2024-11-28

BlackSuit Ransomware Group 93 Victims and Rising Amid Escalating Activities

Level: 
Tactical
  |  Source: 
Unit 42
Construction
Education
Healthcare
Logistics
Manufacturing
Non-profit Organizations
Retail
Technology
Transportation
Wholesale
Share:

BlackSuit Ransomware Group 93 Victims and Rising Amid Escalating Activities

The BlackSuit ransomware gang, identified as a "direct evolution" of Royal ransomware, has steadily increased its activity and is tracked by Unit 42 under the alias "Ignoble Scorpius." Unit 42's report warns this group’s personnel includes experienced members, as their "membership likely includes members from Conti and Royal ransomware." Since emerging in May 2023, BlackSuit has compromised at least 93 victims, with activity on its leak site peaking at 10 victims in May 2024 and consistent posts recorded between June and October 2024. Relative highs of 8 posts occurred in July and September, while other months saw fewer than five, with some as low as two. A broad range of verticals has been targeted, with education (13.9%), construction (12.5%), manufacturing (11.1%), wholesale and retail (9.7%), and healthcare (8.3%) most affected. Sectors such as non-profit, state and local government, transportation, logistics, and technology each accounted for 5.6%, while unspecified categories comprised 22.2%. Geographically, the United States was overwhelmingly impacted, with the United Kingdom a distant second. Ransom demands are significant; Unit 42 reports that "on average, the initial ransom demand is about 1.6% of the victim organization’s annual revenue. As of the date of this report, the median victim revenue across all industries is roughly $19.5 million."

BlackSuit’s operational lifecycle encompasses a wide array of initial access vectors. The group utilizes initial access brokers (IABs) and traditional methods, including phishing, leveraging stolen credentials, distributing GootLoader via SEO poisoning, and orchestrating supply chain attacks. Post-compromise techniques include targeting credentials with tools like Mimikatz and NanoDump, dumping the LSASS process, and compromising Active Directory by extracting the ‘NTDS.dit’ file using ntdsutil. Additionally, they execute DCSync attacks and exploit Kerberos tickets to escalate privileges and facilitate further operations.

For lateral movement, Ignoble Scorpius leverages remote protocols such as RDP, SMB, and PsExec to navigate victim environments. The group disables antivirus and endpoint detection and response (EDR) systems by abusing vulnerable drivers. Data exfiltration is achieved using tools like WinSCP for FTP and Rclone, with Rclone often renamed to "svchost.exe" to evade detection. Compression tools such as WinRAR and 7-Zip are employed to prepare files for exfiltration.

BlackSuit ransomware variants are tailored to Windows, Linux, and ESXi environments, enabling the group to target diverse infrastructures. The ransomware encrypts data using OpenSSL AES, appending the .blacksuit extension to encrypted files. On Windows systems, BlackSuit terminates processes to optimize encryption coverage, using tools like PsExec and WMIC for network propagation. In ESXi environments, VMware-related files are specifically targeted, with additional command-line arguments like -vmkill to halt virtual machines before encryption.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now