BlackSuit Ransomware Group Ramps Up Operations
Since the group rebranded from the Royal ransomware to BlackSuit, researchers said they've seen it targeting at least 93 victims globally.
Researchers said BlackSuit ransomware activity has jumped since March, and warned that the group may be building up its operations. The ransomware emerged last year as a rebrand of the Royal ransomware. Since then, researchers with Palo Alto Networks’ Unit 42 team said they’ve seen the group behind the ransomware - which they categorize as “Ignoble Scorpius” - targeting at least 93 victims globally.
“Since the rebrand, Unit 42 has observed at least 93 victims globally and an upward trend in the number of successful compromises shared on their leak site. This suggests an overall ramping up of operations,” said researchers in a new report on Wednesday.
Why It Matters: BlackSuit may not be in the top ten ransomware groups when looking at its number of compromises, but Unit 42 researchers pointed to several characteristics of the ransomware that are concerning for businesses. The ransomware group showcases a high level of sophistication in its compromises, for instance, and it has carried out complex supply-chain attacks.
By the Numbers:
- A quarter of BlackSuit’s victims are in the construction and manufacturing industries. Other top targeted industries include the education, retail and healthcare sectors.
- Researchers said the group’s initial ransom demands average about 1.6 percent of targeted organizations’ annual revenue - and the median victim revenue across all industries is around $19.5 million.
- The majority (over 40) of victim organizations are based in the United States.
The Ransomware: Many tactics and techniques used by BlackSuit have been documented by both security researchers (for instance, by Reliaquest and the DFIR Report) and the U.S. government already. The group uses various initial access mechanisms to compromise its targets, including phishing messages with malicious attachments, SEO poisoning via GootLoader, legitimate VPN credentials and software supply chain attacks. BlackSuit is also known for using credential theft tools like Mimikatz and NanoDump, and leveraging vulnerable drivers or loaders in order to disable or bypass security defense tools.
“The final ransomware payload has Windows and Linux operating system variants with specific functionality to target VMware ESXi servers in some Linux variants,” said Unit 42 researchers.
The Big Picture: Ransomware groups frequently rebrand to throw defenders off track, and to avoid law enforcement interest and public scrutiny. BlackSuit, which has rebranded from Royal (a successor to the former Conti group), includes members from both of these ransomware groups. For organizations, a rebrand makes it harder to track the tactics a group uses, which is exactly what defense teams need in order to understand and protect against them, said researchers.
“A more subtle effect of rebranding is the perception it can have on defenders,” said researchers with Unit 42. “Rebranding resets this perception, and if it is accompanied with a shift in the group’s TTPs, it can place defenders on their back foot.”