BlackSuit has breached at least 95 organisations globally, though the true number of victims is likely higher. Despite confirmed attacks against several critical infrastructure sectors, we assess with moderate confidence that the group targets organisations indiscriminately, based on the wide variety of sectors represented among the victims posted to the group's leak site.
88% of victims are SMEs
The majority of BlackSuit's victims to date have been small and medium-sized businesses (businesses with fewer than 1,000 employees).
Companies targeted in the last 30 days, by country* (Source: ecrime.ch)
Notable Attacks
- In June 2024, BlackSuit breached CDK Global, a provider of dealer-management software used widely by car dealerships across the United States. The attack forced CDK to shut down its IT systems and data centres, causing widespread disruption to sales departments at dealerships across the country; many dealerships had to process transactions manually for extended periods.
- In June 2024 the group also targeted Kansas City, Kansas, publishing hundreds of sensitive files from the city's police department after the city refused to pay the ransom demand.
Companies targeted in the last 30 days, by sector* (Source: ecrime.ch)
*Data based on victims posted to the actor’s leak site, and thus unlikely to be comprehensive of all victims.
Tactics, Techniques and Procedures (TTPs)
Initial access
BlackSuit has been observed gaining initial access by logging in with valid credentials to VPNs protected only by a username and password, with no multi-factor authentication. It is unclear how BlackSuit obtains those credentials, but common routes include breached-data dumps, purchase from an initial access broker, and brute-force attacks against the VPN login. The group has also been found to run highly sophisticated spear-phishing campaigns.
Propagation
Once inside a network, BlackSuit has used Advanced IP Scanner for network reconnaissance, AnyDesk and ConnectWise for persistent remote access, and PsExec to move laterally between hosts. In some cases BlackSuit has used Kerberoasting: requesting Kerberos service tickets for Active Directory accounts that have a Service Principal Name (SPN), then cracking those tickets offline to recover the accounts' passwords.
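The two propagation behaviours above leave distinctive traces in Windows event logs: Kerberoasting shows up as a burst of Event ID 4769 service-ticket requests with the RC4-HMAC encryption type (0x17) for several different SPN accounts from one requester, and PsExec or remote-access-tool deployment shows up as Event ID 7045 service installs. The following detection logic is an added example written for this article, not BlackSuit tooling or the original author's code; the log records are constructed in an assumed flat key=value export format, the alert threshold and the remote-tool watchlist are illustrative tuning choices, and the field names map to the real 4769/7045 fields noted in the comments.

```python
"""Added example: detection logic for Kerberoasting (4769 + RC4 tickets) and
PsExec / remote-access-tool service installs (7045), run over constructed
Windows event records. Not from the original article and not BlackSuit's code."""
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType that Kerberoasting tools request (crackable offline)
KERBEROAST_THRESHOLD = 3   # distinct SPN accounts per requester before alerting (assumed tuning)
# Illustrative watchlist, matched case-insensitively against service name and image path.
REMOTE_TOOL_MARKERS = ("psexesvc", "anydesk", "screenconnect")

# Constructed sample records in a '|'-separated key=value shape (assumed SIEM export).
# 4769 keys map to TargetUserName / ServiceName / TicketEncryptionType / IpAddress;
# 7045 keys map to the service-install event's ServiceName / ImagePath.
SAMPLE_EVENTS = [
    "EventID=4769|Requester=jsmith@CORP.LOCAL|Service=krbtgt|TicketEncryptionType=0x12|Status=0x0|Src=10.0.1.25",
    "EventID=4769|Requester=jsmith@CORP.LOCAL|Service=svc_sql|TicketEncryptionType=0x17|Status=0x0|Src=10.0.1.25",
    "EventID=4769|Requester=jsmith@CORP.LOCAL|Service=svc_backup|TicketEncryptionType=0x17|Status=0x0|Src=10.0.1.25",
    "EventID=4769|Requester=jsmith@CORP.LOCAL|Service=svc_web|TicketEncryptionType=0x17|Status=0x0|Src=10.0.1.25",
    "EventID=4769|Requester=jsmith@CORP.LOCAL|Service=svc_iis|TicketEncryptionType=0x17|Status=0x0|Src=10.0.1.25",
    "EventID=4769|Requester=WS01$@CORP.LOCAL|Service=cifs/FS01|TicketEncryptionType=0x12|Status=0x0|Src=10.0.1.30",
    "EventID=4769|Requester=legacyapp@CORP.LOCAL|Service=svc_old|TicketEncryptionType=0x17|Status=0x0|Src=10.0.2.8",
    "EventID=7045|Host=FS01|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe|StartType=demand",
    "EventID=7045|Host=WS02|ServiceName=AnyDesk|ImagePath=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|StartType=auto",
    "EventID=7045|Host=WS03|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe|StartType=auto",
]


def parse_event(line):
    """Split one '|'-separated key=value record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Flag requesters that obtain RC4 service tickets for several distinct SPN accounts.

    A single RC4 ticket (legacyapp below) is common noise from legacy services;
    many distinct services from one source in a short span is the Kerberoasting signal.
    """
    services_by_requester = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue                                   # failed requests do not yield a ticket
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue                                   # AES tickets are not practically crackable
        requester, service = ev.get("Requester", ""), ev.get("Service", "")
        # Machine accounts (trailing '$') and krbtgt (TGT) requests are normal traffic.
        if requester.split("@")[0].endswith("$") or service.lower() == "krbtgt":
            continue
        services_by_requester[(requester, ev.get("Src"))].add(service)
    return [
        {"requester": req, "src": src, "services": sorted(svcs)}
        for (req, src), svcs in services_by_requester.items()
        if len(svcs) >= threshold
    ]


def detect_remote_tool_installs(events):
    """Flag 7045 service installs whose name or image path matches the watchlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue
        haystack = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
        if any(marker in haystack for marker in REMOTE_TOOL_MARKERS):
            hits.append({"host": ev.get("Host"), "service": ev.get("ServiceName")})
    return hits


def run_detections(lines=SAMPLE_EVENTS):
    """Parse the records and return both detection results keyed by rule name."""
    events = [parse_event(line) for line in lines]
    return {
        "kerberoasting": detect_kerberoasting(events),
        "remote_tools": detect_remote_tool_installs(events),
    }


if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(rule, findings)
```

On the constructed records this flags jsmith for pulling RC4 tickets for four distinct service accounts, and the PSEXESVC and AnyDesk installs on FS01 and WS02, while ignoring the machine-account CIFS ticket, the single legacy RC4 ticket and the Spooler service. In production the same logic should be windowed in time, and the durable fix is to stop issuing RC4 tickets at all (AES-only on service accounts, long random passwords or group Managed Service Accounts).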
Encryption
BlackSuit targets Windows and Linux systems. It uses AES to encrypt files and employs intermittent encryption, encrypting only portions of each file, which lets it render a network's data unusable far more quickly than full-file encryption would and weakens detection heuristics that rely on whole-file entropy. There is currently no known public decryptor for this variant.
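The speed and detection trade-off of intermittent encryption is easier to see in code. The script below is an added illustration written for this article, not BlackSuit's encryptor: it encrypts a fixed number of bytes, skips a fixed number, and repeats (the exact chunk sizes BlackSuit uses are not stated here, and the 1024/7168 split is an illustrative assumption), then compares whole-file and per-window Shannon entropy. To keep it standard-library only, AES is replaced by a SHA-256 counter keystream as a stand-in cipher; the demo key and the sample file contents are constructed.

```python
"""Added example: intermittent (partial) file encryption and its effect on
entropy-based detection. Not BlackSuit's code; AES is stood in for by a
SHA-256 counter keystream so the script runs with the standard library only."""
import hashlib
import math
from collections import Counter

KEY = bytes(range(32))                                   # constructed demo key, not a real secret
PLAINTEXT = b"INVOICE 2024-06 customer record;" * 2048   # 64 KiB of highly compressible data
ENCRYPT_LEN, SKIP_LEN = 1024, 7168                       # illustrative split: encrypt 1 KiB of every 8 KiB
WINDOW = 1024                                            # window size for the per-window entropy check


def keystream_xor(key, chunk, offset):
    """Stand-in for AES-CTR: keystream block i for a chunk at `offset` is
    SHA-256(key || offset || i). XOR is symmetric, so the same call decrypts."""
    out = bytearray()
    i = 0
    while len(out) < len(chunk):
        out += hashlib.sha256(key + offset.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(chunk, out))


def intermittent_encrypt(key, data, encrypt_len, skip_len):
    """Encrypt `encrypt_len` bytes, leave `skip_len` bytes untouched, repeat to end of data.
    Returns (output, fraction of bytes actually encrypted). Calling it again on the
    output with the same parameters decrypts, because the keystream is position-bound."""
    out = bytearray(data)
    pos = touched = 0
    stride = encrypt_len + skip_len
    while pos < len(data):
        chunk = data[pos:pos + encrypt_len]
        out[pos:pos + len(chunk)] = keystream_xor(key, chunk, pos)
        touched += len(chunk)
        pos += stride
    return bytes(out), touched / len(data)


def shannon_entropy(data):
    """Bits per byte; ~8.0 for ciphertext, well below that for text and structured data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data, window):
    """Highest entropy over fixed-size windows: a per-window check still catches the
    encrypted runs even when the whole-file entropy looks benign."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def roundtrip_ok():
    """Confirm the partial encryption is reversible with the same parameters."""
    partial, _ = intermittent_encrypt(KEY, PLAINTEXT, ENCRYPT_LEN, SKIP_LEN)
    return intermittent_encrypt(KEY, partial, ENCRYPT_LEN, SKIP_LEN)[0] == PLAINTEXT


def demo():
    """Compare full-file encryption against intermittent encryption on the sample file."""
    full, _ = intermittent_encrypt(KEY, PLAINTEXT, len(PLAINTEXT), 0)
    partial, fraction = intermittent_encrypt(KEY, PLAINTEXT, ENCRYPT_LEN, SKIP_LEN)
    return {
        "fraction_partial": fraction,                                # share of bytes the cipher touched
        "entropy_plain": shannon_entropy(PLAINTEXT),
        "entropy_full": shannon_entropy(full),
        "entropy_partial_file": shannon_entropy(partial),            # whole-file check: looks benign
        "entropy_partial_max_window": max_window_entropy(partial, WINDOW),  # per-window check: fires
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value:.3f}")
    print("round trip ok:", roundtrip_ok())
```

With these parameters the cipher touches only 12.5% of the bytes, so the encryptor does roughly one eighth of the cryptographic work per file, yet the file is still unusable. The whole-file entropy of the result stays well below the near-8.0 value a fully encrypted file shows, which is why a file-level entropy threshold misses it; the per-window maximum, by contrast, is close to 8.0. Detections that look at entropy should therefore operate on fixed windows, and be paired with non-entropy signals such as mass rename or extension changes and canary files.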
Extortion
BlackSuit employs double extortion (stealing data before encrypting it) to pressure victims into paying, and has a reputation for large ransom demands, with reported average initial demands exceeding USD 2 million. The group sets its highest demands where it is confident that the exfiltrated data is sensitive. It has been observed regularly following through on threats to publish victims' names and stolen data on its leak site when payment is not made, and is reported to honour negotiated commitments when payment is made, likely because it wants to appear credible to future victims.