The BlackSuit ransomware group, a successor to the infamous Royal ransomware, has rapidly established itself as a prominent cyber threat since its emergence in mid-2023. Leveraging advanced tactics, techniques, and procedures (TTPs), BlackSuit employs a multifaceted approach that includes phishing, RDP exploitation, and double extortion to target high-value organizations worldwide. With over $500 million in ransom demands and attacks on industries ranging from education to automotive, BlackSuit showcases evolving ransomware capabilities.
This analysis explores the origins, major incidents, and sophisticated TTPs of BlackSuit, offering insights into its operational strategies and critical defense mechanisms to mitigate its impact effectively.
The BlackSuit ransomware operation emerged as an evolution of the Royal ransomware group, which was active from September 2022 through June 2023. While maintaining significant code similarities with its predecessor, BlackSuit has demonstrated enhanced capabilities and a more aggressive operational tempo. The group has extorted over $500 million in total ransom demands, with individual demands ranging from $1 million to a staggering $60 million.
BlackSuit's sophisticated attack chain leverages multiple initial access vectors, including phishing campaigns, RDP exploitation, public-facing application vulnerabilities, and partnerships with initial access brokers. The group is notable for its double-extortion tactics and the use of partial encryption techniques to evade detection. Their infrastructure typically routes initial exfiltration through U.S.-based IP addresses before moving data to their command and control servers.
Below are some significant incidents attributed to BlackSuit, showcasing their methodologies and the impacts of their attacks.
Between June 8 and August 5, 2024, BlackSuit launched a ransomware attack on Kadokawa Corporation and its subsidiary, Niconico, a popular Japanese video-sharing platform. The attack led to the leak of personal information from 254,241 individuals, including sensitive data from the Kadokawa Dwango Educational Institute. The attackers claimed to have stolen 1.5 terabytes of data, which included business partner and user details. They threatened to release the stolen data unless a ransom was paid by July.
The attack caused significant service disruptions, including the cancellation of scheduled programming on Niconico. In response, Kadokawa reported the incident to authorities and took immediate action to contain the breach, including physically disconnecting affected servers. Services were gradually restored, with Niconico resuming normal operations on August 5, 2024.
In June 2024, BlackSuit targeted CDK Global, disrupting operations at over 15,000 North American car dealerships. The ransomware attack led to significant IT outages, affecting critical systems like sales, service, and inventory management. While the exact attack vector remains unclear, ransomware groups like BlackSuit typically exploit vulnerabilities, phishing, or RDP brute-force attacks.
Once inside, they deploy ransomware to encrypt systems and data. CDK Global responded by shutting down affected systems and negotiating with BlackSuit to avoid data leaks. The company paid $25 million in Bitcoin to regain control of encrypted systems. By July 4, most dealers were operational again. This incident highlighted the importance of strong cybersecurity practices, including regular backups and timely vulnerability patches, to protect against ransomware attacks.
This section provides a comprehensive analysis of these TTPs, offering insights into how BlackSuit ransomware operates and the tools the group employs.
The group employs various methods to gain initial access to victim networks, with phishing emails being among the most successful vectors. These emails often contain malicious attachments or links that, when opened, install malware that delivers the ransomware payload without the user's knowledge.
Another common attack vector utilized by BlackSuit actors is the exploitation of Remote Desktop Protocol (RDP). They may conduct brute-force attacks on RDP accounts or exploit vulnerabilities in public-facing applications to gain unauthorized access. Once inside the network, they often use RDP for lateral movement, deploying tools like Cobalt Strike beacons and engaging in credential harvesting techniques to escalate privileges and propagate the ransomware.
The adversary leveraged Cobalt Strike as their primary attack tool, specifically utilizing its built-in PsExec-like capabilities. Through the psexec and psexec_psh functions, the tool enables remote process execution by uploading binaries and creating Windows services on target systems.
Windows System logs provided evidence of this technique, documenting the creation of these attack-related services on compromised machines. This activity was observed and documented by security researchers during their investigation [1]:
Service Name: 61185c1
The evidence shows a Windows service installation with the name "61185c1", executed through "\ADMIN3\61185c1.exe". This service was configured as a user mode service set to start on demand, running under the LocalSystem account. This is a documented instance of the PsExec-like functionality in Cobalt Strike being used to execute processes remotely by uploading a binary and creating a Windows service on the target system.
The BlackSuit ransomware group also utilizes PowerShell scripting as part of its attack chain, specifically leveraging the powershell.exe interpreter to execute commands in a hidden and minimized window. This method helps avoid detection by security monitoring tools.
An example of such a command is:
Service Name: 375ae5c
%COMSPEC% /b /c: Executes the command in a hidden window using the system's default command interpreter (usually cmd.exe).
start /b /min: Runs the command in the background with minimized visibility.
powershell -nop -w hidden -encodedcommand: Launches PowerShell without a profile, with a hidden window, and with a Base64-encoded command; the -encodedcommand switch is also evidence that the command was obfuscated.
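As an added example (not code from the original article or from the DFIR Report), the following Python triages constructed Event ID 7045 records for the two service patterns just described: a randomly named service whose image was uploaded to an ADMIN$ share, and a service whose image is a hidden, encoded PowerShell command, which it decodes back to plain text. The hostname, image paths and the encoded payload are assumptions.

```python
import base64
import re

# Constructed records in the shape of Windows System Event ID 7045 (service
# installed), modelled on the two service names quoted above. The hostname,
# the image paths and the encoded payload are assumptions, not page data.
ENCODED = base64.b64encode("Write-Host 'ok'".encode("utf-16-le")).decode()
SAMPLE_7045 = [
    {"ServiceName": "61185c1", "AccountName": "LocalSystem",
     "ImagePath": r"\\FILESRV01\ADMIN$\61185c1.exe"},
    {"ServiceName": "375ae5c", "AccountName": "LocalSystem",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                  "-encodedcommand " + ENCODED},
    {"ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},   # benign control
]

RANDOM_NAME = re.compile(r"^[0-9a-f]{7}$")            # Cobalt Strike psexec default naming
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)  # image uploaded via ADMIN$
HIDDEN_PSH = re.compile(
    r"powershell(?:\.exe)?\b.*-(?:w|windowstyle)\s+hidden\b.*"
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(blob):
    """-encodedcommand carries base64 of UTF-16LE text; return the script."""
    return base64.b64decode(blob).decode("utf-16-le")

def triage_service(ev):
    """Return the reasons a 7045 record matches the psexec / psexec_psh pattern."""
    reasons = []
    if RANDOM_NAME.match(ev["ServiceName"]):
        reasons.append("random 7-hex service name")
    if ADMIN_SHARE.search(ev["ImagePath"]):
        reasons.append("image staged on ADMIN$ share")
    m = HIDDEN_PSH.search(ev["ImagePath"])
    if m:
        reasons.append("hidden encoded PowerShell: " + decode_encoded_command(m.group(1)))
    if reasons and ev["AccountName"] == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons

def find_suspicious_services(events):
    """Map service name -> reasons, for every record that raised at least one."""
    return {ev["ServiceName"]: triage_service(ev) for ev in events if triage_service(ev)}

if __name__ == "__main__":
    for name, why in find_suspicious_services(SAMPLE_7045).items():
        print(name, "->", "; ".join(why))
```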
BlackSuit ransomware established persistence by creating a registry Run key that executes automatically when a user logs in.
Let's break down the specific evidence provided by the Sysmon Event ID 13 (Registry value set):
The registry key was named "socks5" and was placed in "HKU\S-1-5-21-[redacted]\Software\Microsoft\Windows\CurrentVersion\Run", which is a common location for persistence as Windows automatically executes programs listed in this registry path during user logon.
The registry value was configured to execute "socks32.exe" - identified as a SystemBC backdoor - through PowerShell using specific parameters to hide its execution.
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
The command "powershell.exe -windowstyle hidden" ensures the PowerShell window remains invisible to users, making the malicious activity stealthier.
The attackers modified the registry to enable Remote Desktop Protocol (RDP) access to a file server by setting the registry key given below to allow terminal server connections.
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DenyTSConnections /t REG_DWORD /d 0 /f
This modification helped them maintain remote access while evading detection.
The extensive use of Cobalt Strike beacons suggested that BlackSuit attackers utilized process injection techniques to hide malicious activities within legitimate processes. This method allowed them to evade detection by security tools monitoring for unusual or unauthorized processes.
BlackSuit operators performed AS-REP roasting using Rubeus on the beachhead host, targeting a domain controller. This technique requests Kerberos authentication tickets (TGTs) for accounts whose "Pre-Authentication Type" is set to 0, meaning the account does not require a password to be proven before the domain controller answers. The results were written to the file “C:\Users\Public\APPDATA\_asp.txt”, indicating successful execution of this technique.
The threat actor executed a Kerberoasting attack using Rubeus, which involved requesting service tickets for accounts with weak encryption (specifically RC4).
This allowed them to capture these tickets and attempt to crack them offline to retrieve plaintext passwords.
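The two Kerberos attacks above leave distinct traces in Windows Security logs. As an added example (not from the original article), the following Python flags them on constructed 4768 and 4769 records: a TGT request with Pre-Authentication Type 0, and a source that pulls RC4 (0x17) service tickets for several SPNs. Account names, SPNs and addresses are assumptions.

```python
# Constructed Windows Security records for Kerberos TGT requests (4768) and
# service ticket requests (4769). Account names, SPNs and IPs are assumptions.
# PreAuthType "0" = no pre-authentication; TicketEncryptionType 0x17 = RC4-HMAC.
SAMPLE_KERBEROS = [
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "HTTP/web01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40"},
]
RC4_HMAC = "0x17"

def asrep_roast_candidates(events):
    """4768 with PreAuthType 0: a TGT issued to an account that does not require
    pre-authentication, the precondition for AS-REP roasting."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"]

def kerberoast_candidates(events, min_spns=2):
    """Group RC4 service-ticket requests (4769) by source IP, ignoring krbtgt and
    machine-account SPNs; flag a source that pulled tickets for several SPNs."""
    per_source = {}
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        spn = e["ServiceName"]
        if spn == "krbtgt" or spn.endswith("$"):
            continue
        per_source.setdefault(e["IpAddress"], set()).add(spn)
    return {ip: sorted(s) for ip, s in per_source.items() if len(s) >= min_spns}

if __name__ == "__main__":
    print("AS-REP roasting:", asrep_roast_candidates(SAMPLE_KERBEROS))
    print("Kerberoasting:", kerberoast_candidates(SAMPLE_KERBEROS))
```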
BlackSuit attackers accessed LSASS memory on a workstation to extract credentials. This was done by injecting Cobalt Strike into the mstsc.exe process and using specific access requests to read memory.
The activity was logged as Sysmon event ID 10, indicating that LSASS was accessed to obtain sensitive credential information.
The Royal ransomware's network scanning and discovery process aligns with several MITRE ATT&CK techniques under the Discovery tactic, which covers the techniques attackers use to gather information about their environment.
The specific techniques can be itemized as follows [2].
Network Service Scanning (T1046): Royal Ransomware scans the network for IP addresses and services by using the GetIpAddrTable and WSASocketW APIs. This technique helps attackers identify machines on the network to target.
Network Share Discovery (T1135): The ransomware enumerates network shares using the NetShareEnum API to identify shared resources. It specifically avoids shared directories such as “\\<IP_Address>\ADMIN$” and “\\<IP_Address>\IPC$”, which are often used for administrative purposes.
Connection Proxy (T1090.002): Royal Ransomware establishes a socket and uses CreateIoCompletionPort and ConnectEx to connect to remote systems, leveraging networking protocols like SMB to establish connections.
These techniques help Royal Ransomware identify available targets and avoid certain resources, facilitating its lateral movement and subsequent data encryption.
System Information Discovery (T1082): In one case, approximately six hours after gaining initial access, the threat actor executed the command systeminfo to collect details about the local system.
Remote System Discovery (T1018): This was followed by the command nltest /dclist, which identified the domain controllers within the environment.
Account Discovery: Domain Account (T1087.002): After identifying the domain controllers, the attacker loaded Sharphound into memory via Cobalt Strike. Sharphound is a tool designed for Active Directory enumeration, allowing attackers to gather extensive information about user accounts, group memberships, and relationships within the network.
In one case, the output from Sharphound was stored in the “C:\Windows\Temp\Dogi\” directory.
Sharphound performed numerous LDAP queries to enumerate Active Directory objects, including local group memberships and logged-on users. This involved querying the Windows Security Accounts Manager (SAM) database remotely through various communication pipes (e.g., samr pipe).
The specific queries utilized by Sharphound included complex filters that targeted different account types within Active Directory, for example:
"(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))", "(BuildString("(primarygroupid=*)"
The threat actor executed Sharphound multiple times during the intrusion, including runs on a domain controller. Each execution produced output files that were saved in different system directories, further indicating a methodical approach to gathering intelligence across various systems within the network.
The threat actor utilized stolen NTLM hashes to authenticate across systems without needing plaintext credentials.
Cobalt Strike was used to distribute SMB and HTTPS beacons across the network by leveraging ADMIN$ shares. The hidden SMB share (C$) was used to deploy the ransomware executable to critical endpoints [1].
Indicators:
System Event ID 5145 ("A network share object was checked") helped trace beacon movement.
Configuration and logs of Cobalt Strike's SMB beacons provided further evidence.
RDP was used to access specific systems, such as a file server and a backup server, for further reconnaissance and discovery activities.
Indicators:
Windows Security Event ID 4624 with Logon Type 10 ("RemoteInteractive") logged RDP activity.
Event IDs 4778 (session reconnect) and 4779 (session disconnect) linked sessions to specific hostnames used by the threat actor.
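As an added example (not from the original article), the following Python correlates the lateral-movement indicators listed above on constructed Security log records: it ties 4624 logon type 10, 4778 and 4779 records back to the client host and address that opened the RDP sessions, and lists 5145 share accesses that push an executable over ADMIN$ or C$. Hostnames, user names and addresses are assumptions.

```python
# Constructed Windows Security records matching the indicators listed above.
# Hostnames, user names, shares and addresses are assumptions.
SAMPLE_LATERAL = [
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "jdoe", "Computer": "FILESRV01",
     "WorkstationName": "WIN-ATTACKER1", "IpAddress": "10.0.0.25"},
    {"EventID": 4778, "AccountName": "jdoe", "ClientName": "WIN-ATTACKER1",
     "ClientAddress": "10.0.0.25", "Computer": "BACKUP01"},
    {"EventID": 4779, "AccountName": "jdoe", "ClientName": "WIN-ATTACKER1",
     "ClientAddress": "10.0.0.25", "Computer": "BACKUP01"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "jdoe", "Computer": "WS07",
     "WorkstationName": "WIN-ATTACKER1", "IpAddress": "10.0.0.25"},   # SMB logon, not RDP
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "61185c1.exe",
     "IpAddress": "10.0.0.25", "Computer": "WS07"},
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\payload.exe",
     "IpAddress": "10.0.0.25", "Computer": "WS08"},
    {"EventID": 5145, "ShareName": r"\\*\Finance", "RelativeTargetName": "q3.xlsx",
     "IpAddress": "10.0.0.40", "Computer": "FILESRV01"},   # ordinary share use
]

def rdp_sessions(events):
    """Map (client host, client IP) -> targets reached over RDP, taken from
    4624 logon type 10 plus 4778 (reconnect) and 4779 (disconnect) records."""
    sessions = {}
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == "10":
            key = (e["WorkstationName"], e["IpAddress"])
        elif e["EventID"] in (4778, 4779):
            key = (e["ClientName"], e["ClientAddress"])
        else:
            continue
        sessions.setdefault(key, set()).add(e["Computer"])
    return {k: sorted(v) for k, v in sessions.items()}

def admin_share_executables(events):
    """5145 accesses to ADMIN$ or C$ that name an .exe: the path a beacon or the
    ransomware binary takes when pushed over SMB. Returns (source, target, file)."""
    hits = []
    for e in events:
        if e["EventID"] != 5145:
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()
        if share in ("ADMIN$", "C$") and e["RelativeTargetName"].lower().endswith(".exe"):
            hits.append((e["IpAddress"], e["Computer"], e["RelativeTargetName"]))
    return hits

if __name__ == "__main__":
    print(rdp_sessions(SAMPLE_LATERAL))
    print(admin_share_executables(SAMPLE_LATERAL))
```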
SystemBC was used to establish tunnels that facilitated the movement of malicious payloads and communications within the compromised network.
The BlackSuit ransomware operators performed data collection and exfiltration preparation using a two-step process:
First, they executed a PowerShell script named "Get-DataInfo.ps1" with the remotesigned execution policy parameter, which collected sensitive data from the system. In the telemetry, this script appears as the parent process (ParentCommandLine) of the compression step that followed.
Then, they used 7-Zip (7z.exe) with specific command line parameters to compress the collected data:
The command "7z.exe a -tzip .\result.zip -mx=9 -aoa \result*" creates a new ZIP archive
The "-mx=9" flag specifies maximum compression level
The "-aoa" (add overwrite all) parameter ensures existing archives are overwritten without prompting
The target was all files in the "\result*" directory, suggesting systematic data collection
This activity pattern aligns with MITRE ATT&CK technique T1560.001. The threat actor used a legitimate compression utility (7-Zip) to prepare collected data for potential exfiltration, making it more efficient to transfer and potentially harder to detect due to the use of a common system administration tool.
BlackSuit uses a partial encryption technique, enabling the actor to select a specific percentage of data in a file to encrypt. This method helps evade detection by lowering the encryption percentage for larger files and enhances the speed of ransomware execution.
During execution, BlackSuit (originally Royal ransomware) can take three command-line arguments:
-path [optional]: The path to be encrypted
-ep [optional]: The percentage of the file to be encrypted
-id: A unique 32-digit identifier
The encryption process is determined by these arguments, affecting factors like speed, file corruption, and detection risk. If the -id argument is missing, the ransomware will not run.
After validating the command line, BlackSuit (formerly Royal ransomware) attempts to delete shadow copy backups using the vssadmin.exe utility with the command: delete shadows /all /quiet.
This vssadmin.exe command disables system recovery options, making it more difficult for victims to recover their data.
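The host-level traces described in this section (the Run key persistence, the DenyTSConnections change, the 7-Zip staging command and the shadow copy deletion) can be matched with a few rules over Sysmon telemetry. The following Python is an added example, not code from the original article: it runs such rules over constructed Sysmon Event ID 1 and Event ID 13 records built from the commands quoted above; the SID, file paths and the benign control record are assumptions.

```python
import re

# Constructed Sysmon records (Event ID 1 process creation, Event ID 13 registry
# value set) built from the commands quoted in this article. The SID, file
# paths and the benign control record are assumptions.
SAMPLE_SYSMON = [
    {"EventID": 13, "Details": r"powershell.exe -windowstyle hidden C:\Users\Public\socks32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\socks5"},
    {"EventID": 1, "CommandLine": r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "CommandLine": r"7z.exe a -tzip .\result.zip -mx=9 -aoa \result*",
     "ParentCommandLine": r"powershell.exe -ExecutionPolicy remotesigned -File Get-DataInfo.ps1"},
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": r"7z.exe a -tzip C:\Backups\logs.zip C:\Logs\*"},  # benign control
]

# (label, Sysmon event id, predicate over the record)
RULES = [
    ("Run key launching hidden PowerShell (T1547.001)", 13, lambda e:
        "\\CurrentVersion\\Run\\" in e["TargetObject"]
        and re.search(r"powershell.*-w(?:indowstyle)?\s+hidden", e["Details"], re.I)),
    ("RDP enabled by setting DenyTSConnections to 0", 1, lambda e:
        re.search(r"reg(?:\.exe)?\s+add\s.*Terminal Server.*DenyTSConnections.*/d\s+0\b",
                  e["CommandLine"], re.I)),
    ("7-Zip staging at maximum compression (T1560.001)", 1, lambda e:
        re.search(r"7z(?:\.exe)?\s+a\s.*-mx=9\b.*-aoa\b", e["CommandLine"], re.I)),
    ("Shadow copy deletion with vssadmin", 1, lambda e:
        re.search(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet",
                  e["CommandLine"], re.I)),
]

def match_rules(events):
    """Return the labels of every rule fired by the given Sysmon records, in order."""
    fired = []
    for e in events:
        for label, event_id, predicate in RULES:
            if e["EventID"] == event_id and predicate(e):
                fired.append(label)
    return fired

if __name__ == "__main__":
    for label in match_rules(SAMPLE_SYSMON):
        print(label)
```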
We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.
Picus Threat Library includes the following threats for BlackSuit ransomware.
Threat ID   Threat Name                        Attack Module
52587       Royal Ransomware Download Threat   Network Infiltration
75964       Royal Ransomware Email Threat      E-mail Infiltration
Regular Backups and Backup Isolation
Network Monitoring and Anomaly Detection
Timely Patching and Software Updates
Secure RDP and Multi-Factor Authentication (MFA)
Employee Training and Awareness
These measures, when combined, significantly reduce the likelihood of a successful ransomware attack and limit the damage if one occurs.
The evolution of the Royal ransomware group into BlackSuit represents a significant escalation in cybercrime sophistication. Leveraging advanced tactics such as double extortion, partial encryption, and sophisticated lateral movement techniques, the group has demonstrated a heightened capability to inflict financial and operational harm. Notable attacks on Kadokawa Corporation, CDK Global, and other high-profile organizations underscore the wide-reaching impact of their operations, including data theft, service disruptions, and ransom payments.
BlackSuit's reliance on tools like Cobalt Strike, PowerShell scripting, and credential-dumping techniques highlights the importance of robust defenses. Effective countermeasures include regular data backups, isolated storage of critical files, and timely patching to mitigate vulnerabilities. Advanced monitoring solutions, secure remote access protocols, and comprehensive employee training can further enhance organizational resilience against these attacks.
As ransomware continues to evolve, organizations must adopt a proactive approach to cybersecurity. This includes simulating advanced threat scenarios and validating security controls, as platforms like Picus enable. By leveraging these strategies, businesses can not only detect and respond to ransomware threats but also minimize the likelihood of becoming a victim.
The BlackSuit ransomware group's trajectory signals a persistent and evolving threat, demanding vigilance, innovation, and collaboration to mitigate its impact and protect critical digital assets.
[1] “BlackSuit Ransomware,” The DFIR Report, Aug. 26, 2024. Available: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/. [Accessed: Jan. 08, 2025]
[2] C. G. Soc, “Royal Rumble: Analysis of Royal Ransomware.” Available: https://www.cybereason.com/blog/royal-ransomware-analysis. [Accessed: Jan. 08, 2025]