BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware

Published: 23/11/2024   Category: security

Researchers went in-depth on an attack by the threat group, which mainly targets US companies in the education and industrial goods sectors, specifically to maximize financial gain.

The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations spanning a year.
Researchers from ReliaQuest analyzed in depth an attack that took place in April by the ransomware group, which has been active since May 2023. The group, believed to be spun off from the Royal ransomware gang, primarily targets US-based companies in critical sectors such as education and industrial goods, choosing targets carefully to maximize financial gain, according to a blog post published yesterday.
This targeting pattern strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood of a successful attack or a speedy ransom payment, according to the ReliaQuest Threat Research Team post.
BlackSuit uses a double-extortion method and other tactics, techniques, and procedures (TTPs) that reflect a maturity atypical of a group that's only been around for a year. This reflects its origin in Royal, which in turn was comprised of members of the formidable and now-defunct Conti ransomware gang.
The group's pedigree, varied malware deployment methods, and advanced encryption and system-recovery processes indicate that BlackSuit's operators are likely experienced and technically proficient, the team wrote.
The attack investigated by ReliaQuest shows BlackSuit using an array of straightforward TTPs that include Kerberoasting, PsExec for lateral movement, FTP for exfiltration, brute forcing, and the ultimate deployment of ransomware from a virtual machine.
The BlackSuit attack observed in April began when a threat actor gained VPN access to the customer's environment through a valid account, likely using credentials that were brute-forced or obtained from a password dump. The VPN was an easy target for initial access because it was a non-primary VPN gateway at a disaster recovery site and was not configured to enforce multifactor authentication or certificate requirements, the team noted.
Over the next week, the attacker moved laterally across several Windows workstations, primarily using PsExec, a remote administration tool that was already in use in the customer environment.
After a three-day pause in the action, likely because the initial intrusion was done by an initial-access broker who then sold BlackSuit or one of its affiliates access to the environment, the attack resumed with the attacker authenticating to a Windows server and then downloading a custom payload that loaded Rubeus, a toolkit for Kerberos abuse, into PowerShell.
It then compromised more than 20 users through Kerberoasting, a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking, according to security firm Qomplx, as well as an additional account via AS-REP roasting.
The attacker used an unmonitored Windows server to initiate FTP connections to an external IP address and send more than 100 gigabytes of data over the next six hours, then set up a malicious Windows VM, likely used to hide the ransomware deployment from endpoint security tools, according to ReliaQuest researchers.
The threat actor used PsExec from their VM to copy the ransomware payload — which was hosted on a network share — to hundreds of hosts through Server Message Block (SMB), the team wrote. Following this, WMIC was used to load the ransomware payload as a library, thus executing the encrypter.
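The detections this chain calls for, covering the Kerberoasting and AS-REP roasting step described above and the PsExec-over-SMB and WMIC execution steps in the last two paragraphs, as an added example that is not part of ReliaQuest's post or the victim's tooling. It runs over a constructed log of Windows events whose fields mirror the named XML fields of Security events 4768, 4769 and 4688 and System event 7045. Every account, host, service and path name is invented, and the rundll32-from-a-share command line is this example's assumption of what "load the payload as a library" looked like; the post does not say.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC; AES128/AES256 are 0x11/0x12


def _tgs(time, user, svc, etype=RC4_HMAC):
    """Build a constructed 4769 (TGS request) record."""
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype}


# Constructed sample log, not real telemetry. Names are invented.
EVENTS = [
    # Kerberoasting: jdoe requests RC4 tickets for six service accounts in four minutes.
    _tgs("2024-04-10T09:00:01", "jdoe@CORP.LOCAL", "svc_sql"),
    _tgs("2024-04-10T09:00:40", "jdoe@CORP.LOCAL", "svc_web"),
    _tgs("2024-04-10T09:01:15", "jdoe@CORP.LOCAL", "svc_ca"),
    _tgs("2024-04-10T09:02:02", "jdoe@CORP.LOCAL", "svc_exch"),
    _tgs("2024-04-10T09:03:30", "jdoe@CORP.LOCAL", "svc_print"),
    _tgs("2024-04-10T09:04:00", "jdoe@CORP.LOCAL", "svc_sccm"),
    # Noise: two RC4 tickets hours apart, and one AES ticket.
    _tgs("2024-04-10T08:00:00", "alice@CORP.LOCAL", "svc_sql"),
    _tgs("2024-04-10T13:00:00", "alice@CORP.LOCAL", "svc_web"),
    _tgs("2024-04-10T10:30:00", "backup01@CORP.LOCAL", "svc_backup", etype=0x12),
    # AS-REP roasting: AS-REQ served without pre-authentication, RC4-encrypted reply.
    {"EventID": 4768, "Time": "2024-04-10T09:05:00", "TargetUserName": "svc_legacy",
     "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "Time": "2024-04-10T09:05:10", "TargetUserName": "jdoe",
     "PreAuthType": 2, "TicketEncryptionType": 0x12},   # normal pre-authenticated logon
    # PsExec lateral movement: its helper service is installed on each target host.
    {"EventID": 7045, "Time": "2024-04-11T02:10:00", "Computer": "WS-041.corp.local",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Time": "2024-04-11T02:12:00", "Computer": "WS-042.corp.local",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Time": "2024-04-11T03:00:00", "Computer": "WS-050.corp.local",
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # WMIC remote execution of a DLL staged on a share (rundll32 is assumed here).
    {"EventID": 4688, "Time": "2024-04-11T02:20:00", "Computer": "ATTACKER-VM.corp.local",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:WS-043 process call create "rundll32 \\FILESRV01\stage\enc.dll,Run"'},
    {"EventID": 4688, "Time": "2024-04-11T08:00:00", "Computer": "ADMIN-01.corp.local",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},   # benign local query
]


def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=10)):
    """Accounts that obtained RC4 service tickets for >= min_spns distinct service
    accounts inside any `window`. Returns {requesting account: sorted service names}."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # sliding window over sorted requests
            names = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(names) >= min_spns:
                hits[user] = sorted(names)
                break
    return hits


def detect_asrep_roasting(events):
    """Accounts issued an AS-REP with no pre-authentication (PreAuthType 0) under RC4:
    the reply's encrypted part is crackable offline against the account password."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == 0
                   and e["TicketEncryptionType"] == RC4_HMAC})


def detect_psexec_service(events):
    """Hosts where PsExec installed its helper service (System 7045, PSEXESVC)."""
    return sorted({e["Computer"] for e in events
                   if e["EventID"] == 7045 and e["ServiceName"].upper().startswith("PSEXESVC")})


def detect_wmic_remote_exec(events):
    """wmic.exe 'process call create' against a remote /node; flags a UNC path in the
    launched command, i.e. a payload executed straight from a network share."""
    hits = []
    for e in events:
        if e["EventID"] != 4688 or not e["NewProcessName"].lower().endswith("wmic.exe"):
            continue
        cmd = e["CommandLine"]
        node = re.search(r"/node:(\S+)", cmd, re.I)
        if node and "process call create" in cmd.lower():
            hits.append({"source": e["Computer"], "target": node.group(1),
                         "unc_payload": "\\\\" in cmd})
    return hits


def run_all(events):
    """Evaluate every rule; the result is what a SIEM alert would carry."""
    return {"kerberoasting": detect_kerberoasting(events),
            "asrep_roasting": detect_asrep_roasting(events),
            "psexec_hosts": detect_psexec_service(events),
            "wmic_remote_exec": detect_wmic_remote_exec(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(EVENTS), indent=2))
```

The thresholds are starting points, not a standard: scheduled jobs can legitimately request several service tickets in a burst, so tune min_spns and the window per environment. Events 4769 and 4768 only exist if the Kerberos Service Ticket Operations and Kerberos Authentication Service audit subcategories are enabled on domain controllers, and 4688 needs command-line logging turned on; PsExec's -r switch renames the service, so in practice the 7045 check is paired with 5145 writes to ADMIN$.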
Once the attack was detected, the impacted organization took immediate action to roll passwords across the domain and isolate the compromised site from other global locations to limit the impact. It ultimately focused on remediation through hash banning and host isolation using endpoint security solutions, according to ReliaQuest.
The customer worked to detect potential data leakage and monitor its digital assets, and deployed various detection rules … to strengthen the organization's defensive posture, including those to identify malware, suspicious DNS requests, and lateral movement activities, according to the post.
ReliaQuest revealed several mitigation tactics that organizations can take for each of the attack steps it observed. For instance, to avoid the VPN misconfiguration that allowed initial access, the team suggested that organizations use centralized change management and version control to deploy network device configurations instead of managing devices individually.
This will cut down on misconfigurations, and, when paired with an automated inventory mapping solution, will help to ensure there are no hidden misconfigured or legacy devices, according to the post.
Organizations also can better track lateral movement by monitoring Windows event logs and deploying a robust endpoint detection and response (EDR) tool; the customer had done neither.
Many organizations choose not to forward Windows logs from workstations because of ingest restrictions on existing SIEM licenses, the team noted. It's important for organizations to be aware of the risks when making this decision and to compensate if possible.
While Kerberoasting is difficult to mitigate entirely, because any authenticated domain user can request a ticket-granting service (TGS) ticket for any service principal name (SPN) and crack it offline, the researchers noted that organizations can take steps to put the burden on the adversary and make it an unattractive option.
One of those is to disable requests for weak encryption types such as RC4 so that service tickets are issued with AES keys, which is often more straightforward than retroactively enforcing password complexity, the ReliaQuest team suggested.
