BlackSuit Ransomware Group: What Has Changed After Royal Ransomware

The BlackSuit ransomware group, a successor to the infamous Royal ransomware, has rapidly established itself as a prominent cyber threat since its emergence in mid-2023. Leveraging advanced tactics, techniques, and procedures (TTPs), BlackSuit employs a multifaceted approach that includes phishing, RDP exploitation, and double extortion to target high-value organizations worldwide. With over $500 million in ransom demands and attacks on industries ranging from education to automotive, BlackSuit showcases evolving ransomware capabilities. 

This analysis explores the origins, major incidents, and sophisticated TTPs of BlackSuit, offering insights into its operational strategies and critical defense mechanisms to mitigate its impact effectively.

Origins and Affiliations of the BlackSuit (a.k.a. Royal Ransomware) Threat Actor

The BlackSuit ransomware operation emerged as an evolution of the Royal ransomware group, which was active from September 2022 through June 2023. While maintaining significant code similarities with its predecessor, BlackSuit has demonstrated enhanced capabilities and a more aggressive operational tempo. The group has demanded over $500 million in ransom in total, with individual demands ranging from $1 million to a staggering $60 million.

BlackSuit's sophisticated attack chain leverages multiple initial access vectors, including phishing campaigns, RDP exploitation, public-facing application vulnerabilities, and partnerships with initial access brokers. The group is notable for its double-extortion tactics and the use of partial encryption techniques to evade detection. Their infrastructure typically routes initial exfiltration through U.S.-based IP addresses before moving data to their command and control servers.

Notable Cyber Incidents & Victimology of BlackSuit Ransomware Group

Below are some significant incidents attributed to BlackSuit, showcasing their methodologies and the impacts of their attacks.

Incident 1: Kadokawa and Niconico Cyberattack (June 2024)

On June 8, 2024, BlackSuit launched a ransomware attack on Kadokawa Corporation and its subsidiary Niconico, a popular Japanese video-sharing platform; recovery of the affected services stretched into early August. The attack led to the leak of personal information of 254,241 individuals, including sensitive data from the Kadokawa Dwango Educational Institute. The attackers claimed to have stolen 1.5 terabytes of data, including business partner and user details, and threatened to release it unless a ransom was paid by July.

The attack caused significant service disruptions, including the cancellation of scheduled programming on Niconico. In response, Kadokawa reported the incident to authorities and took immediate action to contain the breach, including physically disconnecting affected servers. Services were gradually restored, with Niconico resuming normal operations on August 5, 2024.

Incident 2: CDK Global, Disrupting 15,000 North American Dealerships

In June 2024, BlackSuit targeted CDK Global, disrupting operations at over 15,000 North American car dealerships. The ransomware attack led to significant IT outages, affecting critical systems like sales, service, and inventory management. While the exact attack vector remains unclear, ransomware groups like BlackSuit typically exploit vulnerabilities, phishing, or RDP brute-force attacks.

Once inside, they deploy ransomware to encrypt systems and data. CDK Global responded by shutting down affected systems and negotiating with BlackSuit to avoid data leaks. The company reportedly paid about $25 million in Bitcoin to regain control of encrypted systems. By July 4, most dealers were operational again. This incident highlighted the importance of strong cybersecurity practices, including regular backups and timely vulnerability patches, to protect against ransomware attacks.

Analyzing BlackSuit's Advanced Tactics, Techniques, and Procedures (TTPs)

This section provides a comprehensive analysis of the group's TTPs, offering insights into how BlackSuit ransomware operates, the tools the actors employ, and the evidence each step leaves behind.

Initial Access - ATT&CK TA0001

Phishing: Spearphishing Attachment - MITRE T1566.001

The group employs various methods to gain initial access to victim networks, with phishing emails being among the most successful vectors. These emails often contain malicious attachments or links that, when opened, install malware that delivers the ransomware payload.

External Remote Services: Remote Desktop Protocol - MITRE T1133

Another common attack vector utilized by BlackSuit actors is the exploitation of Remote Desktop Protocol (RDP). They may conduct brute-force attacks on RDP accounts or exploit vulnerabilities in public-facing applications to gain unauthorized access. Once inside the network, they often use RDP for lateral movement, deploying tools like Cobalt Strike beacons and engaging in credential harvesting techniques to escalate privileges and propagate the ransomware.

Execution - ATT&CK TA0002 

System Services: Service Execution (MITRE T1569.002 & Cobalt Strike)

The adversary leveraged Cobalt Strike as their primary post-exploitation tool, specifically its built-in PsExec-like capabilities. Through the psexec and psexec_psh commands, the beacon uploads a binary (or a PowerShell one-liner) to an administrative share on the target and creates a Windows service there to run it.

The Windows System event log records each such service installation as Event ID 7045 ("A service was installed in the system"). Security researchers documented the following instance during their investigation [1]:

Service Name: 61185c1
Service File Name: \ADMIN3\61185c1.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

The record shows a service named "61185c1" whose binary is "\ADMIN3\61185c1.exe", configured as a user-mode service set to start on demand and running under the LocalSystem account. A short random service name pointing at an executable staged on an administrative share is exactly what Cobalt Strike's psexec produces when it executes a payload remotely by uploading a binary and registering it as a service.

Command and Scripting Interpreter: PowerShell - MITRE T1059.001 

The BlackSuit ransomware group also utilizes PowerShell scripting as part of its attack chain, specifically leveraging the powershell.exe interpreter to execute commands in a hidden and minimized window. This method helps avoid detection by security monitoring tools.

A second service installation, recorded the same way, carried the PowerShell launcher directly as the service's command (the Base64 payload that follows -encodedcommand is not reproduced here):

Service Name: 375ae5c
Service Start Type: demand start
%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand 

  • %COMSPEC% /c: %COMSPEC% expands to the system's default command interpreter (normally cmd.exe), and /c runs the command that follows and then exits. The extra /b is not a documented cmd.exe switch; its presence in this exact string is a known fingerprint of Cobalt Strike's psexec_psh template.

  • start /b /min: starts the child without opening a new console window (/b) and minimized (/min), so nothing visible appears on the desktop.

  • powershell -nop -w hidden -encodedcommand: runs PowerShell without loading a profile (-nop), with a hidden window (-w hidden) and with the script supplied as a Base64-encoded UTF-16LE string (-encodedcommand), so the actual script never appears in plaintext on the command line.
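The launcher string above is easy to alert on once it is in a log, and the encoded script can be recovered at triage time. The following Python is an added example (not code from the page or from the cited report) that scores service-installation records in the shape of Event ID 7045 (service name plus binary path) and decodes the -encodedcommand payload. The sample records and the harmless payload are constructed here so the block runs offline; the "seven hex characters" name heuristic is an assumption drawn from the two names quoted on this page (61185c1, 375ae5c).

```python
import base64
import re

# The psexec_psh launcher template quoted above; the Base64 blob after -encodedcommand is captured.
PSEXEC_PSH_RE = re.compile(
    r"%COMSPEC%\s+/b\s+/c\s+start\s+/b\s+/min\s+powershell(?:\.exe)?\s+"
    r"-nop\s+-w\s+hidden\s+-encodedcommand\s+(?P<b64>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# Assumed heuristic: seven hexadecimal characters, like the two service names shown on this page.
SHORT_HEX_NAME_RE = re.compile(r"[0-9a-f]{7}", re.IGNORECASE)


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Reverse of encode_command; raises ValueError / UnicodeDecodeError on malformed input."""
    return base64.b64decode(b64, validate=True).decode("utf-16le")


def analyze_service_install(service_name: str, image_path: str) -> dict:
    """Score one 7045-style record and decode the PowerShell payload if the template matches."""
    result = {"service": service_name, "reasons": [], "script": None}
    if SHORT_HEX_NAME_RE.fullmatch(service_name):
        result["reasons"].append("seven-hex-character service name (matches the samples above)")
    match = PSEXEC_PSH_RE.search(image_path)
    if match:
        result["reasons"].append("psexec_psh launcher template in service binary path")
        try:
            result["script"] = decode_command(match.group("b64"))
        except (ValueError, UnicodeDecodeError):
            result["reasons"].append("-encodedcommand payload is not valid Base64/UTF-16LE")
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed sample records (not from the original page). A harmless hypothetical script
# stands in for the real payload so the example can be run anywhere.
SAMPLE_SCRIPT = "Write-Output 'added example payload'"
SAMPLE_RECORDS = [
    ("375ae5c", "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand "
                + encode_command(SAMPLE_SCRIPT)),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


def scan(records=SAMPLE_RECORDS) -> list:
    """Return only the suspicious records, each with its decoded script where one was present."""
    return [r for r in (analyze_service_install(n, p) for n, p in records) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan():
        print(hit["service"], hit["reasons"], repr(hit["script"]))
```

Because the template string is fixed by the tooling rather than chosen per intrusion, the regex transfers to other Cobalt Strike psexec_psh service installs; the decoded script is what tells you whether the beacon was staged as a download cradle or as an inline payload.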

Persistence - ATT&CK TA0003

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (MITRE T1547.001)

BlackSuit actors established persistence by creating a registry Run key value that executes automatically when the user logs in.

Let's break down the specific evidence provided by the Sysmon Event ID 13 (Registry value set):

The registry key was named "socks5" and was placed in "HKU\S-1-5-21-[redacted]\Software\Microsoft\Windows\CurrentVersion\Run", which is a common location for persistence as Windows automatically executes programs listed in this registry path during user logon.

The registry value was configured to execute "socks32.exe" - identified as a SystemBC backdoor - through PowerShell using specific parameters to hide its execution. 

RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
Image: C:\[redacted]\socks32.exe
TargetObject: HKU\S-1-5-21-[redacted]\Software\Microsoft\Windows\CurrentVersion\Run\socks5
Details: powershell.exe -windowstyle hidden -Command "& 'C:\[redacted]\socks32.exe'"

The command "powershell.exe -windowstyle hidden" ensures the PowerShell window remains invisible to users, making the malicious activity stealthier.

Defense Evasion - ATT&CK TA0005

Modify Registry - MITRE T1112

The attackers modified the registry to enable Remote Desktop Protocol (RDP) access on a file server, setting the fDenyTSConnections value under the Terminal Server key to 0, which allows terminal server connections:

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Turning on the operating system's own remote desktop service gave them an interactive foothold that blends in with routine administrative activity, without dropping additional remote-access tooling.
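Both registry changes in this section (the Run key persistence above and the RDP toggle) surface in the same telemetry, Sysmon Event ID 13. The Python below is an added example (not code from the page or the cited report) that evaluates Sysmon 13 records for the two conditions: an autostart value under Run/RunOnce that launches a hidden PowerShell command, and fDenyTSConnections written as zero. The sample events are constructed, the file paths in them are hypothetical, and the regular expressions are this example's own rather than anything from the original.

```python
import re

# Autostart locations under either the HKU or HKLM hive, as Sysmon renders TargetObject.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# A PowerShell launcher using window-hiding, profile-skipping or encoded-command switches.
HIDDEN_LAUNCHER_RE = re.compile(
    r"(powershell|pwsh)(\.exe)?\b.*?(-w(indowstyle)?\s+hidden|-nop\b|-enc)",
    re.IGNORECASE,
)
RDP_TOGGLE_RE = re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)
# Sysmon renders REG_DWORD data as text such as "DWORD (0x00000000)".
DWORD_ZERO_RE = re.compile(r"DWORD \(0x0+\)")


def analyze_registry_event(event: dict) -> list:
    """Evaluate one Sysmon Event ID 13 record (Image, TargetObject, Details); return findings."""
    findings = []
    target, details, image = event["TargetObject"], event["Details"], event["Image"]
    run = RUN_KEY_RE.search(target)
    if run:
        findings.append(f"T1547.001: {run.group('key')} value '{run.group('value')}' written by {image}")
        if HIDDEN_LAUNCHER_RE.search(details):
            findings.append("T1547.001: autostart value launches a hidden PowerShell command")
    if RDP_TOGGLE_RE.search(target) and DWORD_ZERO_RE.search(details):
        findings.append(f"T1112: fDenyTSConnections set to 0 (RDP enabled) by {image}")
    return findings


# Constructed records in Sysmon 13 shape (not from the original page); paths and SIDs are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\socks32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\socks5",
     "Details": r'''powershell.exe -windowstyle hidden -Command "& 'C:\Users\Public\socks32.exe'"'''},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Findings per event, in input order (an empty list means nothing matched)."""
    return [analyze_registry_event(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan()):
        print(event["TargetObject"], "->", findings or "clean")
```

The third sample shows why the Run-key finding on its own is informational: legitimate software writes autostart values constantly, and it is the hidden-interpreter wrapper (or an unsigned binary in a user-writable path) that turns it into an alert.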

Process Injection - MITRE T1055

The extensive use of Cobalt Strike beacons suggested that BlackSuite attackers utilized process injection techniques to hide malicious activities within legitimate processes. This method allowed them to evade detection by security tools monitoring for unusual or unauthorized processes.

Credential Access - ATT&CK TA0006

Steal or Forge Kerberos Tickets: AS-REP Roasting - MITRE T1558.004

BlackSuit actors performed AS-REP roasting using Rubeus on the beachhead host, targeting a domain controller. The technique requests TGTs for accounts that have Kerberos pre-authentication disabled; because the KDC does not demand proof of the password first, it replies with an AS-REP containing material encrypted under the account's password-derived key, which can then be cracked offline. On the domain controller such requests appear in Security Event ID 4768 with Pre-Authentication Type 0. The results were written to the file “C:\Users\Public\APPDATA\_asp.txt”, indicating successful execution of this technique.

Steal or Forge Kerberos Tickets: Kerberoasting - MITRE T1558.001

The threat actor also executed a Kerberoasting attack using Rubeus, requesting service tickets (TGS) for accounts with registered SPNs and asking the KDC for RC4-HMAC encryption (etype 0x17, visible in Security Event ID 4769 as Ticket Encryption Type 0x17).

RC4 service tickets are encrypted with the service account's NT hash, so the captured tickets can be cracked offline to recover plaintext passwords.

OS Credential Dumping: LSASS Memory - MITRE T1003.001

BlackSuit actors accessed LSASS memory on a workstation to extract credentials. They did so by injecting Cobalt Strike into the mstsc.exe process and opening a handle to lsass.exe with memory-read access rights.

The activity was logged as Sysmon Event ID 10 (ProcessAccess), whose SourceImage, TargetImage and GrantedAccess fields show which process opened LSASS and with what rights.
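The three credential-access techniques in this section (AS-REP roasting, Kerberoasting and LSASS access) each leave a distinct, well-defined log artifact, so one small correlator covers all of them. The Python below is an added example (not code from the page or the cited report) that walks constructed Security 4768/4769 and Sysmon 10 records: it flags TGT requests without pre-authentication, groups RC4 service-ticket requests per requester and alerts past a threshold, and flags handles to lsass.exe that include PROCESS_VM_READ. The field names follow the Windows event schemas; the sample values, the threshold and the SPN names are assumptions made for the example.

```python
from collections import defaultdict

PROCESS_VM_READ = 0x0010        # the access right needed to read another process's memory
RC4_HMAC = "0x17"               # Ticket Encryption Type for RC4-HMAC in Event 4769
KERBEROAST_THRESHOLD = 3        # assumed tuning value: distinct SPNs per requester before alerting


def analyze_credential_events(events, threshold=KERBEROAST_THRESHOLD) -> list:
    """Correlate 4768 / 4769 / Sysmon 10 records into (technique, description) findings."""
    findings = []
    rc4_spns = defaultdict(set)  # (client IP, requesting account) -> SPN accounts asked for with RC4
    for e in events:
        eid = e["EventID"]
        if eid == 4768 and e.get("PreAuthType") == "0":
            # TGT issued without pre-authentication: the AS-REP can be cracked offline.
            findings.append(("T1558.004",
                             f"AS-REP roasting candidate: {e['TargetUserName']} from {e['IpAddress']}"))
        elif eid == 4769 and e.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            rc4_spns[(e["IpAddress"], e["TargetUserName"])].add(e["ServiceName"])
        elif eid == 10 and e.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            granted = int(e["GrantedAccess"], 16)
            if granted & PROCESS_VM_READ:   # 0x1010, 0x1410, 0x1FFFFF all include this bit
                findings.append(("T1003.001",
                                 f"{e['SourceImage']} opened LSASS with GrantedAccess {e['GrantedAccess']}"))
    for (ip, account), spns in rc4_spns.items():
        if len(spns) >= threshold:
            findings.append(("T1558.003",
                             f"Kerberoasting candidate: {account} from {ip} requested RC4 tickets for {sorted(spns)}"))
    return findings


# Constructed sample records (not from the original page); hostnames, accounts and IPs are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0", "IpAddress": "10.10.20.5"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "IpAddress": "10.10.20.31"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.20.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.20.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.20.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.20.40"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\mstsc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


if __name__ == "__main__":
    for technique, description in analyze_credential_events(SAMPLE_EVENTS):
        print(technique, description)
```

The last two sample events illustrate the usual tuning: a 0x1000 handle (PROCESS_QUERY_LIMITED_INFORMATION only) to LSASS is routine and is ignored, while mstsc.exe reading LSASS memory is not a legitimate behaviour of that binary. In production the LSASS rule also carries an allow-list of known EDR and antivirus images, and the Kerberoasting threshold is set from the environment's normal RC4 ticket volume.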

Discovery - ATT&CK TA0007

Known Royal Ransomware Discovery Techniques

The Royal Ransomware’s network scanning and discovery process align with several MITRE ATT&CK techniques under the Discovery tactic, which focuses on techniques that attackers use to gather information about their environment. 

The specific techniques can be itemized as the following [2].

Network Service Scanning (T1046): Royal Ransomware scans the network for IP addresses and services by using the GetIpAddrTable and WSASocketW APIs. This technique helps attackers identify machines on the network to target.

Network Share Discovery (T1135): The ransomware enumerates network shares using the NetShareEnum API to identify shared resources. It specifically avoids shared directories such as “\\<IP_Address>\ADMIN$” and “\\<IP_Address>\IPC$”, which are often used for administrative purposes.

Connection Proxy (T1090.002): Royal Ransomware establishes a socket and uses CreateIoCompletionPort and ConnectEx to connect to remote systems, leveraging networking protocols like SMB to establish connections.

These techniques help Royal Ransomware identify available targets and avoid certain resources, facilitating its lateral movement and subsequent data encryption.

Known BlackSuite Ransomware Discovery Techniques

System Information Discovery (T1082): In one case, approximately six hours after gaining initial access, the threat actor executed the command systeminfo to collect details about the local system. 

Remote System Discovery (T1018): This was followed by the command nltest /dclist, which identified the domain controllers within the environment. 

Account Discovery: Domain Account (T1087.002): After identifying the domain controllers, the attacker loaded Sharphound into memory via Cobalt Strike. Sharphound is a tool designed for Active Directory enumeration, allowing attackers to gather extensive information about user accounts, group memberships, and relationships within the network. 

In one case, the output from Sharphound was stored in the “C:\Windows\Temp\Dogi\” directory.

Sharphound performed numerous LDAP queries to enumerate Active Directory objects, including local group memberships and logged-on users. This involved querying the Windows Security Accounts Manager (SAM) database remotely through various communication pipes (e.g., samr pipe). 

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))
(primarygroupid=*)

The first filter is a disjunction over the four samAccountType values that denote group objects (268435456 = SAM_GROUP_OBJECT, 268435457 = SAM_NON_SECURITY_GROUP_OBJECT, 536870912 = SAM_ALIAS_OBJECT, 536870913 = SAM_NON_SECURITY_ALIAS_OBJECT), so it pulls every security group, distribution group and alias in the domain in one query. The second matches any object that has a primary group, which is every user and computer account. Broad presence-only filters like these are characteristic of automated enumeration rather than of administrative lookups.

The threat actor executed Sharphound multiple times during the intrusion, including runs on a domain controller. Each execution produced output files that were saved in different system directories, further indicating a methodical approach to gathering intelligence across various systems within the network.
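The numeric samAccountType literals in the Sharphound filters above are opaque until decoded. The Python below is an added example (not code from the page or the cited report) that parses an LDAP filter string, maps each samAccountType literal to its name from the SAM_ACCOUNT_TYPE enumeration, and classifies what the query is enumerating; the presence-only case covers filters such as (primarygroupid=*). The filters fed to it in the test are the two quoted on this page plus a user-object filter constructed for the example.

```python
import re

# samAccountType values from Windows' SAM_ACCOUNT_TYPE enumeration.
SAM_ACCOUNT_TYPES = {
    0x00000000: "SAM_DOMAIN_OBJECT",
    0x10000000: "SAM_GROUP_OBJECT",
    0x10000001: "SAM_NON_SECURITY_GROUP_OBJECT",
    0x20000000: "SAM_ALIAS_OBJECT",
    0x20000001: "SAM_NON_SECURITY_ALIAS_OBJECT",
    0x30000000: "SAM_USER_OBJECT",
    0x30000001: "SAM_MACHINE_ACCOUNT",
    0x30000002: "SAM_TRUST_ACCOUNT",
    0x40000000: "SAM_APP_BASIC_GROUP",
    0x40000001: "SAM_APP_QUERY_GROUP",
}
GROUP_TYPES = {"SAM_GROUP_OBJECT", "SAM_NON_SECURITY_GROUP_OBJECT",
               "SAM_ALIAS_OBJECT", "SAM_NON_SECURITY_ALIAS_OBJECT"}

SAM_TYPE_RE = re.compile(r"\(samaccounttype=(\d+)\)", re.IGNORECASE)
# One (attribute op value) item of an RFC 4515 filter; enough for the simple filters seen here.
ITEM_RE = re.compile(r"\(([A-Za-z0-9-]+)(>=|<=|~=|=)([^()]*)\)")


def decode_sam_filter(ldap_filter: str) -> dict:
    """Map every samAccountType literal in the filter to its symbolic name."""
    decoded = {}
    for raw in SAM_TYPE_RE.findall(ldap_filter):
        value = int(raw)
        decoded[value] = SAM_ACCOUNT_TYPES.get(value, "UNKNOWN (0x%08X)" % value)
    return decoded


def classify_filter(ldap_filter: str) -> str:
    """Summarise what an enumeration filter is after: groups, users, computers or 'everything with X'."""
    names = set(decode_sam_filter(ldap_filter).values())
    if names and names <= GROUP_TYPES:
        return "group enumeration"
    if names == {"SAM_USER_OBJECT"}:
        return "user enumeration"
    if names == {"SAM_MACHINE_ACCOUNT"}:
        return "computer enumeration"
    if not names:
        present = sorted({attr.lower() for attr, _, value in ITEM_RE.findall(ldap_filter) if value == "*"})
        if present:
            return "presence-only filter on " + ", ".join(present) + " (returns every object that has the attribute)"
    return "mixed or unrecognised filter"


if __name__ == "__main__":
    for f in ["(|(samaccounttype=268435456)(samaccounttype=268435457)"
              "(samaccounttype=536870912)(samaccounttype=536870913))",
              "(primarygroupid=*)", "(samaccounttype=805306368)"]:
        print(f, "->", classify_filter(f), decode_sam_filter(f))
```

Running the decoder over LDAP query logs (for example Directory Service Event ID 1644 with expensive-search logging enabled) separates "one analyst looking up a group" from "one host asking for every group and every principal in the domain within seconds", which is the Sharphound pattern described above.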

Lateral Movement - ATT&CK TA0008

Use Alternate Authentication Material: Pass-the-Hash - MITRE T1550.002

The threat actor utilized stolen NTLM hashes to authenticate across systems without needing plaintext credentials.

Remote Services: SMB/Windows Admin Shares - MITRE T1021.002

Cobalt Strike was used to distribute SMB and HTTPS beacons across the network by leveraging ADMIN$ shares. The hidden SMB share (C$) was used to deploy the ransomware executable to critical endpoints [1].

Indicators:

  • Security Event ID 5145 ("A network share object was checked to see whether client can be granted desired access") helped trace beacon movement between hosts.

  • Configuration and logs of Cobalt Strike's SMB beacons provided further evidence.

Remote Services: Remote Desktop Protocol - MITRE T1021.001  

RDP was used to access specific systems, such as a file server and a backup server, for further reconnaissance and discovery activities.

Indicators:

  • Windows Security Event ID 4624 with Logon Type 10 ("RemoteInteractive") logged RDP activity.

  • Event IDs 4778 (session reconnect) and 4779 (session disconnect) linked sessions to specific hostnames used by the threat actor.

Protocol Tunneling - MITRE ID: T1572 

SystemBC was used to establish tunnels that facilitated the movement of malicious payloads and communications within the compromised network.

Collection - ATT&CK TA0009

Archive Collected Data: Archive via Utility - MITRE T1560.001

The BlackSuit actors performed data collection and exfiltration preparation in two steps:

First, they executed a PowerShell script named "Get-DataInfo.ps1" with -ExecutionPolicy RemoteSigned, which collected sensitive data from the system. That PowerShell process appears as the parent (ParentCommandLine) of the compression step that follows.

Then, they used 7-Zip (7z.exe) with specific command line parameters to compress the collected data:

  • The command "7z.exe a -tzip .\result.zip -mx=9 -aoa \result*" adds (a) the matching files to a new ZIP archive named result.zip

  • "-mx=9" selects the maximum compression level, shrinking the data before transfer

  • "-aoa" is 7-Zip's "overwrite all existing files without prompt" mode, included so a rerun never blocks on a confirmation prompt

  • The input pattern "\result*" shows that the collector script wrote its output to a dedicated staging location

This activity pattern aligns with MITRE ATT&CK technique T1560.001. The threat actor used a legitimate compression utility (7-Zip) to stage collected data for exfiltration, which both shrinks the transfer and blends in with routine administrative use of a common tool.

Impact  - ATT&CK TA0040

Data Encrypted for Impact - MITRE T1486

BlackSuit uses a partial encryption technique, enabling the actor to select a specific percentage of data in a file to encrypt. This method helps evade detection by lowering the encryption percentage for larger files and enhances the speed of ransomware execution.

During execution, BlackSuit (originally Royal ransomware) can take three command-line arguments:

  • -path [optional]: The path to be encrypted

  • -ep [optional]: The percentage of the file to be encrypted

  • -id: A unique 32-character identifier

The encryption process is determined by these arguments, affecting factors like speed, file corruption, and detection risk. If the -id argument is missing, the ransomware will not run.

// Command-line argument processing (decompiler output; the -path and -id branches are elided here)
CommandLineW = GetCommandLineW();
ptr_cmdline = CommandLineToArgvW(CommandLineW, &pNumArgs);
var_size_of_id = 0x32;   // encryption percentage, default 50; the decompiler's variable name is a misnomer
v7 = 0i64;
v8 = 0;
v20 = 0;
*MultiByteStr = 0i64;

// Walk the arguments looking for -path, -id and -ep (lstrcmpW returns 0 on a match)
for (i = 0i64; v8 < pNumArgs; ++ptr_cmdline) {
    if (lstrcmpW(*ptr_cmdline, L"-path")) {        // not "-path"
        if (lstrcmpW(*ptr_cmdline, L"-id")) {      // not "-id" either
            if (!lstrcmpW(*ptr_cmdline, L"-ep")) { // "-ep": the next argument is the percentage
                ++ptr_cmdline;
                ++v8;
                var_size_of_id = unknown_libname_21();   // convert the numeric string (wtoi-style)
               
                // Unsigned range check: any value outside 1..100 (including 0) falls back to 50
                if ((var_size_of_id - 1) > 99) {
                    var_size_of_id = 0x32;
                }
            }
        }
    }
}

Inhibit System Recovery - MITRE T1490

After validating the command line, BlackSuit (formerly Royal ransomware) attempts to delete shadow copy backups using the vssadmin.exe utility with the command: delete shadows /all /quiet.

The process is executed with the following code snippet:

// Build the argument string. The leading space stands where argv[0] would normally be,
// because the executable is passed separately as lpApplicationName.
wsprintfW(CommandLine, L" delete shadows /all /quiet");
StartupInfo.cb = 104;                    // sizeof(STARTUPINFOW) on 64-bit Windows
memset(&StartupInfo.cb + 1, 0, 100);     // zero the remaining fields of the structure
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
// Launch vssadmin by absolute path, with no creation flags and the current environment and directory
if (CreateProcessW(
    L"C:\\Windows\\System32\\vssadmin.exe",   // lpApplicationName
    CommandLine,                              // lpCommandLine
    0i64,                                     // lpProcessAttributes
    0i64,                                     // lpThreadAttributes
    0,                                        // bInheritHandles
    0,                                        // dwCreationFlags
    0i64,                                     // lpEnvironment (inherit)
    0i64,                                     // lpCurrentDirectory (inherit)
    &StartupInfo,
    &ProcessInformation)
)

This code launches vssadmin.exe to delete every Volume Shadow Copy, removing the local restore points victims would otherwise use to recover files without paying.
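Two detection points fall out of the Impact section: the ransomware's own argument grammar (the -id / -ep / -path handling in the decompiled loop) and the shadow-copy deletion. The Python below is an added example (not code from the page or from the sample) that replicates the argument validation in plain code and evaluates constructed process-creation records in Sysmon Event ID 1 shape. One detail from the CreateProcessW call above matters for detection: because vssadmin.exe is passed as lpApplicationName and the command line begins with a space, the child's recorded CommandLine is " delete shadows /all /quiet" with no "vssadmin" in it at all, so the rule keys on the Image field plus the arguments rather than on the string "vssadmin delete shadows". The executable name, identifier and paths in the samples are hypothetical; the 32-character length requirement on -id follows this page's description of the argument.

```python
import re

DEFAULT_EP = 0x32   # 50 percent, the default in the decompiled argument loop
# Arguments of a shadow-copy wipe; deliberately does not require "vssadmin" in the command line.
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b.*\s/all\b.*\s/quiet\b", re.IGNORECASE)


def parse_ransomware_args(cmdline: str):
    """Mirror the -path / -id / -ep handling of the decompiled code.

    Returns the effective options, or None when -id is absent or not 32 characters
    (the sample exits without -id; the length check is taken from this page's description).
    """
    argv = cmdline.split()
    opts = {"path": None, "ep": DEFAULT_EP, "id": None}
    i = 1                                   # argv[0] is the executable
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("-path", "-id", "-ep") and i + 1 < len(argv):
            value = argv[i + 1]
            if flag == "-ep":
                try:
                    ep = int(value)
                except ValueError:
                    ep = 0                  # assumed: a wtoi-style parser yields 0 for non-numeric text
                # The native check is unsigned "(ep - 1) > 99", so 0 wraps around and is rejected too.
                opts["ep"] = ep if 1 <= ep <= 100 else DEFAULT_EP
            else:
                opts[flag[1:]] = value
            i += 2
        else:
            i += 1
    if opts["id"] is None or len(opts["id"]) != 32:
        return None
    return opts


def analyze_process_event(event: dict) -> list:
    """Flag one process-creation record (Image, ParentImage, CommandLine) for T1486 / T1490 behaviour."""
    findings = []
    image, cmd = event["Image"].lower(), event["CommandLine"]
    if image.endswith(r"\vssadmin.exe") and SHADOW_DELETE_RE.search(cmd):
        findings.append(f"T1490: shadow copies deleted via vssadmin, parent {event['ParentImage']}")
    opts = parse_ransomware_args(cmd)
    if opts is not None:
        findings.append(f"T1486: ransomware-style arguments (id={opts['id']}, ep={opts['ep']}%, path={opts['path']})")
    return findings


# Constructed sample records (not from the original page); binary name, id and paths are hypothetical.
SAMPLE_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\enc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"enc.exe -id {SAMPLE_ID} -ep 0 -path D:\\Shares"},
    # What the CreateProcessW call above actually produces: no image name in the command line.
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\Public\enc.exe",
     "CommandLine": " delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]


def scan_process_events(events=SAMPLE_EVENTS) -> list:
    """Findings per event, in input order."""
    return [analyze_process_event(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan_process_events()):
        print(event["Image"], "->", findings or "clean")
```

The parent-process field in the second sample is the higher-fidelity signal: vssadmin.exe run by a backup agent or an administrator's console is normal, vssadmin.exe spawned by an unsigned executable in a user-writable directory is not.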

How Does Picus Help Against the BlackSuit Ransomware Threat Group?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.  

Picus Threat Library includes the following threats for BlackSuit ransomware.

Threat ID   Threat Name                        Attack Module
52587       Royal Ransomware Download Threat   Network Infiltration
75964       Royal Ransomware Email Threat      E-mail Infiltration

Defense Strategies Against the BlackSuit Ransomware Group

Regular Backups and Backup Isolation

  • Frequently back up critical data and ensure backups are stored securely, disconnected from the primary network.
  • Test backups regularly to confirm data integrity and restoration processes.

Network Monitoring and Anomaly Detection

  • Implement advanced network monitoring tools to detect unusual activity, such as lateral movement or data exfiltration attempts.
  • Use intrusion detection systems (IDS) or security information and event management (SIEM) solutions for real-time analysis.

Timely Patching and Software Updates

  • Regularly update all software, operating systems, and firmware to close vulnerabilities that ransomware exploits.
  • Prioritize critical patches, especially those addressing remote code execution (RCE) flaws.

Secure RDP and Multi-Factor Authentication (MFA)

  • Do not expose Remote Desktop Protocol (RDP, TCP 3389) directly to the internet; place it behind a VPN or remote desktop gateway and restrict which accounts and source networks may log on via RDP.
  • Implement MFA for all accounts to prevent unauthorized access, even if credentials are compromised.

Employee Training and Awareness

  • Conduct regular phishing simulations and cybersecurity training to help employees recognize and avoid ransomware delivery methods (e.g., phishing emails).
  • Emphasize reporting suspicious activity promptly.

These measures, when combined, significantly reduce the likelihood of a successful ransomware attack and limit the damage if one occurs.

Conclusion

The evolution of the Royal ransomware group into BlackSuit represents a significant escalation in cybercrime sophistication. Leveraging advanced tactics such as double extortion, partial encryption, and sophisticated lateral movement techniques, the group has demonstrated a heightened capability to inflict financial and operational harm. Notable attacks on Kadokawa Corporation, CDK Global, and other high-profile organizations underscore the wide-reaching impact of their operations, including data theft, service disruptions, and ransom payments.

BlackSuit's reliance on tools like Cobalt Strike, PowerShell scripting, and credential-dumping techniques highlights the importance of robust defenses. Effective countermeasures include regular data backups, isolated storage of critical files, and timely patching to mitigate vulnerabilities. Advanced monitoring solutions, secure remote access protocols, and comprehensive employee training can further enhance organizational resilience against these attacks.

As ransomware continues to evolve, organizations must adopt a proactive approach to cybersecurity. This includes simulating advanced threat scenarios and validating security controls, as platforms like Picus enable. By leveraging these strategies, businesses can not only detect and respond to ransomware threats but also minimize the likelihood of becoming a victim.

The BlackSuit ransomware group's trajectory signals a persistent and evolving threat, demanding vigilance, innovation, and collaboration to mitigate its impact and protect critical digital assets.

Indicators of Compromise (IOCs)

SHA256 Hashes

  • 13A5C3B72F81554E04B56D960D3A503A4B08EC77ABB43756932A68B98DAC1479
  • 15D4A2FC500DFA55A64221A0A38D9C47510D8D348D3289C89D26E6184DDD51FF
  • 250BCBFA58DA3E713B4CA12EDEF4DC06358E8986CAD15928AA30C44FE4596488
  • 27E300FA67828D8FFD72D0325C6957FF54D2DC6A060BBF6FC7AA5965513468E0
  • 312F34EE8C7B2199A3E78B4A52BD87700CC8F3AA01AA641E5D899501CB720775
  • 32877793A1E0D72235E9E785E1F55592C32C9F08B73729815B8103B09A54065F
  • 35619594724871138875DB462EDA6CF24F2A462E1F812FF27D79131576CD73AB
  • 3B873BC8C7EE12FE879AB175D439B5968C8803FBB92E414DE39176E2371896B2
  • 42EEC2B721E59640D7B88202B80D2D9A5C84BF34534396098A497A60EF5EBB97
  • 491C2B32095174B9DE2FD799732A6F84878C2E23B9BB560CD3155CBDC65E2B80
  • 55CDE638E9BCC335C79C605A564419819ABF5D569C128B95B005B2F48CCC43C1
  • 60DCBFB30802E7F4C37C9CDFC04DDB411060918D19E5B309A5BE6B4A73C8B18A
  • 6C884E4A9962441155AF0AC8E7EEA4AC84B1A8E71FAEE0BEAFC4DD95C4E4753F
  • 74DF3452A6B9DCDBA658AF7A9CF5AFB09CCE51534F9BC63079827BF73075243B
  • 7EEA62DCAE4E2E5091DD89959529AE047071415A890DDA507DB4C53B6DCAB28B
  • 87EED751035A0BCCE040079E48545A7265E1A0C7D4BCAF0B37A8A70D833FEAFC
  • 8E01ECF9D804454F34EECEB0F7793F4884BE8868886A646526419FC2E2BBB648
  • 9493B512D7D15510EBEE5B300C55B67F9F2FF1DDA64BDDC99BA8BA5024113300
  • A39DC30BD672B66DC400F4633DFA4BDD289B5E79909C2E25E9C08B44D99B8953
  • B1102ED4BCA6DAE6F2F498ADE2F73F76AF527FA803F0E0B46E100D4CF5150682
  • BED8C25DD445B9B9A782291C00F9839890A09459A2A568153491B2F47BBD1463
  • C25F7B30D224D999CE337A13224C1CDE9FFB3F415D7113548DE9914A1BB3F123
  • E92912153CF82E70D52203A1A5C996E68B7753818C831AC7415AEDBE6F3F007D
  • F474241A5D082500BE84A62F013BC2AC5CDE7F18B50BF9BB127E52BF282FFFBF
  • F484F919BA6E36FF33E4FB391B8859A94D89C172A465964F99D6113B55CED429

SHA1 Hashes

  • 286588A50B9B128D07AA0F8851F2D7EE91DFA372
  • 2BB6C8B6461EDC49E22F3D0C7DC45904B2ED8A2B
  • 2CB6FF75B38A3F24F3B60A2742B6F4D6027F0F2A
  • 4E38B98965A4D4756E6F4A8259DF62CBCA7DE559
  • 586EA19EA4776300962E20CFC9E7017A50888ECB
  • 8DDE03600A18A819B080A41EFFC24F42FA960A3E
  • A3B617EB4248ABA34C28C48886116AC97E55E932
  • CD55256904F1964B90B51089B46F1A933FEC3E8E
  • CEB8C699A57193AA3BE2A1766B03050CDE3C738A
  • E63732FB38D2E823348529A264B4C4718E0C0B4A

MD5 Hashes

  • 0BB61C0CFF022E73B7C29DD6F1CCF0E2
  • 1B2B0FC8F126084D18C48B4F458C798B
  • 2F5D60C2475B723526FBDADEFF55C3C7
  • 3900EBC7766F3894FB1EB300460376AD
  • 3BF1142B3294C23852852053135EC0DF
  • 4F926252E22AFA85E5DA7F83158DB20F
  • 4FBF3F084FBBB2470B80B2013134DF35
  • 519DC779533B4FF0FC67727FECADBA82
  • 5A24676210BD317520FE30D048C9A106
  • 6015E6E85D0D93E60041FA68C6A89776
  • 60BF4AE8CC40B0E3E28613657ED2EED8
  • 76A2363D509CC7174C4ABEE9A7D7AE68
  • 7CF4B655453D28F246C815A953F48936
  • 820CFDE780306E759BB434DA509F7A91
  • 9B02DD2A1A15E94922BE3F85129083AC
  • 9FB7D7A1F50541917972115B7D8265B4
  • B54240C98CA23202E58A1580135AD14C
  • B93FA14627F73DE3274BA15503C916B0
  • BED5688A4A2B5EA6984115B458755E90
  • D66000EDFED0A9938162B2B453FFA516
  • ECC488E51FBB2E01A7AAC2B35D5F10BD
  • ED44877077716103973CBBEBD531F38E
  • F34D5F2D4577ED6D9CEEC516C1F5A744
  • FB8535E2BD80CC8044C52A3ED82D390D

Registry Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
  • HKEY_LOCAL_MACHINE\Software\Classes
  • HKEY_LOCAL_MACHINE\Software\Classes\
  • HKEY_LOCAL_MACHINE\Software\Classes\Hunt
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE

References

[1] “BlackSuit Ransomware,” The DFIR Report, Aug. 26, 2024. Available: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/. [Accessed: Jan. 08, 2025]

[2] Cybereason Global SOC, “Royal Rumble: Analysis of Royal Ransomware.” Available: https://www.cybereason.com/blog/royal-ransomware-analysis. [Accessed: Jan. 08, 2025]