CISA, in collaboration with the FBI, has published a joint advisory on the BlackSuit ransomware group. The advisory includes recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) related to the BlackSuit operation, a rebrand of the legacy Royal ransomware, as identified by FBI investigations as recent as July 2024. BlackSuit ransomware has targeted various critical infrastructure sectors, including commercial facilities, healthcare, government, and manufacturing. The report is part of the #StopRansomware initiative conducted by the US Government. The advisory, originally published on March 2, 2023, has been updated twice:
The BlackSuit actors gain initial access to victim networks through several methods, including phishing campaigns, Remote Desktop Protocol (RDP) (used in about 13.3% of incidents), exploitation of vulnerabilities in public-facing applications, initial access purchased from access brokers, and VPN credentials harvested from stealer logs.
Historically, Royal actors were observed leveraging Chisel, a Secure Shell (SSH) client, PuTTY, OpenSSH, and MobaXterm for C2 communications.
The group uses SharpShares and SoftPerfect NetWorx to map out victim networks. The threat actors also use Mimikatz and Nirsoft tools to steal credentials and harvest passwords. Additionally, they often deploy tools like PowerTool and GMER to terminate system processes.
The group exfiltrates data stolen from victim networks using post-exploitation tools, such as Cobalt Strike, and malware such as Ursnif.
Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)