CISA and FBI Release Update to Advisory – Royal Ransomware Actors Rebrand as “BlackSuit”: August 7, 2024

BlackSuit Ransomware CISA and FBI Advisory Update

After gaining access to victims’ networks, BlackSuit actors disable antivirus software and extract large amounts of data before ultimately deploying the ransomware and encrypting the systems.

CISA and the Federal Bureau of Investigation (FBI) jointly released an update to the Cybersecurity Advisory #StopRansomware: Royal Ransomware, now titled #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory, originally published March 2, 2023, offers cybersecurity teams insights into the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) linked to BlackSuit and legacy Royal operations. FBI investigations have observed these TTPs and IOCs as recently as July 2024.

Updates:

  • November 13, 2023: The advisory was updated to share new Royal TTPs and IOCs.
  • August 7, 2024:
    • The rebrand of “Royal” ransomware actors to “BlackSuit,” including new TTPs, IOCs, and detection methods related to BlackSuit ransomware.
    • “Royal” ransomware, known to have wreaked havoc from around September 2022 to June 2023, has transformed into “BlackSuit” ransomware.
    • BlackSuit shares code similarities with Royal ransomware and demonstrates enhanced functionality.
    • BlackSuit engages in data exfiltration and extortion before encrypting data, subsequently publishing the victim's data on a leak site if the ransom remains unpaid.
    • BlackSuit threat actors use phishing emails as one of their most successful gateways for initial access.
    • Once inside a victim's network, BlackSuit actors disable antivirus software and exfiltrate the data they want. They then deploy their ransomware, culminating in the encryption of the systems.
    • Ransom demands normally range from about $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total, with the largest single ransom demand being $60 million.
    • BlackSuit actors have shown a readiness to negotiate the ransom amount. The amount is not stated in the initial ransom note; the victim must engage directly with the threat actor through a .onion URL (accessible via the Tor browser) provided after encryption.
    • BlackSuit publishes victim data on a leak site when payment is not received.
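The intrusion sequence the advisory update describes (antivirus disabled, then bulk exfiltration, then encryption) is ordered, and that order is what a defender can correlate on. The following is an added example, not code from the advisory or from Spry Squared: a small stage correlator that alerts only when all three stages appear on one host, in order, within a time window. The event kinds and the log format are an assumed normalized schema such as a SIEM parser might emit, and the sample feed is constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Stage order taken from the advisory summary above: AV disabled, then bulk
# data exfiltration, then encryption. The event kinds are an ASSUMED
# normalized schema (what a SIEM parser might emit), not advisory fields.
STAGES = ("av_disabled", "bulk_egress", "mass_encrypt")
Event = namedtuple("Event", "ts host kind")

def parse_line(line):
    """Parse one 'ISO-timestamp host kind' line of the constructed feed."""
    ts, host, kind = line.split()
    return Event(datetime.fromisoformat(ts), host, kind)

def correlate(events, window=timedelta(hours=48)):
    """Return {host: time of the AV-disable event} for hosts where all STAGES
    occur in order within `window`; a stage that is out of order or too late
    resets the chain, so an egress spike on its own never alerts."""
    by_host, hits = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        progress, start = 0, None
        for ev in evs:
            if progress and ev.ts - start > window:
                progress, start = 0, None          # chain expired
            if ev.kind == STAGES[progress]:
                if progress == 0:
                    start = ev.ts
                progress += 1
                if progress == len(STAGES):
                    hits[host] = start
                    break
    return hits

# Constructed sample feed (not real telemetry): ws-17 shows the full chain,
# ws-22 lacks the AV-disable step, srv-03's later steps fall outside the window.
SAMPLE_LOG = """\
2024-07-01T08:00:00 ws-17 av_disabled
2024-07-01T09:30:00 ws-17 bulk_egress
2024-07-02T03:00:00 ws-17 mass_encrypt
2024-07-01T10:00:00 ws-22 bulk_egress
2024-07-01T11:00:00 ws-22 mass_encrypt
2024-06-01T08:00:00 srv-03 av_disabled
2024-07-05T08:00:00 srv-03 bulk_egress
2024-07-05T09:00:00 srv-03 mass_encrypt"""

def alerts_from_log(text):
    """Run the correlator over a raw text feed."""
    return correlate(parse_line(l) for l in text.splitlines() if l.strip())
```

Running `alerts_from_log(SAMPLE_LOG)` flags only ws-17; the other two hosts show partial or expired chains and stay quiet.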

How They Do It

Phishing Email: Cybercriminals may spread BlackSuit ransomware via email attachments containing malicious links or macros. Opening these attachments or enabling macros can unknowingly activate the ransomware on the user's device.

Torrent Websites: Torrent websites, widely used for file sharing over peer-to-peer networks, are a common channel through which BlackSuit ransomware is bundled into torrent files. By downloading and opening these compromised torrent files, users risk infecting their systems with ransomware.

Malicious Ads/Malvertising: Malicious advertisements, commonly referred to as malvertising, serve as a covert vehicle for spreading BlackSuit ransomware. Those who click on these ads risk being directed to malicious websites that can stealthily infect their systems with ransomware.

Network Vulnerabilities: Three key areas that need special attention are Remote Desktop Protocol (RDP), Virtual Private Network (VPN), and firewall vulnerabilities. If not properly secured, these can leave systems and sensitive data exposed to cyber threats. Stay ahead of potential breaches by proactively addressing and strengthening these areas within your network infrastructure.

Trojans: Trojans serve as a gateway for BlackSuit ransomware, acting as malicious programs capable of downloading and installing a variety of malware, ransomware included. These threats can infiltrate systems through phishing emails, deceptive software updates, or compromised websites.

Target Countries

• These Russian-speaking threat actors have targeted the following countries: the United States, Canada, Brazil, and the United Kingdom.
• Both Royal and Conti are known to exclude ex-Soviet or Commonwealth of Independent States (CIS) countries from being targeted in attacks.
• Continued monitoring of this group over the next year will likely reveal more about their motivations and specific targeting preferences.

Targeted Industries

• BlackSuit ransomware attacks have targeted several industries, including manufacturing, retail, software developers, and critical infrastructure sectors, including commercial facilities, healthcare and public health, government, education, and critical manufacturing.
• CDK Global, a software developer that provides software to car dealerships to process sales and other transactions, was compromised, disrupting operations at auto dealerships across the U.S. This is a prime example of the latest type of cyberattack, in which ransom-seeking hackers target major companies by compromising their behind-the-scenes software suppliers.
• Octapharma, a leading blood plasma provider, was attacked by BlackSuit in April 2024 through a vulnerability in its VMware system, which forced the closure of more than 190 plasma donation centers spread across 35 states in the U.S. This attack not only disrupted the manufacturing of plasma but also caused significant delays in delivering life-saving plasma to hospitals in both the U.S. and EU. The cybercriminals from BlackSuit managed to access and steal sensitive donor information, including protected health information (PHI), during the breach.
• In 2024, South Carolina's Kershaw County School District became the first educational organization to fall victim to the BlackSuit threat actors. The district educates over 11,000 students from kindergarten through 12th grade across 19 schools, including nine elementary schools, and employs more than 1,300 staff members. On January 3rd, BlackSuit claimed on its victim leak site to have stolen 17 GB of files from the KCSD network.
• Another educational victim of BlackSuit is the Henry County School system in Georgia; the attack left the entire district offline for several days and compromised the sensitive data of over 40,000 students and thousands of staff members.

Mitigations and Future Attacks

Cybersecurity professionals are advised to review the updated advisory and implement the suggested measures. Check out #StopRansomware for extra tips on protecting against, detecting, and responding to ransomware. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more details on CPGs and additional baseline protections.

CISA encourages software manufacturers to strengthen their clients' cybersecurity by implementing secure by design strategies. For additional details on secure by design, refer to CISA’s Secure by Design webpage and the guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.

If your organization is in the crosshairs of BlackSuit and needs to reassess its cybersecurity posture, the Spry Squared cybersecurity team is standing by.