BlackSuit Ransomware

Aug. 27, 2024, 9:06 a.m.

Description

The report chronicles a sophisticated intrusion that began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor used a range of tactics, combining tools such as Cobalt Strike, Sharphound, and SystemBC with built-in Windows utilities to establish a persistent foothold, exfiltrate data, and ultimately encrypt systems for financial gain. The investigation revealed several evasion techniques, including process injection, proxy servers, and malleable command-and-control infrastructure, highlighting the actor's determination to avoid detection.

Date

Published: Aug. 27, 2024, 8:35 a.m.
Created: Aug. 27, 2024, 8:35 a.m.
Modified: Aug. 27, 2024, 9:06 a.m.

Indicators


Attack Patterns

Get-DataInfo.ps1

Rubeus

BlackSuit

SystemBC

Sharphound

Cobalt Strike - S0154

T1558.004

T1558.003

T1021.002

T1069.002

T1550.002

T1003.001

T1569.002

T1021.001

T1490

T1482

T1018

T1059.003

T1059.001

T1548

T1547.001

T1071.001

T1518.001

T1204.002

T1486

T1518

T1082

T1055

T1560

T1112

T1090