FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million
The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million.
That’s according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
“BlackSuit actors have exhibited a willingness to negotiate payment amounts,” the agencies said. “Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption.”
Attacks involving ransomware have targeted several critical infrastructure sectors spanning commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
An evolution of the Royal ransomware, it leverages the initial access obtained via phishing emails to disarm antivirus software and exfiltrate sensitive data before ultimately deploying the ransomware and encrypting the systems.
Other common infection pathways include the use of Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and access purchased via initial access brokers (IABs).
BlackSuit actors are known to use legitimate remote monitoring and management (RMM) software and tools like SystemBC and GootLoader malware to maintain persistence in victim networks.
“BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks,” the agencies noted. “The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes.”
CISA and FBI have warned of an uptick in cases where victims receive telephonic or email communications from BlackSuit actors regarding the compromise and ransom, a tactic that’s increasingly being adopted by ransomware gangs to ramp up pressure.
“In recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly, but also secondary victims,” cybersecurity firm Sophos said in a report published this week. “For instance, as reported in January 2024, attackers threatened to ‘swat’ patients of a cancer hospital, and have sent threatening text messages to a CEO’s spouse.”
That’s not all. Threat actors have also claimed to assess stolen data for evidence of illegal activity, regulatory non-compliance, and financial discrepancies, even going to the extent of stating that an employee at a compromised organization had been searching for child sexual abuse material by posting their web browser history.
Such aggressive methods can not only be used as further leverage to coerce their targets into paying up, they also inflict reputational damage by criticizing them as unethical or negligent.
The development comes amid the emergence of new ransomware families like Lynx, OceanSpy, Radar, Zilla (a Crysis/Dharma ransomware variant), and Zola (a Proton ransomware variant) in the wild, even as existing ransomware groups are constantly evolving their modus operandi by incorporating new tools into their arsenal.
A case example is Hunters International, which has been observed using a new C#-based malware called SharpRhino as an initial infection vector and a remote access trojan (RAT). A variant of the ThunderShell malware family, it’s delivered through a typosquatting domain impersonating the popular network administration tool Angry IP Scanner.
It’s worth pointing out that malvertising campaigns have been spotted delivering the malware as recently as January 2024, per eSentire. The open-source RAT is also called Parcel RAT and SMOKEDHAM.
“On execution, it establishes persistence and provides the attacker with remote access to the device, which is then utilized to progress the attack,” Quorum Cyber researcher Michael Forret said. “Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption.”
Hunters International is assessed to be a rebrand of the now-defunct Hive ransomware group. First detected in October 2023, it has claimed responsibility for 134 attacks in the first seven months of 2024.