Have you heard of the ransomware strain, BlackSuit? Previously branded as Royal Ransomware, operators of this attack have secured as much as $500 million in demands in ransoms to date. This has raised the threat level and awareness of BlackSuit: the U.S. Cybersecurity and Infrastructure Security Agency and the FBI released a joint advisory that details the methods of BlackSuit ransomware IOC and TTP attacks. An IOC (Indicator of Compromise) is a sign that shows a computer, or network may have been attacked. It could be a strange file, unusual activity, or a virus. A TTP (Tactics, Techniques, and Procedures) attack refers to the methods and steps that hackers use to carry out an attack. It’s like their playbook, showing how they plan and execute their crime, from sneaking into a system to stealing information. It also warns that these bad actors have been utilizing unusual strategies to secure financial leverage; however, these unusual strategies have demonstrated high effectiveness.
According to the advisory: “BlackSuit conducts data exfiltration and extortion before encryption and then publishes victim data to a leak site if a ransom is not paid.” In other words, this is no idle threat. BlackSuit operators primarily utilize phishing emails to gain access to their victims’ networks, upon which they disable antivirus software to deploy ransomware and re-encrypt the network. These attacks tend to range from anywhere from $1 to $10 million in ransom that is paid out in Bitcoin; interestingly, the operators have demonstrated a willingness to negotiate the price of the ransom. Perhaps more menacingly, the agencies have observed an increase in telephonic or email communications to victims, which only further demonstrates these actors are more than willing to back up their threats. Experts note that there is no apparent specific discrimination when it comes to industry or type of target, save a preference for healthcare, education and internet technologies organizations. With the financial risks at stake, the FBI recommends sufficient password protection for all accounts, including multi-factor authentication. All systems and software should be upgraded/patched when available to avoid damages by BlackSuit operators—if it is possible to segment your network, that will also help to limit exposure if a breach occurs. Another critical step is to use anti-malware software that can detect/block known ransomware variants through pattern recognition. And as always, make sure that you routinely look at your network traffic to see whether there are any unusual network traffic patterns or communication with known command-and-control servers.