RevealX vs. BlackSuit Ransomware
ExtraHop
August 1, 2024
BlackSuit is a nascent Eastern European ransomware group that has rapidly become a marquee player in the cybercriminal underground, particularly after the $25 million bitcoin payment it reportedly extorted from auto IT firm CDK Global. This transaction marks the third-largest ransomware payment of all time, after the $75 million toll the Dark Angels gang reportedly extracted from a Fortune 50 company earlier this year and the $40 million transfer that the Evil Corp-affiliated Phoenix group strong-armed from insurer CNA Financial in 2021.
The BlackSuit ransomware operation first emerged sometime in April or May of 2023, according to cybersecurity firm SentinelOne. SentinelOne wrote that BlackSuit is known for “significant attacks against entities in the healthcare and education sectors, along with other critical industries.” A cyber risk bulletin published by the U.S. Department of Health and Human Services’ Office of Information Security in November 2023 said that BlackSuit was likely to emerge as a “credible threat to the Healthcare and Public Health (HPH) sector.”
The HHS also noted that BlackSuit had been linked to a string of attacks targeting the “manufacturing, business technology, business retail, and government sectors spanning the United States, Canada, Brazil, and the United Kingdom.” The HHS report cites May 2023 research from cybersecurity vendor TrendMicro that noted striking similarities between code samples of BlackSuit and Royal ransomware, an offshoot of the notorious and now-defunct Conti syndicate.
Comparing these ransomware strains, TrendMicro wrote “they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.” Further analysis from TrendMicro “found that BlackSuit employs command-line arguments that have a similar function to those used by Royal.” However, “there are some differences: The strings used in the arguments are different, with BlackSuit also including additional arguments not found in Royal,” said the vendor.
BlackSuit has announced over 70 victim organizations on its Tor data leak site (DLS) to date. According to cybersecurity firm ReliaQuest, BlackSuit’s “victims are largely US-based but range in industry vertical.” BlackSuit’s targeting pattern “strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood of a successful attack or a speedy ransom payment,” according to ReliaQuest.
In terms of victim selection criteria, the low tolerance for downtime is evident in CDK’s operating model, for example. This dynamic can be inferred from the date of the alleged ransom payment, June 21, or just three days after the firm confirmed that they had been breached. If this bitcoin ransom was indeed paid by CDK, it would mark an exceptionally rapid negotiation cycle relative to the typical cyber extortion incident.
Regardless, with consulting firm Anderson Economic Group (AEG) projecting over $1 billion in losses stemming from the two-week long outage of CDK’s dealer management system (DMS), which powers roughly 50 percent of the auto dealer market, further downtime was not a financially viable option for the victim or its customers.
ReliaQuest also noted that BlackSuit’s “pedigree, varied malware deployment methods, and advanced encryption and system recovery processes indicate” that they “are likely experienced and technically proficient.” Previous research from cyber threat intelligence firm RedSense echoes ReliaQuest’s assessment. In a 2023 report, RedSense wrote that BlackSuit has “changed the paradigm entirely.”
RedSense elaborated on BlackSuit’s operating model describing their use of “decentralized teams and servers,” enlistment of high-skilled ex-REvil and DarkSide members in their operation, and preference for Sliver malware, Brute Ratel, and Nighthawk over CS [CobaltStrike]. RedSense also noted that BlackSuit’s target selection relies more on initial access brokers (IABs) than botnets.
In July, cybersecurity firm Symantec, a subsidiary of Broadcom, flagged BlackSuit’s latest attack signature. The threat group has been disguising their locker as a Qihoo 360 antivirus installer to deceive victims, according to Symantec.
“Once installed, the malware encrypts user files and appends the .blacksuit extension. A ransom note named readme.blacksuit.txt, containing encrypted text is dropped to avoid detection, along with a communication link to the threat actor. The latest versions include new functionalities such as mandatory ID arguments and a self-deletion technique,” Symantec said.
Indicators of BlackSuit Activity
While incident responders complete their investigation into the cause of the CDK breach, BlackSuit’s historic attack signatures, along with more recent techniques it employed in an April 2024 ransomware attack, can help defenders more readily identify indicators of the group’s malicious activity.
The April ReliaQuest incident response investigation identified BlackSuit “leveraging PsExec for lateral movement, Kerberoasting, data exfiltration, and deployment of ransomware from a virtual machine,” according to the report. The report also highlighted the “continued success of straightforward” TTPs, such as “brute forcing, PsExec for lateral movement, and FTP for exfiltration.”
This investigation began after ReliaQuest detected “Kerberoasting,” an attack method that targets the Kerberos authentication process used by Microsoft Active Directory, in a customer’s IT environment. This attack chain culminated in the “encryption of critical systems and the exfiltration of sensitive data,” according to the report.
Notably, and highly relevant to the CDK supply chain attack given the always-on VPN connection that links the auto IT firm to its customers, the ReliaQuest investigation assessed that a threat actor, likely external to BlackSuit, achieved initial access in the April incident by brute-forcing a misconfigured VPN. According to ReliaQuest, “in early April 2024, an unknown threat actor gained VPN access to the customer’s environment through a valid account. Though there was incomplete authentication data from the VPN, it is highly likely the credentials were obtained via a brute-force attack or an external source like a former password dump.”
ReliaQuest speculates that this actor was a third-party IAB. This breached firewall was a “non-primary VPN gateway at a disaster recovery site and was not configured to enforce MFA or certificate requirements, both of which were enforced for other firewalls, enabling the initial foothold,” according to ReliaQuest. After gaining access, the “attacker moved laterally across several Windows workstations, primarily using PsExec, a remote administration tool that was already being used within the environment,” according to ReliaQuest.
ReliaQuest then noted that “there was a three-day pause in activity after the last workstation-related event until the next significant step in the attack chain.” This delay “likely indicates that an initial access broker gained access to the target system and then sold it to the BlackSuit ransomware group—or an affiliate linked to the group—who conducted further malicious activity,” according to the report.
The Limits of EDR and the Power of NDR in Detecting BlackSuit Ransomware
ReliaQuest noted that the impacted organization has a complex global operating footprint and has “historically struggled with asset inventory and endpoint visibility due to its large number of devices and the breadth of deployments.” The lack of robust endpoint detection and response (EDR) adoption made “tracking lateral movement during the triage phase” difficult, according to ReliaQuest. Even if the organization had a more robust EDR deployment, the threat actor could have opted to use EDR killer tools to disable agents.
This April 2024 ransomware attack underscores the importance of network visibility and the value of network-based approaches to early detection of ransomware. In many organizations, installing EDR agents on every endpoint is either impractical or impossible, particularly in organizations with large IoT deployments that can’t support EDR agents.
What’s more, network-based approaches lend themselves to detecting certain early- and mid-stage activities and behaviors associated with ransomware attacks, such as C2 beaconing, target enumeration, lateral movement, domain escalation, and data staging. From a single network tap or data feed, organizations can monitor their east-west network traffic, where these post-compromise activities take place.
The ExtraHop RevealX platform for network detection and response (NDR), a category leader, can detect many of the tactics, techniques, and procedures (TTPs) leveraged by BlackSuit in recent attack campaigns. In fact, the RevealX platform has offered coverage for BlackSuit’s malicious file extension and ransom note since May 10, 2023.
Kerberoasting (MITRE ATT&CK T1558)
According to ExtraHop partner CrowdStrike, “Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”). In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN.”
The “retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN. (An SPN is an attribute that ties a service to a user account within the AD). The adversary then works offline to crack the password hash, often using brute force techniques,” according to CrowdStrike.
RevealX detects Kerberoasting by providing clear logs and alerts for suspicious Kerberos sign-on activity in the platform’s Active Directory dashboard. RevealX automatically detects Kerberos requests for ticket granting server (TGS) tickets (TGS_REQ) sent over the network that include indicators of a forged ticket granting ticket (TGT).
Additionally, organizations should audit their network for the use of deprecated RC4 encryption in Kerberos ticket exchanges and move towards enforcing stronger encryption standards like AES. ExtraHop can identify a wide spectrum of weak encryption protocols and alert customers so they can remediate them urgently.
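The two defender-side signals described above, an account requesting service tickets for many distinct SPNs in a short window and tickets negotiated with deprecated RC4-HMAC (Kerberos encryption type 23), can be expressed as a simple heuristic over TGS request records. The code below is an added example for this post and is not RevealX or ExtraHop detection logic; the record layout (timestamp, requesting user, client IP, requested SPN, encryption type), the thresholds and all sample records are constructed assumptions, approximating what a network sensor or domain controller audit log exposes for each TGS_REQ.

```python
"""Kerberoasting heuristic over Kerberos TGS request records.

Added example; not RevealX/ExtraHop code. Records are constructed
sample data in the shape (time, user, client_ip, spn, etype).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
RC4_HMAC = 23              # 0x17, deprecated; the type Kerberoasting tooling prefers
AES_ETYPES = {17, 18}      # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed TGS_REQ records (assumed layout, not real traffic).
SAMPLE_TGS_REQUESTS = [
    # Ordinary workstation activity: AES tickets, one SPN at a time.
    ("2024-04-02T08:00:01", "alice", "10.0.1.15", "cifs/fs01.corp.example", 18),
    ("2024-04-02T08:00:09", "alice", "10.0.1.15", "HTTP/intranet.corp.example", 18),
    ("2024-04-02T08:03:30", "bob", "10.0.1.22", "cifs/fs01.corp.example", 18),
    # One account requesting RC4 tickets for many distinct SPNs within seconds.
    ("2024-04-02T09:12:00", "svc_backup", "10.0.7.9", "MSSQLSvc/db01.corp.example:1433", 23),
    ("2024-04-02T09:12:01", "svc_backup", "10.0.7.9", "MSSQLSvc/db02.corp.example:1433", 23),
    ("2024-04-02T09:12:01", "svc_backup", "10.0.7.9", "HTTP/reports.corp.example", 23),
    ("2024-04-02T09:12:02", "svc_backup", "10.0.7.9", "ldap/dc01.corp.example", 23),
    ("2024-04-02T09:12:02", "svc_backup", "10.0.7.9", "exchangeMDB/mail01.corp.example", 23),
    ("2024-04-02T09:12:03", "svc_backup", "10.0.7.9", "IISWebSvc/web01.corp.example", 23),
    # A single legacy application still negotiating RC4: a hygiene finding, not a spray.
    ("2024-04-02T10:40:00", "carol", "10.0.2.8", "HOST/legacyapp.corp.example", 23),
]


def parse(record):
    """Turn one tuple record into a dict with a parsed timestamp."""
    ts, user, ip, spn, etype = record
    return {"time": datetime.fromisoformat(ts), "user": user,
            "client_ip": ip, "spn": spn, "etype": etype}


def rc4_findings(records):
    """Hygiene audit: every TGS_REQ that negotiated RC4-HMAC, for remediation tracking."""
    return [r for r in map(parse, records) if r["etype"] == RC4_HMAC]


def kerberoasting_alerts(records, min_distinct_spns=5, window=timedelta(minutes=5)):
    """Flag a (user, client IP) pair that requests tickets for many distinct SPNs
    inside a sliding time window. Reports the densest window per pair."""
    by_source = defaultdict(list)
    for r in sorted(map(parse, records), key=lambda r: r["time"]):
        by_source[(r["user"], r["client_ip"])].append(r)

    alerts = []
    for (user, ip), reqs in by_source.items():
        best, start = None, 0
        for end in range(len(reqs)):
            # Advance the window start until the span fits inside `window`.
            while reqs[end]["time"] - reqs[start]["time"] > window:
                start += 1
            span = reqs[start:end + 1]
            spns = {r["spn"] for r in span}
            if len(spns) >= min_distinct_spns and (best is None or len(spns) > best["distinct_spns"]):
                best = {
                    "user": user,
                    "client_ip": ip,
                    "distinct_spns": len(spns),
                    "rc4_requests": sum(1 for r in span if r["etype"] == RC4_HMAC),
                    "window_start": span[0]["time"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in kerberoasting_alerts(SAMPLE_TGS_REQUESTS):
        print("KERBEROASTING?", a)
    print(f"{len(rc4_findings(SAMPLE_TGS_REQUESTS))} RC4 ticket requests to remediate")
```

The two functions are deliberately separate: a lone RC4 request from a legacy application is a hygiene item to track toward the AES migration the post recommends, while a burst of distinct SPN requests from one principal is the signal worth paging on, whichever encryption type was negotiated.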
Malicious PsExec Activity
PsExec is a Windows Sysinternals utility that enables IT administrators to run commands and executable binary files on remote servers. RevealX identifies malicious PsExec activity by automatically detecting all remote procedure call (RPC) traffic in client networks.
Detecting FTP Traffic Anomalies
The File Transfer Protocol (FTP) is an unencrypted client-server protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. BlackSuit used FTP to exfiltrate more than 100GB of data during the April 2024 ransomware attack investigated by ReliaQuest.
RevealX monitors the volume of data transferred over FTP and applies machine learning to detect deviations from normal user, device, and network behavior. A sudden spike or an unusually large data transfer could indicate potential exfiltration, especially if it deviates from normal baseline activity patterns for the network (e.g., the traffic is moving at odd hours, it’s going to an unusual external IP address or to a server in a high-risk or otherwise odd location, or there’s a change in the types of files being transferred). RevealX is designed to detect these behaviors.
In addition, RevealX can inspect the types of files being transferred via FTP. Transfers involving sensitive data types (like database dumps, access files, etc.) might raise higher alerts, especially if combined with other suspicious indicators.
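The baseline-deviation logic described in the two paragraphs above (volume far outside a device's normal FTP footprint, off-hours timing, an unfamiliar or external destination, and sensitive file types in the same session) can be sketched as a small scoring routine. This is an added example written for this post, not RevealX's machine-learning models or any ExtraHop code; the per-device byte-count history, the known-destination lists, the internal address range, the business-hours window, the file-suffix list and the FTP session summaries are all constructed assumptions.

```python
"""FTP exfiltration triage over per-session summaries.

Added example; not RevealX/ExtraHop code. Baselines and sessions are
constructed sample data; the layout of a session summary is assumed to be
(start_time, src_ip, dst_ip, bytes_out, file_names).
"""
import ipaddress
import statistics
from datetime import datetime

# Constructed history: daily outbound FTP bytes per device over the last week.
BASELINE_BYTES = {
    "10.0.1.15": [2_100_000, 1_800_000, 2_400_000, 2_000_000, 1_900_000, 2_200_000, 2_300_000],
    "10.0.5.40": [50_000_000, 48_000_000, 52_000_000, 49_000_000, 51_000_000, 47_000_000, 50_000_000],
}
# Constructed: destinations each device has historically sent FTP traffic to.
KNOWN_DESTINATIONS = {
    "10.0.1.15": {"10.0.9.5"},
    "10.0.5.40": {"10.0.9.5", "203.0.113.10"},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
BUSINESS_HOURS = range(7, 20)                          # 07:00-19:59 local, assumed
SENSITIVE_SUFFIXES = (".bak", ".mdb", ".accdb", ".sql", ".dmp")

# Constructed FTP session summaries.
SAMPLE_SESSIONS = [
    ("2024-04-09T14:05:00", "10.0.1.15", "10.0.9.5", 1_900_000, ["report.pdf"]),
    ("2024-04-09T02:00:00", "10.0.5.40", "203.0.113.10", 51_000_000, ["backup-0409.tar"]),
    ("2024-04-10T03:17:00", "10.0.1.15", "198.51.100.23", 104_000_000_000,
     ["hr.bak", "finance.mdb", "customers.sql"]),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_session(session, z_threshold=3.0):
    """Return the list of reasons a session looks anomalous (empty list = benign)."""
    ts, src, dst, nbytes, files = session
    reasons = []

    history = BASELINE_BYTES.get(src)
    if history is None:
        reasons.append("no FTP baseline for this device")
    elif len(history) >= 2:
        mean, stdev = statistics.mean(history), statistics.pstdev(history)
        if stdev and (nbytes - mean) / stdev > z_threshold:
            reasons.append(f"volume {nbytes:,} bytes is far above baseline mean {mean:,.0f}")

    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        reasons.append("transfer outside business hours")

    if dst not in KNOWN_DESTINATIONS.get(src, set()):
        kind = "internal" if is_internal(dst) else "external"
        reasons.append(f"first-seen {kind} destination {dst}")

    sensitive = [f for f in files if f.lower().endswith(SENSITIVE_SUFFIXES)]
    if sensitive:
        reasons.append("sensitive file types: " + ", ".join(sensitive))
    return reasons


def severity(reasons):
    """Single weak indicator is low; stacked indicators escalate."""
    if len(reasons) >= 3:
        return "high"
    return "medium" if len(reasons) == 2 else "low"


def triage(sessions):
    """Return (time, src, dst, severity, reasons) for every session with at least one reason."""
    out = []
    for s in sessions:
        reasons = score_session(s)
        if reasons:
            out.append((s[0], s[1], s[2], severity(reasons), reasons))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_SESSIONS):
        print(row[3].upper(), row[1], "->", row[2], row[4])
```

Run stand-alone, the nightly backup host surfaces as a low-severity off-hours transfer (its volume and destination match history), while the 104GB session to a never-before-seen external address, at 03:17, carrying database files, stacks four indicators and rates high. Combining independent weak signals this way is what keeps a volume-only rule from drowning in backup jobs.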
Historical Indicators of BlackSuit Activity
Despite the inevitable evolution of threat actor TTPs, BlackSuit’s historical attack signatures remain relevant to defenders. HHS, in their November 2023 bulletin on BlackSuit Ransomware, said that the group favored four methods for distributing their ransomware payloads, including infected email attachments, torrent websites, malicious ads (malvertising), and trojans.
Additionally, the bulletin highlighted seven MITRE ATT&CK techniques associated with BlackSuit ransomware operators: T1204 (User Execution), T1059 (Command and Scripting Interpreter), T1057 (Process Discovery), T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery). RevealX recognizes suspicious activity signals associated with the following TTPs cited by the HHS bulletin and tracked by the MITRE ATT&CK framework.
Tactic: T1204 (User Execution)
RevealX can detect suspicious and external file downloads, along with specific high-profile common vulnerabilities and exposures (CVEs) like CVE-2022-30190. Regarding the command and scripting interpreter (T1059) TTP, RevealX provides coverage for a wide array of C2 frameworks, recon and enumeration tooling, and behavioral detection of interactive shells.
Tactic: T1082 (System Information Discovery)
RevealX can detect information enumeration such as scheduled tasks and other relevant system information.
Tactic: T1083 (File and Directory Discovery)
RevealX provides performance and security detections for directory scans and enumeration. According to cybersecurity trade organization EC-Council Cybersecurity Exchange, enumeration is the “process of systematically probing a target for information” and can “provide attackers with a roadmap to entering a system by identifying open ports, usernames, and passwords.”
Tactic: T1486 (Data Encrypted for Impact)
RevealX also offers coverage for T1486 via its ransomware activity detection engine.
BlackSuit Ransomware: An Apex Predator and Big Game Hunter
If media reports about the CDK ransom payment are accurate, then BlackSuit has emerged as an apex predator in the realm of ransomware big game hunting (BGH). With a 76% increase in victims listed on BGH dedicated leak sites from 2022 to 2023, according to CrowdStrike, large high-value organizations are being aggressively targeted by Eastern European and Russia-nexus threat groups.
Whether the CDK attack was enabled by a breach of a third-party cloud provider, BGH targeting of large private-equity-backed companies with economies of scale, a weakly secured VPN, or other access vectors and selection criteria remains to be seen. Regardless, next-generation NDR solutions like RevealX can give high-value enterprises an essential defensive technology for detecting malicious activity sooner, enabling more rapid intervention and mitigation.