BlackSuit — a Rebrand of Royal Ransomware Confirmed


The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebranded version of the Royal ransomware. This group has been behind numerous attacks on healthcare companies.

The FBI and CISA first issued an alert about the Royal ransomware group in March 2023 and updated it in November 2023 with indicators of compromise (IoCs) and new tactics, techniques, and procedures (TTPs). The most recent update reveals the rebranding of the ransomware group. Members of this group were previously identified as having been involved in the Conti ransomware operation, which was active until it disbanded in the summer of 2022 and subsequently split into smaller groups.

Royal ransomware first appeared in September 2022, but its members are thought to have come from the Conti group earlier that year, initially operating as Zeon. The group started by using third-party encryptors before creating its own in 2022, at which point it became known as Royal. The group quickly became one of the most active ransomware operations, even surpassing LockBit in November 2022, when it listed 43 victims on its data leak site. The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note in December 2022 warning the healthcare and public health (HPH) sector after several attacks. Victims of the Royal ransomware group include Revenetics, OctaPharma, and Morris Hospital & Healthcare Centers.

Royal continued to be active for two years until June 2023, when it attacked the City of Dallas, TX. After this ransomware attack, the group used an encryptor known as BlackSuit. The FBI and CISA are confident that BlackSuit is Royal because of a few coding similarities between the two. Additionally, Royal ransomware attacks ceased around the time that BlackSuit appeared. In November 2023, HC3 released its first alert concerning the BlackSuit ransomware group.

BlackSuit is a ransomware group that employs double extortion tactics. It steals sensitive information before encrypting files, then issues a ransom demand in exchange for not exposing the stolen data and for providing the decryption keys. Aside from the rebrand, BlackSuit also introduced several enhancements over its predecessor. The group uses multiple methods for initial access, including exploiting vulnerabilities in public-facing applications, abusing Remote Desktop Protocol (RDP), and working with initial access brokers. However, phishing emails remain its most effective method of gaining initial access.

Once initial access is achieved, the group deactivates antivirus software and uses RDP, SMB, and PsExec for lateral movement. It maintains persistence through legitimate remote monitoring and management software, and uses SystemBC and Gootloader malware to deploy additional tools. The group utilizes SharpShares and SoftPerfect NetWorx for network enumeration, while Mimikatz and Nirsoft tools are employed for harvesting credentials. It uses PowerTool and GMER to terminate system processes. The group deploys penetration testing applications like Cobalt Strike and various malware tools, such as Ursnif/Gozi, for data collection and exfiltration.
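For defenders, the tool chain above lends itself to per-host correlation: one of these tools alone may be routine administration, while several tactics on one host within a short time is worth triage. The following sketch is an added example, not code from the FBI/CISA alert or from this article; the log format, host names, and substring matching on command lines are assumptions, and name matching misses renamed binaries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names are the ones this article lists; the tactic labels follow its wording.
# Matching on lowercase substrings of the command line is an assumption.
TOOL_TACTICS = {
    "psexec": "lateral movement",
    "sharpshares": "network enumeration",
    "networx": "network enumeration",
    "mimikatz": "credential harvesting",
    "gmer": "process termination",
    "powertool": "process termination",
}

# Constructed sample process-creation log: "timestamp|host|command line".
SAMPLE = [
    r"2024-08-10T02:14:07|ws-014|C:\Users\Public\SharpShares.exe",
    r"2024-08-10T02:31:55|ws-014|C:\Users\Public\mimikatz.exe",
    r"2024-08-10T03:02:10|ws-014|C:\Temp\PsExec.exe \\fs-02 cmd.exe",
    r"2024-08-10T09:00:00|adm-03|C:\Tools\PsExec.exe \\app-01 ipconfig",
    r"2024-08-12T11:00:00|ws-020|C:\Temp\gmer.exe",
    r"2024-08-20T11:00:00|ws-020|C:\Temp\networx.exe",
]

def tactics_in(cmd):
    """Return the set of tactics whose tool name appears in the command line."""
    low = cmd.lower()
    return {tactic for tool, tactic in TOOL_TACTICS.items() if tool in low}

def correlate(lines, window=timedelta(hours=24), min_tactics=2):
    """Map host -> tactics for hosts showing >= min_tactics tactics in one window."""
    hits = defaultdict(list)  # host -> [(time, tactic)]
    for line in lines:
        ts, host, cmd = line.split("|", 2)
        for tactic in tactics_in(cmd):
            hits[host].append((datetime.fromisoformat(ts), tactic))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct tactics seen from this event until the window closes.
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= min_tactics:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE).items():
        print(f"{host}: {', '.join(tactics)}")
```

On the constructed sample, only `ws-014` is flagged: `adm-03` shows a single tactic, and the two tools on `ws-020` run eight days apart.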

In just a year of operation, BlackSuit has already earned over $500 million in ransom, with typical ransom demands ranging from $1 million to $10 million. The highest single ransom demand issued by the group is $60 million. Like other ransomware groups, victims first contact BlackSuit to learn the amount required for decryption keys and to stop the exposure of their stolen information. Although the group issues large ransom demands, it seems inclined to make a deal and agree to lower payments. Nonetheless, if the ransom is not paid, the stolen data will be published. It’s important to note that even if a ransom is paid, it doesn’t guarantee that the stolen information will be erased or that the decryption keys will work.

In their latest alert, the FBI and CISA have provided TTPs and IoCs linked to BlackSuit, together with a list of suggested mitigations. Considering the group’s focus on healthcare organizations, the alert is helpful to network defenders. All recommended mitigations should be implemented, especially by entities seeking HIPAA compliance.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681