BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption
In this Threat Analysis Report, Cybereason investigates a recently observed BlackSuit ransomware attack and the tools and techniques the threat actors used.

Cybereason Security Services Team
For the first time, the MITRE ATT&CK® Enterprise Evaluation addressed sophisticated, multi-platform threats from both financially motivated threat actors and state-sponsored intelligence groups. In this demanding evaluation, Cybereason achieved 100% detection, 100% accuracy, and 100% SOC efficiency with no configuration changes required.
To represent more accurately the tactics, techniques, and procedures of prolific criminal groups such as Scattered Spider and of sophisticated state-sponsored intelligence operations, the 2025 MITRE ATT&CK Enterprise Evaluation spanned the endpoint, identity, and cloud elements commonly seen in hybrid environments. Cybereason achieved perfect scores in detection and protection with no false positives, surfacing only the alerts that matter.
*Performance numbers reflect vendors' capabilities as evaluated with no configuration changes.
Across the board, Cybereason achieved the highest performance by:
Thanks to its AI-driven correlation engine and deep threat intelligence library enriched by frontline incident response insights, Cybereason demonstrated:
In the MITRE ATT&CK Enterprise Round 7 (ER7) evaluation, MITRE Engenuity expanded its realistic adversary emulation to test how enterprise security solutions detect and prevent modern attack techniques across the endpoint, identity, and cloud domains. ER7 featured two distinct adversary scenarios modeled on the behaviors of real-world groups: Scattered Spider, a financially motivated cybercriminal collective that relies on social engineering, credential theft, and remote access tools, and Mustang Panda, a PRC state-sponsored espionage actor that uses social engineering and legitimate tools to deploy custom malware. Together the scenarios executed a comprehensive set of tactics, techniques, and procedures drawn from the ATT&CK framework over 16 attack steps and roughly 90 sub-steps.
Vendors’ EDR/XDR platforms were evaluated on their ability to provide visibility and context for these techniques, from initial access and credential theft through lateral movement, persistence, and impact, with performance measured in terms of detection and prevention coverage across the mapped ATT&CK techniques.
ER7 differed from earlier MITRE ATT&CK evaluations by explicitly incorporating cloud and hybrid enterprise environments alongside traditional on-prem endpoints, reflecting how modern attacks span identity, SaaS, and infrastructure layers. The evaluation emphasized identity-centric abuse, cloud service misuse, and cross-environment lateral movement, rather than focusing primarily on endpoint malware execution. By modeling adversaries that blended social engineering, legitimate tooling, and cloud access, ER7 tested whether security platforms could deliver correlated visibility across endpoint, identity, and cloud control planes, a step change from prior, more endpoint-heavy rounds.

Cybereason’s detection accuracy remained consistently high across key adversary behaviors, including:
This visibility is reflected in Cybereason's 100% technique-level detection across the meaningful substeps, with irrelevant setup activity excluded from scoring as MITRE requested.

A strong detection rate is only meaningful when paired with low noise, and Cybereason excelled here as well: across the evaluated techniques it produced minimal false positives and a high signal-to-noise ratio.
False positives waste analyst time, degrade trust in the platform, and increase operating costs. Cybereason’s performance, achieved without inflating the detection surface, is a direct reflection of the platform's AI-driven correlation engine and its deep threat intelligence library.

Under ER7, the “Protection” criteria measured a product’s ability to actively disrupt or stop adversary behavior, not just detect or alert on it. MITRE evaluated whether techniques were blocked, prevented from executing, or otherwise neutralized in real time across endpoint, identity, and cloud contexts, including credential abuse and remote access activity.
Unlike earlier rounds where protection results were more limited or endpoint-centric, ER7 placed greater emphasis on preventing identity-driven and hybrid attack paths, highlighting which platforms could meaningfully reduce attacker progress versus simply providing post-execution visibility.
Unlike vendors that spike in one category and fall short in others, Cybereason’s results show:
This indicates a platform that does not rely on signatures or isolated point detections, but rather on a holistic understanding of attacker behavior.
Executives evaluating security platforms look for solutions that reduce risk without increasing complexity or cost. Cybereason’s MITRE results reinforce its strength in delivering:
Cybereason’s consistently accurate detections across these areas show that the platform is fully aligned with modern enterprise attack surfaces, not just traditional endpoints.

For any leader evaluating cybersecurity platforms, the ER7 MITRE results tell a clear story:
Cybereason provides world-class detection accuracy, extremely low false positives, and unparalleled visibility across the modern attack surface.
With a 100% detection rate, consistent technique-level coverage, and strong cloud/identity detection performance, Cybereason delivers exactly what enterprises need:
Cybereason didn’t just participate in MITRE. It set the standard.