Researchers Reveal Sophisticated BlackSuit Ransomware Attack
Cybersecurity firm ReliaQuest has published a detailed analysis of a BlackSuit ransomware attack that occurred in April 2024, shedding light on the sophisticated tactics, techniques, and procedures (TTPs) employed by this increasingly active cybercrime group. The attack targeted a multinational organization with a complex IT environment, highlighting the challenges of securing large-scale networks.
Security researchers first observed the double-extortion ransomware group BlackSuit in May 2023. Multiple investigations, including one by the US Department of Health and Human Services, have noted similarities between BlackSuit and the “Royal” ransomware operation, a successor to the now-defunct Conti ransomware gang. The group’s pedigree, varied malware deployment methods, and advanced encryption and system recovery processes indicate that BlackSuit’s operators are likely experienced and technically proficient.
Since commencing operations, BlackSuit has named 53 organizations on its data-leak site. Its victims are largely US-based but span various industry verticals, including education, industrial goods and services, and construction. This targeting pattern strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood of a successful attack or a speedy ransom payment.
ReliaQuest’s investigation unveiled a multi-stage attack lifecycle, initiated through a compromised VPN account likely obtained via a brute-force attack or credential stuffing. The attackers then leveraged common tools like PsExec and Rubeus to move laterally within the network, gain elevated privileges, and exfiltrate over 100 gigabytes of sensitive data. The final stage involved encrypting critical systems using ransomware deployed from a virtual machine, a tactic commonly used to evade detection.
The attack exposed several security vulnerabilities within the targeted organization’s environment:
- Misconfigured VPN: The initial compromise was facilitated by a misconfigured VPN gateway that lacked multi-factor authentication (MFA) or certificate-based authentication.
- Insufficient Logging: The absence of comprehensive logging on certain endpoints hindered the organization’s ability to track lateral movement during the initial stages of the attack.
- Weak Encryption and Passwords: The attackers exploited weak encryption types and weak passwords to gain access to additional accounts through Kerberoasting.
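The Kerberoasting weakness above (weak RC4 ticket encryption plus guessable service-account passwords) is detectable from domain-controller logs. The following is an added example, not part of ReliaQuest’s report: it runs a simple Kerberoasting check over constructed Windows Security Event ID 4769 records, flagging requesters that obtain RC4-HMAC (etype 0x17) service tickets for several distinct service accounts. The threshold and the sample events are assumptions for illustration.

```python
"""Flag Kerberoasting-style behaviour in Windows Security Event ID 4769
(service ticket requested) records: RC4-HMAC tickets (etype 0x17) for
non-machine service accounts, requested for several SPNs by one user.
Healthy AES-only domains issue 0x11/0x12 tickets, so 0x17 is the signal."""
from collections import defaultdict

RC4_HMAC = "0x17"            # legacy etype; AES128 = 0x11, AES256 = 0x12
DISTINCT_SPN_THRESHOLD = 3   # assumed tuning value, adjust per environment

# Constructed 4769 events (not real telemetry): requester, target service
# account, ticket encryption type, source IP.
SAMPLE_4769 = [
    {"AccountName": "jdoe@CORP", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"AccountName": "jdoe@CORP", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"AccountName": "jdoe@CORP", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"AccountName": "jdoe@CORP", "ServiceName": "WS01$",      # machine account
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"AccountName": "asmith@CORP", "ServiceName": "svc_sql",  # AES ticket
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.4"},
    {"AccountName": "bob@CORP", "ServiceName": "svc_http",    # single RC4 hit
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.8"},
]


def is_suspect(ev):
    """True for an RC4 service ticket to a user-style service account."""
    svc = ev["ServiceName"]
    # Machine accounts and the krbtgt TGT service are normal RC4 noise
    # in mixed domains and are not Kerberoasting targets.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"].lower() == RC4_HMAC


def kerberoast_candidates(events, threshold=DISTINCT_SPN_THRESHOLD):
    """Map requester -> sorted list of RC4-requested service accounts,
    keeping only requesters at or above the distinct-SPN threshold."""
    by_user = defaultdict(set)
    for ev in events:
        if is_suspect(ev):
            by_user[ev["AccountName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    for user, spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

Remediation follows from the same data: move the flagged service accounts to long random passwords (or group managed service accounts) and restrict them to AES via msDS-SupportedEncryptionTypes so 0x17 tickets stop being issued.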
The recent BlackSuit ransomware attack underscores the importance of robust cybersecurity measures and proactive threat detection. Organizations must prioritize asset inventory, endpoint visibility, and defense-in-depth strategies to protect against sophisticated ransomware threats. Implementing automation in response and containment can significantly mitigate the impact of such attacks. To enhance security, organizations should adopt comprehensive monitoring solutions and enforce strong authentication practices.