BlackSuit Ransomware Threat Actors Demand Up To $500 Million
2024-8-23 15:0:48 Author: securityboulevard.com

According to an updated advisory from the United States (US) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the actors behind the BlackSuit ransomware strain are known to have made demands totaling up to $500 million in payments. In this article, we’ll dive into the details of the ransomware attacks, determine who the key targets were, and uncover attack techniques. Let’s begin!

BlackSuit Ransomware Evolution And Targets

As per the information available, the BlackSuit ransomware is an evolution of the Royal ransomware. It uses phishing emails to acquire initial access and then leverages that access to disable antivirus software and exfiltrate sensitive data. Once these attack objectives are completed, it deploys the ransomware and encrypts compromised systems.

Threat actors deploying the BlackSuit ransomware can also acquire initial access via Remote Desktop Protocol (RDP) exploitation of vulnerable internet-facing applications or can purchase it from initial access brokers (IABs). To maintain persistence within a compromised system, legitimate software like SystemBC and GootLoader is used.

Recent reports claim that attacks using the BlackSuit ransomware have primarily targeted government facilities, healthcare and public health, commercial facilities, and critical infrastructure and manufacturing facilities.

BlackSuit Ransomware Tools and Techniques

When it comes to the tools and techniques used in the BlackSuit ransomware attacks, the agencies have stated that:

“BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks. The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes.”
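One way to hunt for the tools named in the quote above, added here as an example and not taken from the advisory or the original article: it maps each tool to the role the quote gives it and flags hosts where more than one role shows up. The log columns, the executable names and the NirSoft company string are assumptions, and the sample events are constructed.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Tool -> role as described in the advisory quote. The file names are
# assumed default names; an operator can rename a binary at will.
TOOL_ROLES = {
    "sharpshares.exe": "enumeration",
    "networx.exe": "enumeration",
    "mimikatz.exe": "credential-access",
    "powertool.exe": "process-kill",
    "gmer.exe": "process-kill",
}

# Constructed process-creation events (hypothetical CSV export, not real data).
SAMPLE_EVENTS = r"""
time,host,image,original_file_name,company
2024-08-01T02:10:04Z,FS01,C:\Users\Public\SharpShares.exe,SharpShares.exe,
2024-08-01T02:31:40Z,FS01,C:\ProgramData\svch0st.exe,mimikatz.exe,gentilkiwi
2024-08-01T02:44:12Z,FS01,C:\Temp\gmer.exe,gmer.exe,GMER
2024-08-01T09:00:00Z,WS17,C:\Tools\WebBrowserPassView.exe,WebBrowserPassView.exe,NirSoft
2024-08-01T09:05:00Z,WS22,C:\Windows\System32\notepad.exe,NOTEPAD.EXE,Microsoft Corporation
"""

def classify(event):
    """Return the role of a listed tool, or None for unrelated processes."""
    # Check the on-disk name first, then the name embedded in the PE
    # version resource, which often survives a simple rename.
    for name in (ntpath.basename(event["image"]), event["original_file_name"]):
        role = TOOL_ROLES.get(name.lower())
        if role:
            return role
    # Assumption: NirSoft utilities carry "NirSoft" as company name.
    if event["company"].strip().lower() == "nirsoft":
        return "credential-access"
    return None

def triage(log_text):
    """Map host -> (priority, roles seen); two or more roles means 'high'."""
    roles_by_host = defaultdict(set)
    for event in csv.DictReader(io.StringIO(log_text.strip())):
        role = classify(event)
        if role:
            roles_by_host[event["host"]].add(role)
    return {host: ("high" if len(roles) >= 2 else "review", sorted(roles))
            for host, roles in roles_by_host.items()}

if __name__ == "__main__":
    for host, (priority, roles) in triage(SAMPLE_EVENTS).items():
        print(host, priority, ", ".join(roles))
```

Name and metadata matching only catches unmodified or lightly renamed binaries, so a hit is a lead for investigation and a miss proves nothing.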

In addition, both CISA and the FBI have warned that telephone or email communication from the BlackSuit ransomware threat actors is now a prevailing method of pressuring victims. Certain threat actors also assess the stolen data for material that includes:

  • Evidence of illegal activity.
  • Regulatory non-compliance.
  • Financial discrepancies.

The underlying aim of such data assessments is to gain leverage over the victims and use it to pressure them further. Reports claim that in one particular case, an employee who was searching for child sexual abuse material was threatened with having their browsing history made public.

These aggressive tactics show that cybercriminals are willing to go to unimaginable lengths when attempting to get ransom payments from the victims. Apart from the monetary losses, such disclosures also leave victims open to reputational damage and legal consequences.

Phishing And Ransomware Mitigation

Given the severe aftermath of falling prey to the BlackSuit ransomware, it’s imperative for individuals and organizations to comprehend how the attack can be mitigated. As of now, the FBI has recommended the use of sufficient password protection for admin, domain admin, and all other accounts.

In addition to password protection, other measures such as multi-factor authentication and multi-attempt lockouts must also be used. Individual and organizational users are also encouraged to install all updates and patches in a timely manner, as this can help eliminate the possibility of attacks that exploit flaws present in outdated versions.

Conclusion

The BlackSuit ransomware poses a significant threat with its evolving tactics and high ransom demands. Organizations must remain vigilant, implement robust cybersecurity measures, and stay informed about emerging threats to protect against potential attacks and mitigate the devastating consequences of falling victim to this dangerous ransomware strain.

The sources for this piece include articles in The Hacker News and Forbes.

The post BlackSuit Ransomware Threat Actors Demand Up To $500 Million appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/blacksuit-ransomware-threat-actors-demand-up-to-500-million/


Article source: https://securityboulevard.com/2024/08/blacksuit-ransomware-threat-actors-demand-up-to-500-million/