A new report into the activity of the BlackSuit ransomware gang reveals in-depth hacker habits and tactics.
The BlackSuit ransomware gang is relatively new, first observed only about a year ago. Still, it’s already racked up more than 50 victims on its leak site, including Australian property valuation firm Herron Todd White.
However, researchers at cyber security outfit ReliaQuest recently observed the gang in action.
After responding to a cyber incident in April 2024, ReliaQuest’s people were able to analyse the group’s tactics, techniques, and procedures, developing a forensic timeline of the group’s specific activity targeting a single victim.
BlackSuit itself appears to be an evolution of several older groups, with similarities noted between it and the Royal ransomware group, a spin-off of the Conti group, which broke up in the wake of Russia’s invasion of Ukraine in 2022.
That being said, BlackSuit’s modus operandi is likely indicative of how many such groups go about their business.
D+0: Initial access
According to ReliaQuest, an unknown threat actor gained VPN access to the unnamed victim in early April 2024, likely via brute-forcing the credentials or taking advantage of a user/password combination from a prior leak. Multifactor authentication was not enabled on the specific firewall, as it was a non-primary gateway at a disaster recovery site, making it a useful target of opportunity.
D+7: Undetected lateral movement
In the week that followed the threat actor – likely an initial access broker – achieved lateral movement across a number of Windows devices. The broker made use of a remote access tool, PsExec, which was already installed on the systems.
Unfortunately, given the nature of the site, event logs were not forwarded and proper endpoint detection and response were not in use. The hacker was able to move laterally without immediate detection, with ReliaQuest only discovering their tracks during a later forensic investigation.
D+10: BlackSuit steps into the picture
According to ReliaQuest, there was then a gap of three days until the next threat actor activity. This is likely the broker then selling their access to the network to BlackSuit or one of the gang’s affiliates.
Once BlackSuit had access, the next stage of the operation commenced. BlackSuit used this access to authenticate to a Windows server, most likely from the VPN, though, without any logs, this is impossible to confirm.
BlackSuit’s hackers then used a technique known as Kerberoasting to compromise more than 20 user accounts, including one called “admin1” – a domain administrator.
Kerberoasting is a form of post-exploitation attack in which the hacker requests a Kerberos ticket encrypted with the hash of a service account password for any affiliated service principal name, or SPN. This ticket can then be cracked offline without the victim becoming aware that an attack is in progress.
With admin access, BlackSuit was able to download several NTDS.DIT files, which led to the compromise of the entire network.
D+10: Exfiltration
Now the attack begins to progress in leaps of hours rather than days.
Several hours later, the admin1 account infiltrated a file archiving utility and an FTP tool. An unmonitored Windows server then initiated several FTP connections to an external device about 30 minutes later, with more than 100 gigabytes of data exfiltrated over the next six hours.
Once that was done, the attackers installed VirtualBox and set up a virtual machine to obfuscate the next stage of the attack – the actual deployment of ransomware. This again relied on PsExec, this time on the attacker’s malicious VM, to copy the ransomware payload from a network share to “hundreds of hosts”. The ransomware was then loaded as a library, and the encryptor went to work.
At this point, the victim became aware of the attack and began remediation work.
“The investigation into the BlackSuit ransomware attack revealed a relatively straightforward set of TTPs,” ReliaQuest’s threat research team said in a blog post.
“These techniques are not novel, and their continued success highlights the efficacy of the techniques and the difficulty of appropriate mitigation. In this case, correctly configuring the VPN, more complete endpoint visibility, and implementing automated response or containment plays could have prevented impact earlier in the attack chain.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.