ReliaQuest reveals BlackSuit ransomware details in 2024 customer incident
In April 2024, ReliaQuest identified a cyberattack orchestrated by the BlackSuit ransomware group that marked the onset of significant disruption for one of its customers. The intrusion involved Kerberoasting, a credential-theft technique that gave the attackers the access they used to encrypt critical systems and exfiltrate sensitive data. Since its emergence in May 2023, BlackSuit has targeted numerous US-based organisations across critical sectors such as education and industrial goods. ReliaQuest's Threat Research team reported that BlackSuit relied on tools such as PsExec for lateral movement and used virtual machines to execute its ransomware, reflecting the group's methodical approach.
The attack lifecycle, as detailed in ReliaQuest's investigation, began with initial access achieved by brute-forcing a misconfigured VPN. This access was likely obtained by an initial access broker who then handed it off to BlackSuit or its affiliates. The encryption phase was executed through the Windows Management Instrumentation Command-line utility (WMIC). The analysis highlights that even straightforward tactics, techniques, and procedures (TTPs), such as brute-force attacks and FTP for exfiltration, went undetected until late in the intrusion, stressing the need for improved defensive measures.
BlackSuit first came to the attention of security researchers in May 2023. Similarities have been drawn between BlackSuit and the Royal ransomware operation, which itself is seen as a successor to the disbanded Conti ransomware gang. Since its inception, BlackSuit has targeted 53 organisations, predominantly based in the USA, spanning diverse industry verticals such as education, industrial goods, and construction. This pattern suggests a financial motivation, focusing on sectors with typically smaller cybersecurity budgets and a low tolerance for operational downtime, thus increasing the likelihood of ransom payments.
The ReliaQuest report delineates BlackSuit's tactics during the attack. Initial access was gained via a compromised VPN account, likely through brute force or credentials from an external source. The VPN gateway, located at a disaster recovery site, lacked multi-factor authentication (MFA) or certificate requirements, allowing the adversary to establish a foothold.
Lateral movement within the network was primarily conducted using PsExec, a remote administration tool. The attacker paused activity, suggesting a handover from an initial access broker to the BlackSuit ransomware group or its affiliates. The lack of comprehensive endpoint detection and response (EDR) solutions and incomplete event logging from workstations made it challenging to trace the lateral movements during the triage phase.
Approximately ten days after the initial breach, BlackSuit began accessing a Windows server using newly acquired credentials, deploying Rubeus, a tool for Kerberos abuse, through PowerShell. The adversary compromised over 20 user accounts via Kerberoasting (requesting service tickets for accounts that have a service principal name and cracking the tickets offline to recover weak passwords), and one further account through AS-REP roasting (the same idea applied to an account with Kerberos pre-authentication disabled). The resulting privileges allowed the attackers to dump the NTDS.dit database from domain controllers, which holds the password hashes of every account in the domain, compromising the entire forest.
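Both techniques leave a distinctive trace on domain controllers: Kerberoasting shows up as one account requesting many service tickets (Security event 4769) in a short burst, typically with the RC4 encryption type (0x17) that Rubeus asks for because RC4 tickets crack fastest, and AS-REP roasting shows up as a TGT request (event 4768) whose Pre-Authentication Type is 0. The following detection logic is an added example written for this article, not code from ReliaQuest or from the report; the event records are constructed, the field names are shortened versions of the Windows event fields, and the threshold of five distinct service accounts in ten minutes is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type requested by Rubeus to obtain fast-cracking hashes

# Constructed sample events (not taken from the ReliaQuest report). Keys mirror the
# named fields of Security events 4769 (service ticket request) and 4768 (TGT request):
# 'account' is the requesting user, 'service' is the SPN owner, 'etype' is the ticket
# encryption type, 'preauth' is the Pre-Authentication Type of a 4768.
SAMPLE_EVENTS = [
    # alice: two AES tickets over several minutes, normal use
    {"id": 4769, "time": "2024-04-11T09:00:01", "src": "10.0.5.8", "account": "alice", "service": "svc_sql", "etype": "0x12"},
    {"id": 4769, "time": "2024-04-11T09:05:30", "src": "10.0.5.8", "account": "alice", "service": "svc_web", "etype": "0x12"},
    # jdoe: burst of RC4 tickets for many distinct service accounts within two minutes
    {"id": 4769, "time": "2024-04-11T10:12:00", "src": "10.0.5.21", "account": "jdoe", "service": "svc_sql", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:12:01", "src": "10.0.5.21", "account": "jdoe", "service": "svc_backup", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:12:01", "src": "10.0.5.21", "account": "jdoe", "service": "svc_web", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:12:02", "src": "10.0.5.21", "account": "jdoe", "service": "svc_exchange", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:12:02", "src": "10.0.5.21", "account": "jdoe", "service": "svc_sccm", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:13:40", "src": "10.0.5.21", "account": "jdoe", "service": "svc_report", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-04-11T10:13:41", "src": "10.0.5.21", "account": "jdoe", "service": "WS01$", "etype": RC4_HMAC},
    # TGT requests: alice pre-authenticates (type 2), legacyapp does not (type 0)
    {"id": 4768, "time": "2024-04-11T10:14:00", "src": "10.0.5.8", "account": "alice", "preauth": "2", "etype": "0x12"},
    {"id": 4768, "time": "2024-04-11T10:14:05", "src": "10.0.5.21", "account": "legacyapp", "preauth": "0", "etype": RC4_HMAC},
]


def detect_kerberoasting(events, threshold=5, window_minutes=10):
    """Return {account: set(service accounts)} for every account that requested RC4
    service tickets for at least `threshold` distinct SPN owners inside one window.
    Computer accounts (names ending in $) and krbtgt are ignored: their passwords are
    random and not worth cracking, so they are noise rather than roasting targets."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), svc))

    window = timedelta(minutes=window_minutes)
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[account] = in_window
                break
    return hits


def detect_asrep_roasting(events):
    """Return (source IP, account) for TGT requests made without pre-authentication.
    A successful 4768 with Pre-Authentication Type 0 means the account has
    DONT_REQ_PREAUTH set, which is exactly what AS-REP roasting abuses."""
    return [(e["src"], e["account"]) for e in events
            if e["id"] == 4768 and e.get("preauth") == "0"]


if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

Two caveats worth remembering when turning this into a production rule: tooling can request AES tickets instead of RC4, so the encryption-type filter should be treated as a strong signal rather than a prerequisite, and legitimate applications that enumerate many SPNs at startup will need an allowlist by source host.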
The exfiltration phase saw over 100GB of data transmitted to an external IP address via an unmonitored Windows server using FTP. The attacker utilised 7zip and WinSCP to stage and transfer the data. This phase underlines the difficulty of detecting and preventing data exfiltration, emphasising the need for layered network defence strategies and comprehensive data loss prevention (DLP) solutions.
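The reason an FTP transfer of this size can go unnoticed is that the volume does not travel on port 21: in passive mode the data connections go to server-chosen high ports, so a rule that watches the FTP control port only ever sees a few kilobytes. The check below, an added example written for this article rather than code from ReliaQuest, aggregates outbound bytes per internal-host-to-external-host pair regardless of port and flags pairs over a threshold, noting whether a port-21 control channel was seen alongside. The flow records are constructed, the external addresses are documentation ranges, and the 5 GiB threshold is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

GIB = 1024 ** 3
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; anything else is treated as external."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


# Constructed NetFlow-style records (not from the report): bytes_out is the
# number of bytes 'src' sent to 'dst' over one day.
SAMPLE_FLOWS = [
    # Workstation browsing: well under any bulk threshold
    {"src": "10.0.5.8", "dst": "198.51.100.7", "dst_port": 443, "bytes_out": 800 * 1024 ** 2},
    # File server talking to an internal backup target: east-west, ignored here
    {"src": "10.0.20.15", "dst": "10.0.1.5", "dst_port": 445, "bytes_out": 30 * GIB},
    # File server to an external host: tiny control channel on port 21 ...
    {"src": "10.0.20.15", "dst": "203.0.113.45", "dst_port": 21, "bytes_out": 4096},
    # ... followed by passive-mode data connections on ephemeral ports
    {"src": "10.0.20.15", "dst": "203.0.113.45", "dst_port": 50123, "bytes_out": 40 * GIB},
    {"src": "10.0.20.15", "dst": "203.0.113.45", "dst_port": 50124, "bytes_out": 40 * GIB},
    {"src": "10.0.20.15", "dst": "203.0.113.45", "dst_port": 50125, "bytes_out": 40 * GIB},
]


def detect_bulk_egress(flows, byte_threshold=5 * GIB):
    """Sum bytes per (internal source, external destination) pair across all ports
    and return the pairs at or above the threshold. Keying on the host pair rather
    than on the port is what makes passive FTP (and any other protocol that moves
    data on negotiated ports) visible."""
    totals = defaultdict(int)
    ftp_control = set()
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only north-south traffic from inside to outside
        key = (f["src"], f["dst"])
        totals[key] += f["bytes_out"]
        if f["dst_port"] == 21:
            ftp_control.add(key)
    return [
        {"src": s, "dst": d, "bytes": b, "ftp_control_seen": (s, d) in ftp_control}
        for (s, d), b in totals.items()
        if b >= byte_threshold
    ]


if __name__ == "__main__":
    for hit in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['bytes'] / GIB:.1f} GiB "
              f"(FTP control channel seen: {hit['ftp_control_seen']})")
```

A server that has no business talking to the internet at all, which is the case for most file and application servers, is better served by a default-deny egress policy than by a volume threshold; the threshold is the fallback for hosts that must be allowed out.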
The final phase involved deploying the ransomware payload via a Windows virtual machine. The threat actor used PsExec to copy the payload to multiple hosts and executed the encryption using WMIC. This method mirrors tactics seen in Royal ransomware attacks, reinforcing the potential connection between these groups.
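The PsExec lateral movement described earlier and the WMIC-driven execution described here both generate host events that are cheap to collect, provided the System and Security logs are actually forwarded, which this investigation found was not consistently the case. PsExec installs a service on the target (System event 7045, by default named PSEXESVC), a remote `wmic /node:<host> process call create` leaves a process-creation record (Security event 4688 with command-line auditing enabled) on the host it is run from, and the process it launches on the target is spawned as a child of WmiPrvSE.exe. The following rule set is an added example written for this article, not ReliaQuest's detection content; the events, host names and the payload path are constructed.

```python
import re

# A remote WMIC process creation carries a /node: target and the process call create verb.
WMIC_REMOTE_RE = re.compile(r"/node:.*process\s+call\s+create", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules are not fooled by directory choice."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample events (not from the report). 7045 is the System-log
# "a service was installed" event; 4688 is Security-log process creation.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "FS01", "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "FS01", "service": "BackupAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 4688, "host": "JUMP01", "process": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"FS01" process call create "C:\ProgramData\update.exe"'},
    {"id": 4688, "host": "JUMP01", "process": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic os get caption"},
    {"id": 4688, "host": "FS01", "process": r"C:\ProgramData\update.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": r"C:\ProgramData\update.exe"},
    {"id": 4688, "host": "WS07", "process": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def detect_remote_execution(events):
    """Return (host, rule name) for each event matching one of three rules:
    - psexec_service_installed: 7045 for the default PsExec service name or image
    - wmic_remote_process_create: 4688 of wmic.exe with /node: ... process call create
    - process_spawned_by_wmiprvse: 4688 whose parent is WmiPrvSE.exe (target side)"""
    hits = []
    for e in events:
        if e["id"] == 7045:
            if e["service"].upper() == "PSEXESVC" or basename(e["image"]) == "psexesvc.exe":
                hits.append((e["host"], "psexec_service_installed"))
        elif e["id"] == 4688:
            if basename(e["process"]) == "wmic.exe" and WMIC_REMOTE_RE.search(e["cmdline"]):
                hits.append((e["host"], "wmic_remote_process_create"))
            if basename(e["parent"]) == "wmiprvse.exe":
                hits.append((e["host"], "process_spawned_by_wmiprvse"))
    return hits


if __name__ == "__main__":
    for host, rule in detect_remote_execution(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The PsExec rule is the weakest of the three because the `-r` switch lets an operator rename the service; the WmiPrvSE.exe parent rule is the most robust, since it fires on the target regardless of how the remote call was issued, but it also catches legitimate management tooling and needs an allowlist of expected child processes per server role.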
In response, the compromised organisation implemented several immediate actions, including domain-wide password resets, isolating the compromised site, and utilising endpoint security solutions for remediation. ReliaQuest's GreyMatter Digital Risk Protection (DRP) was also configured to monitor potential data leaks.
The investigation revealed that basic but effective TTPs were used by BlackSuit, highlighting the importance of proper VPN configuration, comprehensive endpoint visibility, and implementing automated response mechanisms as key strategies in thwarting such attacks. Ensuring robust defences and accurate configurations can detect and mitigate these common TTPs, minimising the impact on organisations.