BlackSuit Ransomware Detection: Ignoble Scorpius Escalates Attacks, Targets 90+ Organizations Worldwide
Emerging last year as the successor to Royal ransomware, BlackSuit has quickly evolved into a highly sophisticated malicious spinoff, aggressively targeting organizations worldwide. Security researchers have recently observed a significant surge in activity by the Ignoble Scorpius group, the operator behind BlackSuit, with over 90 organizations falling victim to their relentless intrusions.
Detect BlackSuit Ransomware
BlackSuit ransomware is gaining momentum in 2024, actively targeting multiple organizations with a sharp focus on the construction, manufacturing, and education industries. To stay ahead of potential attacks, security researchers can rely on the SOC Prime Platform for collective cyber defense, which offers a set of relevant Sigma rules backed by a complete product suite for advanced threat detection and hunting.
To access a curated detection stack addressing malicious activity linked to BlackSuit ransomware, search detections in Threat Detection Marketplace using the “BlackSuit Ransomware” tag.
Additionally, cyber defenders can dive into Ignoble Scorpius TTPs by exploring the detection stack accessible via the “Ignoble Scorpius” tag in the SOC Prime Platform.
All detection rules are compatible with over 30 SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK framework. Furthermore, the detection algorithms are enriched with extensive metadata, including CTI references, attack timelines, and triage recommendations, streamlining threat investigation.
BlackSuit Ransomware Analysis
Unit 42 researchers have recently uncovered a spike in BlackSuit ransomware activity since early spring 2024, indicating a surge in offensive campaigns. The notorious strain, a rebranding of Royal ransomware that has posed a significant menace to cyber defenders since 2023, is attributed to the group tracked as Ignoble Scorpius. Following the rebranding, over 93 victims have been identified globally, with approximately 25% concentrated in the construction and manufacturing industries, predominantly within the United States.
Like its predecessor, BlackSuit also runs a dark web leak site where it publishes the names and stolen data of its victims to pressure them into paying a ransom. Notably, the group’s initial ransom demands typically average around 1.6% of the victim organization’s annual revenue. With a median victim revenue of approximately $19.5 million across industries, these ransom demands represent a substantial financial burden for affected organizations.
In August 2024, the FBI and CISA issued an alert warning defenders of the rise of BlackSuit ransomware and its growing threat to global organizations. The joint cybersecurity advisory pointed to the group’s increasing ransom demands exceeding $500 million.
Ignoble Scorpius employs a range of tactics to gain initial access, often utilizing Initial Access Brokers (IABs) who provide stolen credentials or other unauthorized network access. Researchers have identified several methods used by the group, including phishing emails with malicious attachments, SEO poisoning through GootLoader, social engineering or vishing to acquire stolen VPN credentials, and software supply chain compromises. For credential harvesting, Ignoble Scorpius frequently relies on tools like Mimikatz and NanoDump to gain further network access.
After gaining privileged access, such as domain admin rights, BlackSuit operators dump the NTDS.dit file from the domain controller using ntdsutil. For lateral movement, the group employs RDP, SMB, and PsExec. They also leverage vulnerable drivers and loaders, identified as STONESTOP and POORTRY, to disable antivirus and EDR tools and facilitate detection evasion.
The group’s primary payload is the BlackSuit ransomware, which targets both Windows and Linux instances, including VMware ESXi servers. Additional tools like Cobalt Strike and SystemBC are used for persistence and command execution, though it’s unclear if they were deployed by Ignoble Scorpius or an IAB.
The Windows-based BlackSuit variant utilizes a command-line argument, -id, along with a unique 32-character identifier to target victims and provide access to a private negotiation chat through the ransom note. To prevent reinfection, the malware uses a mutex and employs tools like PsExec and WMIC to distribute and execute the ransomware across hundreds of hosts via SMB. Additionally, researchers have noted the use of VirtualBox to create a virtual machine for payload delivery. To ensure maximum encryption, BlackSuit terminates known processes and services using Windows Restart Manager to close open files, while avoiding critical processes like Windows Explorer. The ESXi variant, which is Linux-based, specifically targets virtual machines and introduces two additional command-line flags compared to its Windows counterpart.
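The two paragraphs above describe host-level behaviours that are cheap to watch for: ntdsutil exporting NTDS.dit on a domain controller, PsExec/WMIC-driven remote execution used to spread the payload over SMB, and the ransomware being launched with the -id flag and a 32-character identifier. The following is an added example written for this page, not a SOC Prime rule or code from the Unit 42 report. It runs a small detection pass over constructed Windows process-creation events (field names and sample lines are invented for the example) and tags each event with the behaviour it matches. The ntdsutil check keys on the documented "ifm" / "create full" export syntax; treating the 32-character identifier as alphanumeric is an assumption, since the post only gives its length.

```python
"""
Added example: flag BlackSuit-style host behaviours in process-creation
events. Not the post's or SOC Prime's own detection content; events and
field names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    """Minimal process-creation record (Sysmon EID 1 / 4688 style fields)."""
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str


# 1. ntdsutil with the "ifm" / "create full" syntax that exports NTDS.dit.
NTDSUTIL_RE = re.compile(r"ntdsutil.*\b(ifm|create\s+full)\b", re.IGNORECASE)

# 2. PsExec or WMIC launching a process on a remote host (UNC target or /node:).
PSEXEC_RE = re.compile(r"\bpsexec(64)?\.exe\b.*\\\\", re.IGNORECASE)
WMIC_RE = re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create",
                     re.IGNORECASE)
# PsExec runs its remote payload as a child of the PSEXESVC service.
PSEXESVC_PARENT_RE = re.compile(r"psexesvc\.exe$", re.IGNORECASE)

# 3. "-id" followed by a 32-character token. Alphanumeric is an assumption;
#    the post only states the identifier is 32 characters long.
ID_FLAG_RE = re.compile(r"(?:^|\s)-id\s+([A-Za-z0-9]{32})(?:\s|$)")


def classify(ev: Event) -> List[str]:
    """Return the list of behaviour tags an event matches (empty if benign)."""
    hits = []
    if NTDSUTIL_RE.search(ev.command_line):
        hits.append("ntds_dump")
    if (PSEXEC_RE.search(ev.command_line)
            or WMIC_RE.search(ev.command_line)
            or PSEXESVC_PARENT_RE.search(ev.parent_image)):
        hits.append("remote_exec")
    if ID_FLAG_RE.search(ev.command_line):
        hits.append("ransomware_id_flag")
    return hits


def scan(events: List[Event]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, image, tags) for every event that matched something."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append((ev.host, ev.image, hits))
    return findings


# Constructed sample telemetry: one DC export, one PsExec push, the pushed
# payload starting with -id, one WMIC push, and one benign svchost launch.
SAMPLE_EVENTS = [
    Event("DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\ntdsutil.exe",
          'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\out" q q',
          "C:\\Windows\\System32\\cmd.exe"),
    Event("WS07", "CORP\\jdoe", "C:\\Tools\\PsExec.exe",
          "PsExec.exe \\\\WS12 -s -d C:\\Users\\Public\\svc.exe",
          "C:\\Windows\\System32\\cmd.exe"),
    Event("WS12", "NT AUTHORITY\\SYSTEM", "C:\\Users\\Public\\svc.exe",
          "C:\\Users\\Public\\svc.exe -id abcdef0123456789abcdef0123456789",
          "C:\\Windows\\PSEXESVC.exe"),
    Event("WS03", "CORP\\asmith", "C:\\Windows\\System32\\wbem\\wmic.exe",
          'wmic /node:"WS15" process call create "C:\\Users\\Public\\svc.exe"',
          "C:\\Windows\\System32\\cmd.exe"),
    Event("WS20", "CORP\\bjones", "C:\\Windows\\System32\\svchost.exe",
          "svchost.exe -k netsvcs -p",
          "C:\\Windows\\System32\\services.exe"),
]


if __name__ == "__main__":
    for host, image, tags in scan(SAMPLE_EVENTS):
        print(f"{host:6} {image:45} {','.join(tags)}")
```

In a SIEM these three tags would map naturally onto separate rules (credential access, lateral movement, execution); the value of keeping them in one pass is that the same host appearing under remote_exec and ransomware_id_flag within minutes is the pattern the post describes for payload distribution over SMB, and that correlation is what should page an analyst rather than any single hit.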
Despite not yet ranking among the top ransomware gangs, Ignoble Scorpius stands out for conducting sophisticated supply chain attacks, having compromised at least 93 organizations without relying on a RaaS model. This calls for ultra-responsiveness from defenders to help organizations minimize the risks of ransomware attacks. By leveraging SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, progressive organizations can proactively thwart ransomware attacks and any emerging threats of increased sophistication to risk-optimize their cybersecurity posture.