FBI and CISA Alert on BlackSuit Ransomware, Which Has Demanded Over $500 Million in Total

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated warning about the BlackSuit ransomware strain, whose operators have demanded more than $500 million in total across their attacks. Individual demands have typically run from about $1 million to $10 million, and the largest single demand reached $60 million.

According to the advisory, BlackSuit actors are willing to negotiate the ransom amount, but the initial ransom note does not state a figure. Instead, victims are directed to a .onion URL, reachable only through the Tor browser, which is provided once the files have been encrypted.

This ransomware has hit several critical infrastructure sectors, including commercial facilities, healthcare and public health, government facilities, and critical manufacturing. BlackSuit is an evolution of the Royal ransomware and most often gains initial access through phishing emails. Once inside, the actors disable antivirus software and exfiltrate large volumes of data before deploying the ransomware to encrypt the victim's systems.

The actors also rely on other common footholds: abusing exposed Remote Desktop Protocol (RDP) services, attacking vulnerable internet-facing applications, and buying access from initial access brokers (IABs).

Once inside the network, BlackSuit actors maintain persistence with legitimate remote monitoring and management (RMM) software and use SystemBC and GootLoader malware to load additional tools. They map the victim's network with SharpShares and SoftPerfect NetWorx, harvest credentials with Mimikatz and with Nirsoft's password-recovery utilities (two separate toolsets; Mimikatz is not a Nirsoft product), and use PowerTool and GMER to terminate system processes that might hinder their operations. Because RMM software and the Nirsoft utilities are legitimate administrative tools, their mere presence is a weak signal; detection has to consider who installed them, when, and from where.
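The tool list above is also a detection opportunity. The following is an added example, not code from the advisory or from the article: it runs a few rules over constructed Sysmon-style process-creation records, flagging the named tools by image name and, because a file name is trivially renamed, also matching on behaviour (Defender switched off with Set-MpPreference, or Mimikatz module syntax on any command line). Host names, paths and command lines in the sample telemetry are assumptions made for illustration.

```python
"""Flag process-creation events that match tooling the BlackSuit advisory
describes: network enumeration (SharpShares, NetWorx), credential theft
(Mimikatz, Nirsoft utilities) and process killing (PowerTool, GMER), plus
the "disable antivirus" step. Added example; not code from CISA, the FBI
or the article. The event records are constructed to resemble Sysmon
Event ID 1 (process create) exported as key=value fields; hostnames,
paths and command lines are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Image names of the tools named in the advisory. Matching on file names is
# a weak signal because a binary can simply be renamed, so it is paired
# with command-line rules below.
TOOL_IMAGES = {
    "sharpshares.exe": "share enumeration (SharpShares)",
    "networx.exe": "network enumeration (SoftPerfect NetWorx)",
    "mimikatz.exe": "credential theft (Mimikatz)",
    "gmer.exe": "process/driver killing (GMER)",
    "powertool.exe": "process/driver killing (PowerTool)",
    "powertool64.exe": "process/driver killing (PowerTool)",
}

# Nirsoft ships legitimate admin utilities; these password-recovery tools
# are a lower-confidence indicator on their own.
NIRSOFT_IMAGES = {"webbrowserpassview.exe", "mailpv.exe", "netpass.exe"}

# Behavioural rules that survive renaming: Defender real-time protection
# switched off via PowerShell, and Mimikatz module syntax on any command line.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\b.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)\s+\$?true",
    re.IGNORECASE,
)
MIMIKATZ_MODULE = re.compile(r"\b(sekurlsa|lsadump|kerberos|privilege)::\w+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse 'Key=value|Key=value' into a dict with lower-cased keys.
    Assumes '|' does not occur inside field values."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious process-create event, else None."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("commandline", "")
    host = event.get("host", "?")
    if image in TOOL_IMAGES:
        return Finding(host, "high", TOOL_IMAGES[image], cmd)
    if image in NIRSOFT_IMAGES:
        return Finding(host, "medium", "Nirsoft password-recovery utility", cmd)
    if DEFENDER_TAMPER.search(cmd):
        return Finding(host, "high", "Defender protection disabled via Set-MpPreference", cmd)
    if MIMIKATZ_MODULE.search(cmd):
        return Finding(host, "high", "Mimikatz module syntax on command line (binary renamed)", cmd)
    return None


def scan(lines) -> list:
    """Run evaluate() over raw event lines and keep only the findings."""
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f is not None]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    r"Host=WS-017|EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"Host=WS-017|EventID=1|Image=C:\PerfLogs\PowerTool64.exe|CommandLine=PowerTool64.exe",
    r'Host=DC-01|EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"Host=FS-02|EventID=1|Image=C:\Temp\SharpShares.exe|CommandLine=SharpShares.exe /ldap:all",
    r"Host=WS-022|EventID=1|Image=C:\Tools\WebBrowserPassView.exe|CommandLine=WebBrowserPassView.exe /stext out.txt",
    r'Host=WS-022|EventID=1|Image=C:\Users\Public\m.exe|CommandLine=m.exe "sekurlsa::logonpasswords" exit',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.reason} :: {finding.command_line}")
```

The last sample record shows why the image-name table alone is not enough: Mimikatz renamed to m.exe slips past it and is caught only by the command-line rule. The svchost record produces no finding, and the Nirsoft hit is deliberately rated medium, since the same utility is used by help desks; in practice that alert should be enriched with the parent process, the user and the install time before anyone acts on it.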

In a concerning trend, CISA and the FBI have noted an increase in cases where victims receive direct phone calls or emails from BlackSuit attackers. This tactic is becoming more common among ransomware groups, as it increases the pressure on victims to pay the ransom.

A cybersecurity firm has observed that ransomware gangs are not only threatening organizations directly but are also extending their threats to secondary victims. For example, in January 2024, attackers threatened to “swat” patients of a cancer hospital and sent threatening text messages to a CEO’s spouse.

Moreover, attackers have been known to examine stolen data for evidence of illegal activities, regulatory violations, and financial irregularities. These aggressive tactics not only serve to increase pressure on the victims to pay but also aim to damage their reputation by portraying them as unethical or negligent.

This warning comes at a time when new ransomware families, such as Lynx, OceanSpy, Radar, Zilla (a variant of Crysis/Dharma ransomware), and Zola (a variant of Proton ransomware), are emerging. At the same time, existing ransomware groups are continuously evolving their methods, incorporating new tools and techniques.

One notable case is Hunters International, a group that has been observed using a new C#-based malware called SharpRhino as an initial infection vector and remote access trojan (RAT). This malware, a variant of the ThunderShell family, is delivered through a typosquatting domain that impersonates the popular network administration tool Angry IP Scanner.

Reporting from January 2024 had already tied this malware to malvertising campaigns. The open-source RAT, also tracked as Parcel RAT and SMOKEDHAM, establishes persistence on the victim's machine as soon as it runs and gives the attacker remote access, allowing the intrusion to proceed with little interference.
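Typosquatting of the kind described for the SharpRhino delivery domain can be caught at the resolver. The following is an added example, not code from the article or from the vendor report on SharpRhino: it normalises the registrable label of each queried name (digit homoglyphs, hyphens, the rn/vv digraphs), scores it against the brand by edit distance, and also catches the brand used as a subdomain of an unrelated domain. The legitimate site angryip.org is real; every look-alike domain in the sample log is constructed for illustration and is not an observed indicator, and the two-entry TLD table is a stand-in for the Public Suffix List.

```python
"""Score DNS query names for typosquatting against a brand, the technique
the SharpRhino delivery domain used against Angry IP Scanner. Added
example; not code from the article or from any vendor report, and the
squat domains below are constructed, not observed indicators. The only
real name used is the legitimate angryip.org."""
import re
from dataclasses import dataclass

LEGIT_DOMAIN = "angryip.org"
# Brand forms a squat is likely to imitate, after normalisation below.
BRAND_ALIASES = ("angryip", "angryipscanner")
# Digit-for-letter substitutions common in squats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# Toy stand-in for the Public Suffix List; a real deployment should use it.
TWO_PART_TLDS = {"co.uk", "com.au", "co.jp"}


@dataclass(frozen=True)
class Verdict:
    host: str
    verdict: str   # "legitimate" | "suspected_typosquat" | "unrelated"
    detail: str


def normalize(label: str) -> str:
    """Collapse homoglyphs, hyphens and look-alike digraphs (rn->m, vv->w)."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (registrable label, list of subdomain labels) for a host name."""
    labels = host.split(".")
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_TLDS else 1
    if len(labels) <= suffix_len:
        return labels[0], []
    return labels[-suffix_len - 1], labels[: -suffix_len - 1]


def classify(host: str) -> Verdict:
    """Decide whether a queried name is the real site, a likely squat, or unrelated."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return Verdict(host, "legitimate", "matches the allowlisted domain")
    registrable, subdomains = split_host(host)
    norm = normalize(registrable)
    alias, dist = min(((a, levenshtein(norm, a)) for a in BRAND_ALIASES), key=lambda t: t[1])
    threshold = 1 if len(alias) <= 8 else 2    # tolerate more typos in longer names
    if dist <= threshold:
        return Verdict(host, "suspected_typosquat", f"'{registrable}' is edit distance {dist} from '{alias}'")
    if any(normalize(s) in BRAND_ALIASES for s in subdomains):
        return Verdict(host, "suspected_typosquat", "brand name used as a subdomain of an unrelated domain")
    if any(a in norm for a in BRAND_ALIASES):
        return Verdict(host, "suspected_typosquat", f"brand name embedded in '{registrable}'")
    return Verdict(host, "unrelated", "")


QUERY_RE = re.compile(r"\bquery=(\S+)")


def scan_dns(lines) -> list:
    """Classify every query name in resolver log lines of the form '... query=<name> ...'."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append(classify(m.group(1)))
    return out


# Constructed resolver log; .example is a reserved TLD, so nothing here resolves.
SAMPLE_DNS_LOG = [
    "2024-08-08T10:01:02Z client=10.20.0.15 query=www.angryip.org type=A",
    "2024-08-08T10:03:45Z client=10.20.0.15 query=angry1p.org type=A",
    "2024-08-08T10:04:10Z client=10.20.0.31 query=angryip-scanner.net type=A",
    "2024-08-08T10:06:52Z client=10.20.0.31 query=angryipscaner.com type=A",
    "2024-08-08T10:07:30Z client=10.20.0.44 query=angryip.org.evil-cdn.example type=A",
    "2024-08-08T10:09:01Z client=10.20.0.44 query=github.com type=A",
]

if __name__ == "__main__":
    for v in scan_dns(SAMPLE_DNS_LOG):
        print(f"{v.verdict:20} {v.host:32} {v.detail}")
```

Edit distance over a normalised label is deliberately generous, so expect false positives on legitimate near-names and treat a hit as a triage lead, not a block decision. The check also only sees the DNS lookup; when the lure is a malicious advert, as in the malvertising campaigns mentioned above, the user has already clicked by the time the query appears, so pairing it with a download-gate on unsigned installers closes the rest of the path.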

Defending against BlackSuit calls for layered controls that map to the entry points above. Patch internet-facing applications promptly, require phishing-resistant multifactor authentication for RDP and any other remote access (and disable RDP where it is not needed), and train staff to recognize the phishing emails that most often open the door. Deploy endpoint protection that alerts on tampering, such as antivirus being disabled, since that step precedes encryption, and keep backups offline and regularly tested for restore. None of these eliminates the risk on its own, but together they cut both the likelihood of initial access and the damage if encryption does occur.