On August 7th, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an update to an existing advisory (AA23-061A) highlighting new TTPs being leveraged by the recently rebranded “Royal” ransomware gang – now known as BlackSuit. Detailed information about this threat and the associated IOCs and TTPs can be found in #StopRansomware: BlackSuit (Royal) Ransomware.
This blog will share an overview of the threat and our updated coverage for this threat actor. As a SafeBreach customer, you will have access to all the attacks listed below and more to validate your organizational security controls against this threat group.
US CERT ALERT AA23-061A – BlackSuit (Royal) Ransomware – UPDATED on August 7, 2024
BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. The BlackSuit ransomware shares several coding similarities with Royal ransomware and exhibits several improved capabilities as compared to the original variant. Based on the information provided in the updated advisory, the BlackSuit threat group conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. The threat actors leverage phishing emails to gain initial access to victims and once they gain access, disable installed antivirus tools before exfiltrating large amounts of data and then encrypting victim systems.
Their ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. However, the largest individual demand has been nearly $60 million (with a total of $500 million in ransom demanded from all victims). Several victims have recently reported receiving telephonic or email communications from BlackSuit actors regarding the compromise and ransom.
Technical Details
The authoring agencies have provided information on how BlackSuit threat actors target and attack their victims.
- Initial Access – Threat actors use one of the following methods to gain initial access to victim networks:
- Phishing is the most used method to gain initial access to victim networks. They typically deliver ransomware via infected PDF files and malvertising.
- Remote Desktop Protocol (RDP) is the second most used method to gain initial access (typically via RDP compromise).
- Exploitation of vulnerable public-facing applications and harvesting stolen credentials from stealer logs have also been used to gain initial access to victim networks.
- Command and Control – Once initial access has been gained, BlackSuit threat actors typically communicate with command and control (C2) infrastructure and download multiple tools (including open-source tools) to strengthen their foothold within the victim’s network. These tools include Chisel, Secure Shell (SSH) client, PuTTY, OpenSSH, and MobaXterm.
- Lateral Movement and Persistence – In addition to using RDP and PsExec, BlackSuit threat actors have also used SMB to move laterally. They were observed using a legitimate admin account to remotely log on to the domain controller via SMB and then disable the deployed AV software. Threat actors also used legitimate remote monitoring and management (RMM) software (in addition to SystemBC and Gootloader malware) to maintain persistence in victim networks.
- Discovery and Credential Access – Tools like SharpShares and SoftPerfect NetWorx were used to enumerate victim networks. Tools such as PowerTool and GMER were also used to kill system processes.
- Exfiltration – Legitimate penetration testing tools, such as Cobalt Strike, and malware tools/derivatives, such as Ursnif/Gozi, were repurposed for data aggregation and exfiltration.
- Encryption – BlackSuit threat actors use a unique partial encryption approach that allows them to choose a specific percentage of data in a file to encrypt. This lets them lower the encryption percentage for larger files, which helps evade detection and also significantly improves encryption speed.
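The partial encryption described above leaves a characteristic on-disk artifact: a file whose body is only partly high-entropy, rather than uniformly random as with full encryption. The following triage helper, an added example that is not part of the original advisory or of any SafeBreach tooling, computes per-chunk Shannon entropy and labels a file as clean, partially encrypted, or fully encrypted; the 4 KiB window, the 7.5 bits/byte threshold and the sample bodies are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # analysis window in bytes (assumed; tune to the file sizes you triage)
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext or random data scores close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Per-chunk entropy: an encrypted prefix shows as a run of ~8.0 followed by low values."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> dict:
    """Label a file body by the share of high-entropy chunks it contains."""
    profile = entropy_profile(data, chunk)
    if not profile:
        return {"label": "empty", "high_entropy_ratio": 0.0, "chunks": 0}
    ratio = sum(e >= threshold for e in profile) / len(profile)
    if ratio == 0.0:
        label = "clean"
    elif ratio >= 0.95:
        label = "fully_encrypted"
    else:
        label = "partially_encrypted"   # mixed profile: the trace partial encryption leaves behind
    return {"label": label, "high_entropy_ratio": round(ratio, 3), "chunks": len(profile)}

def classify_file(path: str) -> dict:
    """Convenience wrapper for triaging a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())

# Constructed samples (not real victim files): 16 chunks of repetitive text; the same body with
# its first 4 chunks (25%) overwritten by seeded pseudo-random bytes to mimic a partially
# encrypted file; and a body that is pseudo-random throughout, mimicking full encryption.
_TEXT = (b"Quarterly revenue figures and customer contact records, rev 3.\n" * 1100)[: 16 * CHUNK]
_RNG = random.Random(2024)
CLEAN_SAMPLE = _TEXT
PARTIAL_SAMPLE = _RNG.randbytes(4 * CHUNK) + _TEXT[4 * CHUNK:]
FULL_SAMPLE = _RNG.randbytes(16 * CHUNK)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SAMPLE), ("partial", PARTIAL_SAMPLE), ("full", FULL_SAMPLE)):
        print(name, classify(body))
```

Run over a directory of user documents, a sudden population of "partially_encrypted" results with a consistent high-entropy ratio is a stronger signal than raw file-entropy checks, which miss files where most bytes remain plaintext.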
Important Note for SafeBreach Customers – Coverage for AA23-061A – BlackSuit (Royal) Ransomware
As soon as details were made available, the SafeBreach Labs teams added new attacks based on the advisory and mapped existing attacks in the Hacker’s Playbook to these US-CERT alerts immediately. It is important to note that existing SafeBreach customers already had a good level of coverage against tactics and techniques previously leveraged by the Royal ransomware group identified in the advisory. Please run/re-run the attacks listed below to ensure your environments are protected against these TTPs.
NEW IOC-Based Playbook Attacks Related to AA23-061A – BlackSuit (Royal) Ransomware
- #10428 – Write BlackSuit (65be13) trojan to disk
- #10429 – Pre-execution phase of BlackSuit (65be13) trojan (Windows)
- #10430 – Transfer of BlackSuit (65be13) trojan over HTTP/S
- #10431 – Transfer of BlackSuit (65be13) trojan over HTTP/S
- #10432 – Email BlackSuit (65be13) trojan as a compressed attachment
- #10433 – Email BlackSuit (65be13) trojan as a compressed attachment
Existing IOC-Based Attacks Related to AA23-061A – BlackSuit (Royal) Ransomware
- Royal Ransomware
- #8203 – Pre-execution phase of Royal Ransomware
- #8204 – Write Royal Ransomware to disk
- #8205 – Transfer of Royal Ransomware over HTTP/S
- #8206 – Transfer of Royal Ransomware over HTTP/S
- #8207 – Email Royal Ransomware as a ZIP attachment
- #8208 – Email Royal Ransomware as a ZIP attachment
- #8290 – Pre-execution phase of Royal Ransomware (d429)
- #8291 – Write Royal Ransomware (d429) to disk
- #8292 – Transfer of Royal Ransomware (d429) over HTTP/S
- #8293 – Transfer of Royal Ransomware (d429) over HTTP/S
- #8294 – Email Royal Ransomware (d429) as a ZIP attachment
- #8295 – Email Royal Ransomware (d429) as a ZIP attachment
- #8296 – Pre-execution phase of Royal Ransomware (1926)
- #8297 – Write Royal Ransomware (1926) to disk
- #8298 – Transfer of Royal Ransomware (1926) over HTTP/S
- #8299 – Transfer of Royal Ransomware (1926) over HTTP/S
- #8300 – Email Royal Ransomware (1926) as a ZIP attachment
- #8301 – Email Royal Ransomware (1926) as a ZIP attachment
- Chisel:
- #5461 – Pre-execution phase of ar20-259a_chisel malware
- #5462 – Write ar20-259a_chisel malware to disk
- #5463 – Transfer of ar20-259a_chisel malware over HTTP/S
- #5464 – Transfer of ar20-259a_chisel malware over HTTP/S
- #5465 – Email ar20-259a_chisel malware as a ZIP attachment
- #5466 – Email ar20-259a_chisel malware as a ZIP attachment
- #5486 – Communication with ar20-259a_Chisel using HTTP
- #8652 – Write Chisel hacktool to disk
- #8653 – Pre-execution phase of Chisel hacktool (Windows)
- #8654 – Transfer of Chisel hacktool over HTTP/S
- #8655 – Transfer of Chisel hacktool over HTTP/S
- #8656 – Email Chisel hacktool as a ZIP attachment
- #8657 – Email Chisel hacktool as a ZIP attachment
- BatLoader
- #8658 – Write BatLoader downloader to disk
- #8659 – Transfer of BatLoader downloader over HTTP/S
- #8660 – Transfer of BatLoader downloader over HTTP/S
- #8661 – Email BatLoader downloader as a ZIP attachment
- #8662 – Email BatLoader downloader as a ZIP attachment
- NirCmd
- #8663 – Write NirCmd hacktool to disk
- #8664 – Transfer of NirCmd hacktool over HTTP/S
- #8665 – Transfer of NirCmd hacktool over HTTP/S
- #8666 – Email NirCmd hacktool as a ZIP attachment
- #8667 – Email NirCmd hacktool as a ZIP attachment
Existing Behavioral Attacks Related to AA23-061A – BlackSuit (Royal) Ransomware
- Indicator Removal: Clear Windows Event Logs
- #7554 – Clear Windows Event Logs
- Remote Desktop Protocol
- #192 – Brute force attack over RDP protocol
- #6473 – Agentless lateral movement via RDP
- #6909 – RDP Connection Between 2 Simulators
- #6910 – RDP Tunneling
- Impair Defenses: Disable or Modify Tools
- #2267 – Add an exclusion to Windows Defender using PowerShell
- #2389 – Modify Firewall Rules using netsh.exe
- #5107 – Stop a service using net stop command
- #7144 – Unregister anti malware scanning interface providers
- #7834 – Add Exclusions to Windows Defender
- #7835 – Disable Windows Defender From Registry
- Delete shadow copy
- #6372 – Modify Volume Shadow Copy (VSS)
What You Should Do Now
SafeBreach customers can now validate their security controls against these TTPs in multiple ways.
Method 1 – You can go to the “SafeBreach Scenarios” page and choose the AA23-061A – BlackSuit (Royal) Ransomware scenario.
Method 2 – From the Attack Playbook, select and filter attacks related to AA23-061A – BlackSuit (Royal) Ransomware. Additionally, you can refer to the list above to ensure a comprehensive level of coverage.
Method 3 – From the Known Attack Series report, select the US-CERT Alert AA23-061A (Royal Ransomware) report and select Run Simulations, which will run all attack methods.
NOTE – FBI and CISA recommend continually validating your security program, at scale, in a production environment to ensure optimal performance against the growing threat of advanced cyber attacks. Additional recommendations can be seen in the advisory (linked below):
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Promptly patch all internet-exposed devices and services, including web servers, web applications, and remote access gateways.
- Require all accounts with password logins.
- Disable unused or unnecessary network services, ports and protocols.
- Keep all operating systems, software, and firmware up to date.
- Require phishing-resistant multifactor authentication for administrator accounts.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- For additional recommendations, please review the advisory in detail.