To date, the ransomware known as BlackSuit has demanded up to $500 million in ransoms, with one ransom demand reaching $60 million.
This is stated in the updated recommendation of the US Cyber Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
“BlackSuit actors have demonstrated a willingness to negotiate payment amounts,” the agencies said. “Ransom amounts are not part of the initial ransom message, but require direct interaction with the threat actor via the .onion URL (accessible via the Tor browser) provided after encryption.”
The ransomware attacks have targeted several critical infrastructure sectors, including commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
An evolution of the Royal ransomware, BlackSuit uses initial access gained through phishing emails to disable antivirus software and steal sensitive data before finally deploying the ransomware and encrypting systems.
Other common routes of infection include the use of Remote Desktop Protocol (RDP), the exploitation of vulnerable Internet-facing applications, and access purchased through Initial Access Brokers (IABs).
BlackSuit actors are known to use legitimate Remote Monitoring and Management (RMM) software, along with the SystemBC and GootLoader malware, to maintain persistence in victim networks.
“BlackSuit members were observed using SharpShares and SoftPerfect NetWorx to enumerate victims’ networks,” the agencies noted. “The publicly available Mimikatz credential theft tool and password harvesting tools from Nirsoft were also found on victim systems. Tools like PowerTool and GMER are often used to kill system processes.”
CISA and the FBI warn of an increase in victims receiving phone calls or emails from BlackSuit actors regarding the compromise and the ransom. This tactic is increasingly used by extortion groups to ramp up the pressure on victims.
“In recent years, threat actors seem increasingly interested not only in threatening organizations directly, but also in collateral victims,” cybersecurity firm Sophos said in a report released this week. “For example, as reported in January 2024, attackers threatened to ‘break up’ patients of an oncology hospital and sent threatening text messages to the CEO’s wife.”
That’s not all. The threat actors also said they were evaluating the stolen data for evidence of illegal activity, regulatory non-compliance and financial irregularities, even going so far as to claim that an employee of the compromised organization had searched for child sexual abuse material, and posting the browser history online.
Such aggressive methods serve not only as additional leverage to force targets to pay, but also damage the targets’ reputation by painting them as unethical or negligent.
The development comes amid the emergence of new ransomware families in the wild, such as Lynx, OceanSpy, Radar, Zilla (a Crysis/Dharma ransomware variant) and Zola (a Proton ransomware variant), even as existing ransomware groups keep refining their modus operandi by adding new tools to their arsenal.
A case in point is Hunters International, which has been spotted using a new C#-based malware called SharpRhino as an initial infection vector and remote access trojan (RAT). A variant of the ThunderShell malware family, it is delivered via a typosquatting domain that mimics the popular network administration tool Angry IP Scanner.
It should be noted that malicious campaigns delivering the malware were spotted in January 2024, according to eSentire. The open-source RAT is also called Parcel RAT and WITHERING.
“Once executed, it establishes resilience and provides the attacker with remote access to the device, which is then used to advance the attack,” Michael Foret, researcher at Quorum Cyber, said. “Using previously unseen techniques, the malware is able to obtain a high level of resolution on the device to ensure that the attacker can execute the targeting with minimal disruption.”
Hunters International is billed as a rebranding of the defunct Hive ransomware group. First discovered in October 2023, it claimed responsibility for 134 attacks in the first seven months of 2024.
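The SharpRhino delivery described above relies on a typosquatting domain that mimics the Angry IP Scanner site. The following is an added example for defenders, not code from the article or from any of the vendors it cites: it scans constructed DNS query log lines for hostnames that are a small edit away from a protected domain, that embed the brand in another label, or that reuse the brand under a different TLD. The protected-domain list, the log lines and the lookalike names are all constructed placeholders (angryip.org is the real Angry IP Scanner site; the actual domain used in the SharpRhino campaign is not on the page and is not reproduced here).

```python
"""Lookalike-domain check for DNS query logs (added example, not from the article)."""
import re
from typing import List, Optional, Tuple

# Constructed allow-list of domains the defender wants to protect.
PROTECTED = ["angryip.org", "example-corp.com"]

# Constructed DNS log lines; the lookalike names are placeholders, not real IoCs.
SAMPLE_LOG = """\
2024-08-08T10:01:02Z client=10.0.0.5 qname=angryip.org
2024-08-08T10:01:09Z client=10.0.0.5 qname=angry1p.org
2024-08-08T10:02:14Z client=10.0.0.7 qname=angryip.com
2024-08-08T10:03:30Z client=10.0.0.9 qname=angryip-download.net
2024-08-08T10:04:41Z client=10.0.0.9 qname=angryip.org.cdn-mirror.example
2024-08-08T10:05:00Z client=10.0.0.3 qname=updates.example-corp.com
2024-08-08T10:05:12Z client=10.0.0.3 qname=github.com
"""

QNAME_RE = re.compile(r"qname=(\S+)")
_SINGLE_HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(label: str) -> str:
    """Fold common homoglyph tricks (0/o, 1/l, rn/m, vv/w) before comparing."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(_SINGLE_HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_domain(host: str, protected=PROTECTED, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Classify a hostname against the protected list.

    Returns (verdict, matched_protected_domain); verdict is one of
    'exact', 'tld-swap', 'brand-in-name', 'lookalike' or 'none'.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "none", None
    sld = labels[-2]  # registrable label, e.g. 'angryip' in angryip.org
    for good in protected:
        good_sld = good.split(".")[-2]
        if host == good or host.endswith("." + good):
            return "exact", good  # the domain itself or one of its subdomains
        if sld == good_sld:
            return "tld-swap", good  # same brand label under another TLD
        if good_sld in labels[:-2] or good_sld in sld:
            return "brand-in-name", good  # brand embedded in a longer name or subdomain
        if osa_distance(normalize(sld), normalize(good_sld)) <= max_distance:
            return "lookalike", good  # one edit or homoglyph away from the brand
    return "none", None


def scan_log(text: str, protected=PROTECTED) -> List[Tuple[str, str, str]]:
    """Return (qname, verdict, brand) for every queried name that deserves a look."""
    hits = []
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        verdict, brand = check_domain(m.group(1), protected)
        if verdict not in ("exact", "none"):
            hits.append((m.group(1), verdict, brand))
    return hits


if __name__ == "__main__":
    for qname, verdict, brand in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {qname:40} mimics {brand}")
```

The default edit distance of 1 is deliberately conservative: raising it to 2 catches more variants but produces false positives for short brand labels, so tune it per protected domain and feed the hits into a review queue rather than blocking outright.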