Cybereason Security Services issues Threat Analysis reports to inform on impactful threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Analysis Summary
# Tool/Technique: BlackSuit Ransomware
## Overview
BlackSuit is a ransomware family observed in attacks starting around mid-2023. It is widely believed to be a rebrand or spin-off of the Royal ransomware gang, which itself evolved from the Conti group. BlackSuit employs a hybrid approach involving data exfiltration prior to file encryption and features unique execution behaviors.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred from tool usage like PsExec, vssadmin)
- Capabilities: Data encryption, data exfiltration, attempts to disable recovery mechanisms.
- First Seen: Mid-2023
## MITRE ATT&CK Mapping
The attack chain involving BlackSuit incorporates techniques from multiple tactics:
- [TA0008 - Lateral Movement]
  - [T1021 - Remote Services]
  - [T1021.002 - Remote Services: SMB/Windows Admin Shares] (via PsExec)
  - [T1569.002 - System Services: Service Execution] (via PsExec)
- [TA0011 - Command and Control]
  - [T1105 - Ingress Tool Transfer] (Used by Cobalt Strike component)
- [TA0006 - Credential Access]
  - [T1003.001 - OS Credential Dumping: LSASS Memory] (Leveraged via Cobalt Strike)
- [TA0010 - Exfiltration]
  - [T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage] (via rclone)
- [TA0005 - Defense Evasion]
  - [T1614 - System Location Discovery] (Used to avoid encrypting system directories)
- [TA0040 - Impact]
  - [T1490 - Inhibit System Recovery] (via vssadmin.exe)
  - [T1486 - Data Encrypted for Impact] (File encryption)
## Functionality
### Core Capabilities
- File Encryption: Encrypts targeted files on victim systems.
- Data Exfiltration: Exfiltrates sensitive data before encryption, potentially reducing the scope for encryption or maximizing extortion leverage against the victim.
- Deletion of Stolen Data: Deletes parts of the targeted data after exfiltration.
- Attempted Recovery Inhibition: Uses `vssadmin.exe` to delete Volume Shadow Copies.
### Advanced Features
- **Hybrid Operation:** Executes both data exfiltration and file encryption stages.
- **Speed Optimization:** Exfiltrates and deletes some data before encryption begins, shrinking the set of files left to encrypt and shortening the overall attack flow.
- **Execution Flag:** Unusual use of the `-nomutex` flag during execution, which permits multiple instances of the ransomware to run concurrently.
- **Ransom Demand:** Initial ransom note does not state the amount; negotiation and payment (often $1M-$10M USD in Bitcoin) require direct contact via a TOR browser.
## Indicators of Compromise
(Note: Specific file hashes, network IPs, or full filenames related *only* to the BlackSuit payload were not provided in the text, only related staging indicators.)
- File Hashes: [Not explicitly provided for the BlackSuit binary itself]
- File Names:
  - Cobalt Strike beacons copied to `C:\Windows\Temp` (e.g., `vm.dll`, `vm80.dll`).
- Registry Keys: [Not explicitly provided]
- Network Indicators: [C2 related to the auxiliary tool Cobalt Strike, but specific IoCs are not detailed, only the mechanisms used.]
- Behavioral Indicators:
  - Execution of `vssadmin.exe` to delete shadow copies.
  - Use of `rclone.exe` for cloud storage exfiltration.
  - Execution of `PsExec.exe` for remote command execution.
  - Execution of `Configure-SMRemoting.exe` to enable remote control.
  - Attempting to call the function `ExportFunc64_` from copied Cobalt Strike beacons.
## Associated Threat Actors
- BlackSuit ransomware group (Believed to be a rebrand/spin-off of Royal ransomware, which evolved from Conti).
## Detection Methods
- (Detection methods were not explicitly detailed, focusing instead on observed TTPs.)
- **Behavioral Detection:** Monitoring for the coordinated use of tools like Cobalt Strike, rclone, PsExec, and vssadmin in sequence. Monitoring for file encryption activity targeting specific file types while ignoring standard system directories.
- **Signature-based detection:** Potential signatures against known Cobalt Strike beacon DLLs found in staging directories like `C:\Windows\Temp`.
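The behavioral detection described above, turned into a small correlation rule, as an added example that is not part of the Cybereason report and not the product's detection logic. It matches the indicators this page lists (shadow-copy deletion via `vssadmin`, `rclone` exfiltration, PsExec service execution, `Configure-SMRemoting.exe -Enable`, and a DLL in `C:\Windows\Temp` invoked with `ExportFunc64_`) against process-creation events and alerts only when several distinct stages occur on one host inside a time window, which keeps a lone `vssadmin list shadows` from firing. The log lines, the pipe-separated field layout, the host names and the window size are all constructed assumptions for the example.

```python
"""Correlation of BlackSuit-style TTPs over process-creation events.

Added example: not Cybereason's detection logic. The log lines are
constructed for illustration; the field layout (time|host|parent|image|
command line) is an assumption about a generic process-creation feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident).
SAMPLE_LOG = """\
2024-05-01T09:00:12|WS01|explorer.exe|outlook.exe|outlook.exe
2024-05-01T09:13:50|WS01|cmd.exe|Configure-SMRemoting.exe|Configure-SMRemoting.exe -Enable
2024-05-01T09:14:03|WS01|services.exe|PSEXESVC.exe|PSEXESVC.exe
2024-05-01T09:14:05|WS01|PSEXESVC.exe|cmd.exe|cmd.exe /c rundll32.exe C:\\Windows\\Temp\\vm80.dll,ExportFunc64_
2024-05-01T09:20:41|WS01|cmd.exe|rclone.exe|rclone.exe copy D:\\Finance remote:backup --transfers 32
2024-05-01T09:31:17|WS01|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-05-01T09:32:00|WS02|explorer.exe|notepad.exe|notepad.exe report.txt
2024-05-02T11:00:00|WS02|cmd.exe|vssadmin.exe|vssadmin.exe list shadows
"""

# One rule per behavioral indicator on the page: (name, ATT&CK id, regex).
# Each regex runs over "image|command_line" so it can key on either field.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("rclone_exfil", "T1567.002",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("psexec_service", "T1569.002",
     re.compile(r"psexesvc\.exe", re.I)),
    ("smremoting_enable", "T1021",
     re.compile(r"configure-smremoting\.exe\b.*-enable", re.I)),
    # Beacon DLL staged in C:\Windows\Temp and entered via ExportFunc64_.
    ("temp_beacon_export", "T1105",
     re.compile(r"\\windows\\temp\\[^\s,]+\.dll\s*,\s*ExportFunc64_", re.I)),
]


def parse_events(text):
    """Split the pipe-separated feed into event dicts (assumed layout)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def match_rules(event):
    """Return [(rule_name, attack_id)] for every rule the event triggers."""
    haystack = f"{event['image']}|{event['cmdline']}"
    return [(name, tid) for name, tid, rx in RULES if rx.search(haystack)]


def correlate(events, window=timedelta(hours=2), min_distinct=3):
    """Alert per host when >= min_distinct different stages of the chain
    fall inside `window`; returns {host: {rule_name: attack_id}} using the
    widest set of stages seen for that host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for name, tid in match_rules(ev):
            per_host[ev["host"]].append((ev["time"], name, tid))
    alerts = {}
    for host, hits in per_host.items():
        for t0, _, _ in hits:
            stages = {name: tid for t, name, tid in hits if t0 <= t <= t0 + window}
            if len(stages) >= min_distinct and len(stages) > len(alerts.get(host, {})):
                alerts[host] = stages
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, sorted(f"{n} ({t})" for n, t in stages.items()))
```

With the sample feed only `WS01` alerts, with all five stages; `WS02` never reaches the threshold because `vssadmin list shadows` is not a deletion and nothing else on that host matches. Lowering `min_distinct` to 1 turns the same code into a plain indicator match, which is noisier but useful for hunting rather than alerting.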
## Mitigation Strategies
- **Network Segmentation:** To limit the effectiveness of lateral movement tools like PsExec and RDP.
- **Restrict Administrative Tools:** Implement strict controls over the execution of tools like `PsExec.exe` and `rclone.exe`.
- **VSS Protection:** Implement measures to prevent malware from executing commands that delete Volume Shadow Copies (e.g., `vssadmin delete shadows /all`).
- **Disable/Restrict RDP:** Harden Remote Desktop Protocol configurations or restrict its use.
- **Security Software Hardening:** Ensure security software is actively monitoring and configured to block known signatures associated with Cobalt Strike beacon deployment.
## Related Tools/Techniques
- **Cobalt Strike:** Used as the primary attack tool for command and control and lateral movement.
- **rclone:** Used for data exfiltration to cloud storage.
- **PsExec.exe:** Used for lateral movement and remote command execution.
- **RDP (Remote Desktop Protocol):** Used for lateral movement.
- **vssadmin.exe:** Used to inhibit system recovery.
- **Royal Ransomware:** Predecessor group/family.
- **Conti:** Ancestor group.