BlackSuit generates over $500M in ransom demands
Since its first appearance in 2022, the ransomware operation BlackSuit has demanded over $500 million from its victims.
The Cybersecurity & Infrastructure Security Agency (CISA) and FBI have updated a joint cybersecurity advisory on Wednesday, sharing the latest intel and findings on BlackSuit.
According to the security and intelligence agencies, the BlackSuit ransomware group was previously identified as Royal Ransomware, which was active between September 2022 and June 2023.
Both operations share common tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs).
“BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems,” the agencies say.
A study conducted by the FBI shows that Remote Desktop Protocol (RDP) compromise is the second most common attack vector for the BlackSuit operation. The FBI points out that BlackSuit members use legitimate remote monitoring and management software (RMM) to go unnoticed in their victim’s network.
Over the last two years, the BlackSuit ransomware gang has collected over $500 million in ransom money from its victims. In one particular case, the hacking group received $60 million in ransom. BlackSuit actors have demonstrated that they are willing to negotiate, but ransom demands typically range from $1 million to $10 million, which has to be paid in Bitcoin.
To protect a company’s computer network from BlackSuit, CISA and the FBI recommend implementing a password policy. That means users must use long and unique passwords, avoid reusing passwords, disable password hints, change passwords frequently, and store passwords in a password manager.
Furthermore, the agencies advise implementing network segmentation (zero-trust), using multi-factor authentication (MFA) to protect accounts, keeping all software up-to-date, disabling unused ports, and making sure all backup data is encrypted.
Software developers, in turn, should embed security into their product architecture and make MFA a default setting rather than an opt-in feature.