Threat Assessment: Distributors of BlackSuit Ransomware

Nov. 21, 2024, 9:23 a.m.

Description

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of the victim's annual revenue. The group uses various initial access methods, including phishing, SEO poisoning, and supply chain attacks. They employ tools like Mimikatz, Cobalt Strike, and Rclone for credential theft, lateral movement, and data exfiltration. The ransomware has both Windows and Linux variants, with specific functionality to target VMware ESXi servers in some Linux versions. The group's sophisticated tactics and potential ties to former Conti and Royal ransomware members make them a significant threat.

Date

Published: Nov. 20, 2024, 10:03 p.m.

Created: Nov. 20, 2024, 10:03 p.m.

Modified: Nov. 21, 2024, 9:23 a.m.

Indicators

http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion/?id=[ID]

weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion

Attack Patterns

NanoDump

Mimikatz

BlackSuit

SystemBC

GootLoader

Cobalt Strike - S0154

Ignoble Scorpius

Additional Information

Construction

Education

Manufacturing

United States of America