BlackSuit Ransomware
Aug. 27, 2024, 9:06 a.m.
Description
The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside built-in Windows utilities, to establish a persistent foothold, exfiltrate data, and ultimately encrypt systems for financial gain. The investigation revealed the use of various obfuscation techniques, including process injection, proxy servers, and malleable command-and-control infrastructure, highlighting the actor's determination to evade detection.
Tags
Date
- Created: Aug. 27, 2024, 8:35 a.m.
- Published: Aug. 27, 2024, 8:35 a.m.
- Modified: Aug. 27, 2024, 9:06 a.m.
Indicators
Attack Patterns
- Get-DataInfo.ps1
- Rubeus
- BlackSuit
- SystemBC
- Sharphound
- Cobalt Strike - S0154
- T1558.004
- T1558.003
- T1021.002
- T1069.002
- T1550.002
- T1003.001
- T1569.002
- T1021.001
- T1490
- T1482
- T1018
- T1059.003
- T1059.001
- T1548
- T1547.001
- T1071.001
- T1518.001
- T1204.002
- T1486
- T1518
- T1082
- T1055
- T1560
- T1112
- T1090