BlackSuit Ransomware
Aug. 27, 2024, 9:06 a.m.
Description
The report chronicles a sophisticated intrusion that began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor used a range of tactics, combining tools such as Cobalt Strike, Sharphound, and SystemBC with built-in Windows utilities to establish a persistent foothold, exfiltrate data, and ultimately encrypt systems for financial gain. The investigation revealed several evasion and obfuscation techniques, including process injection, proxy servers, and malleable command-and-control infrastructure, highlighting the actor's determination to avoid detection.
Date
Published: Aug. 27, 2024, 8:35 a.m.
Created: Aug. 27, 2024, 8:35 a.m.
Modified: Aug. 27, 2024, 9:06 a.m.
Indicators
f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf
e92912153cf82e70d52203a1a5c996e68b7753818c831ac7415aedbe6f3f007d
a39dc30bd672b66dc400f4633dfa4bdd289b5e79909c2e25e9c08b44d99b8953
9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300
6c884e4a9962441155af0ac8e7eea4ac84b1a8e71faee0beafc4dd95c4e4753f
60dcbfb30802e7f4c37c9cdfc04ddb411060918d19e5b309a5be6b4a73c8b18a
55cde638e9bcc335c79c605a564419819abf5d569c128b95b005b2f48ccc43c1
3b873bc8c7ee12fe879ab175d439b5968c8803fbb92e414de39176e2371896b2
27e300fa67828d8ffd72d0325c6957ff54d2dc6a060bbf6fc7aa5965513468e0
147.78.47.178
137.220.61.94
zx.regsvcast.com
wq.regsvcast.com
qw.regsvcast.com
as.regsvcast.com
svchorst.com
Attack Patterns
Get-DataInfo.ps1
Rubeus
BlackSuit
SystemBC
Sharphound
Cobalt Strike - S0154
T1558.004
T1558.003
T1021.002
T1069.002
T1550.002
T1003.001
T1569.002
T1021.001
T1490
T1482
T1018
T1059.003
T1059.001
T1548
T1547.001
T1071.001
T1518.001
T1204.002
T1486
T1518
T1082
T1055
T1560
T1112
T1090