Rewterz Threat Alert – BlackSuit Encryptor Bolsters The Arsenal Of The Royal Ransomware Gang – Active IOCs

Severity

High

Analysis Summary

According to recent reports, the Royal ransomware gang has begun testing a new encryptor called BlackSuit, which shares many similarities with the operation’s usual encryptor. 

BlackSuit is a new ransomware family that was first discovered in May 2023, and it has been found to be significantly similar to the Royal ransomware family. The similarities between the two ransomware strains have led researchers to speculate that BlackSuit is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family. 

It appears that since late April, there have been rumors that the Royal ransomware operation was planning to rebrand under a new name, possibly due to increased pressure from law enforcement after attacking the City of Dallas, Texas. In May, a new ransomware operation called BlackSuit was discovered, which used its own branded encryptor and Tor negotiation sites. Some researchers speculated that BlackSuit was the new name for the Royal ransomware group, but a rebranding never occurred, and the Royal group is still actively attacking enterprises while using BlackSuit in limited attacks. 

According to Yelisey Bohuslavskiy from RedSense, the Royal gang uses both Royal and BlackSuit lockers, with Emotet and IcedID as precursors. They are focused on developing custom precursor loaders and exploring alternatives to CobaltStrike, such as Sliver. While they experiment with new tools like the BlackSuit locker, it’s possible that these attempts are considered failed experiments.

The BlackSuit operation seems to be self-contained, possibly indicating that Royal is planning to launch a subgroup targeting specific types of victims or saving it for a future rebranding.

However, a rebranding may no longer be effective, as a report by Trend Micro reveals clear similarities between the BlackSuit and Royal ransomware encryptors, making it difficult to convince others that it is a completely new operation. Although the extent of the BlackSuit encryptor’s use is uncertain, it has been observed in a small number of attacks, with ransom amounts currently below $1 million. While only one victim is listed on their data leak site at present, that could change if the BlackSuit encryptor is more widely deployed.

It is still unclear if the BlackSuit encryptor is the beginning of a new Royal gang subgroup or a failed experiment. Nonetheless, network defenders should be aware of the expertise possessed by Royal in breaching networks and deploying their encryptors.

Impact

• File Encryption

Indicators of Compromise

MD5

• 748de52961d2f182d47e88d736f6c835
• 9656cd12e3a85b869ad90a0528ca026e
• 4f813698141cb7144786cdc6f629a92b
• 2902e12f00a185471b619233ee8631f3

SHA-256

• 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
• 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e
• 4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
• b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c

SHA-1

• 30cc7724be4a09d5bcd9254197af05e9fab76455
• 861793c4e0d4a92844994b640cc6bc3e20944a73
• 69feda9188dbebc2d2efec5926eb2af23ab78c5d
• 7e7f666a6839abe1b2cc76176516f54e46a2d453

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security. 
•  Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms. 
• Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.