Introduction
In a collaborative effort, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a comprehensive cybersecurity advisory on the BlackSuit ransomware, an evolution of the Royal ransomware. This advisory provides detailed information on the tactics, techniques, and procedures (TTPs) of BlackSuit, alongside recommended mitigation strategies for organizations to bolster their cybersecurity defenses.
Evolution from Royal to BlackSuit Ransomware
Originally identified as Royal ransomware, which was active from approximately September 2022 through June 2023, BlackSuit represents an evolved and more sophisticated threat. The ransomware has since exhibited improved capabilities, conducting data exfiltration and extortion prior to encryption, with the threat of publishing victim data on a leak site if ransoms are not paid. The latest advisory, updated on August 7, 2024, highlights new TTPs, indicators of compromise (IOCs), and detection methods related to BlackSuit ransomware.
Key Tactics and Techniques
- Initial Access
  - Phishing: BlackSuit actors frequently gain initial access through phishing emails carrying malicious PDF documents, and through malvertising, both of which trick users into downloading malware.
  - Remote Desktop Protocol (RDP): Approximately 13.3% of incidents involve RDP compromise.
  - Public-facing Applications: Exploitation of vulnerable public-facing applications is another common entry vector.
  - Initial Access Brokers: Access is also obtained through initial access brokers, using VPN credentials harvested from stealer logs.
- Command and Control
  - Legitimate Software Utilization: BlackSuit actors repurpose legitimate Windows software such as Chisel and SSH clients (PuTTY, OpenSSH, and MobaXterm) to establish and maintain command and control (C2) channels.
  - Custom Tools: Tools like SystemBC and Gootloader are deployed for additional malicious activities.
- Lateral Movement and Persistence
  - RDP and PsExec: RDP, PsExec, and SMB are used for lateral movement across networks.
  - Admin Account Exploitation: Legitimate admin accounts are used to disable antivirus software via Group Policy modifications.
  - Remote Monitoring and Management (RMM) Software: RMM software is used to maintain persistence in compromised networks.
- Discovery and Credential Access
  - Network Enumeration: Tools like SharpShares and SoftPerfect NetWorx are used for network discovery.
  - Credential Theft: Publicly available tools like Mimikatz and Nirsoft utilities are employed for credential harvesting.
- Exfiltration and Encryption
  - Data Exfiltration Tools: Cobalt Strike, Ursnif/Gozi, RClone, and Brute Ratel are used for aggregating and exfiltrating data.
  - Encryption Techniques: Before encryption, BlackSuit actors use the Windows Restart Manager and the Volume Shadow Copy service to manage and delete shadow copies, respectively, so that files can be encrypted efficiently without detection.
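Detection logic for the shadow-copy deletion step described above, added here as an example and not part of the advisory or of this summary. The sample process-creation events, the host and account names, and the command-line patterns (vssadmin, wmic and WMI deletion, the common ways shadow copies are removed) are constructed assumptions of the example; the second function also ties the step to the lateral-movement pattern by flagging one account touching shadow copies on several hosts in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Sysmon-style process-creation events (sample data, not from the advisory).
SAMPLE_EVENTS = [
    {"ts": "2024-08-07T01:14:33", "host": "FS01", "user": "CORP\\admin.j",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2024-08-07T01:15:02", "host": "DC02", "user": "CORP\\admin.j",
     "cmd": "wmic.exe shadowcopy delete /nointeractive"},
    {"ts": "2024-08-07T01:16:45", "host": "APP03", "user": "CORP\\admin.j",
     "cmd": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | % {$_.Delete()}"'},
    {"ts": "2024-08-07T09:40:00", "host": "FS01", "user": "CORP\\svc-backup",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},  # benign admin use
]

# Command-line patterns for deleting shadow copies or shrinking their storage.
TAMPERING_RULES = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi_delete", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

def classify(cmd):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in TAMPERING_RULES:
        if pattern.search(cmd):
            return name
    return None

def shadow_copy_alerts(events):
    """One alert per matching event: (timestamp, host, user, rule)."""
    return [(e["ts"], e["host"], e["user"], classify(e["cmd"]))
            for e in events if classify(e["cmd"])]

def spreading_accounts(events, window=timedelta(minutes=30), min_hosts=2):
    """Accounts that tamper with shadow copies on >= min_hosts hosts within one window."""
    by_user = defaultdict(list)
    for ts, host, user, _ in shadow_copy_alerts(events):
        by_user[user].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for user, hits in sorted(by_user.items()):
        hits.sort()  # chronological; slide the window from each alert forward
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged
```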
Mitigation Strategies
Organizations are urged to implement the following actions to mitigate the risks associated with BlackSuit ransomware:
- Patch Management
  - Remediate Known Vulnerabilities: Prioritize patching known exploited vulnerabilities to minimize entry points for ransomware.
- User Training
  - Phishing Awareness: Conduct regular training sessions to help users recognize and report phishing attempts.
- Multi-Factor Authentication (MFA)
  - Enforce MFA: Implement and enforce MFA across all accounts, especially those with privileged access, to add an additional layer of security.
- Network Segmentation
  - Zero Trust Architecture: Adopt a Zero Trust approach to network security, ensuring strict access controls and continuous verification of users and devices.
- Endpoint Protection
  - Antivirus and EDR: Deploy and maintain updated antivirus and endpoint detection and response (EDR) solutions to detect and block malicious activities.
- Backup and Recovery
  - Secure Backups: Ensure that backups are regularly updated, encrypted, and stored offline or in a separate network to prevent ransomware from compromising backup data.
Conclusion
The BlackSuit ransomware, an evolution of the Royal ransomware, poses a significant threat with its advanced TTPs and data exfiltration strategies. Organizations must adopt a multi-faceted approach, incorporating user training, robust patch management, network segmentation, and advanced endpoint protection, to effectively mitigate the risk of ransomware incidents. By following the recommendations provided in this advisory, organizations can strengthen their defenses against the evolving threat landscape posed by ransomware actors like BlackSuit.
For further information and resources on ransomware threats and mitigation strategies, visit stopransomware.gov.