Blacksuit
Blacksuit is a private ransomware/extortion group that surfaced in early April/May of 2023. It bears numerous similarities to Royal Ransomware, suggesting it may be a spinoff or a rebranding effort.

The origin of Blacksuit
Blacksuit shares numerous similarities in code and operating style with Royal Ransomware, which is why researchers treat it as a spinoff or rebrand of that group rather than a new actor.
Royal, itself run by former Conti operators, gained notoriety for highly targeted attacks on critical infrastructure sectors and for its methods of gaining initial access, elevating privileges, and evading detection.
Blacksuit continues that lineage: it targets the same high-value industries, keeps the same double-extortion model (steal data first, then encrypt), and uses comparable tradecraft to breach and encrypt victim networks.

Countries targeted by Blacksuit
Blacksuit operates on a global scale, with significant activity reported in:
- North America: Particularly the United States and Canada.
- Europe: Including notable incidents in Italy and the United Kingdom.
- Asia: South Korea has reported multiple attacks.
- South America: Brazil is a notable target within this region.

Industries targeted by Blacksuit
According to SOCRadar, Blacksuit predominantly targets the following industries (share of observed victims):
- Educational Services (22.7%): the most targeted sector; schools and universities typically combine large, flat networks with limited security staffing.
- Public Administration (13.6%): government bodies, where an attack disrupts public services directly.
- Construction; Professional, Scientific, and Technical Services; Wholesale Trade; Manufacturing (9.1% each): sectors where operational downtime is immediately costly, which increases pressure to pay.
- Other industries (4.5% each): Retail Trade; Transportation and Warehousing; Information Services; Arts, Entertainment, and Recreation; Health Care; Other Services.

Blacksuit's victims
At the time of writing, Blacksuit had claimed more than 96 victims. High-profile victims include major educational institutions, government agencies, construction companies, professional service firms, and healthcare providers. Because the group exfiltrates data before encrypting, these attacks typically result in both significant operational disruption and a data breach, regardless of whether the ransom is paid.

Blacksuit's Attack Method

Blacksuit intrusions follow the stages below. The MITRE ATT&CK technique IDs in parentheses are the standard identifiers for the behaviours the page describes.

- Initial access: phishing emails carrying malicious attachments or links, and exploitation of vulnerabilities in public-facing applications (T1566, T1190).
- Privilege escalation: exploitation of software vulnerabilities, and reuse of credentials dumped with tools such as Mimikatz to obtain higher-privileged accounts (T1068, T1003).
- Defense evasion: disabling security tools, using obfuscated code, and executing under trusted system processes so that activity blends in with normal operations (T1562.001, T1027).
- Credential access: keyloggers, credential-dumping tools, and brute-force attacks to harvest usernames and passwords (T1056.001, T1003, T1110).
- Discovery: extensive reconnaissance of the network to map its structure and identify critical systems and sensitive data (T1018, T1082).
- Lateral movement: legitimate administrative tools combined with compromised credentials to reach additional systems (T1021, T1078).
- Collection and exfiltration: financial data, personal information, and proprietary business information are gathered and sent to attacker-controlled servers, usually over encrypted channels to avoid detection. The stolen data is the lever for extortion even if the victim can restore from backups (T1041, T1567).
- Impact: the ransomware is deployed to the compromised systems and executed, encrypting files and rendering systems unusable. A ransom note then demands payment in cryptocurrency for the decryptor and for not leaking the stolen data (T1486).

Exfiltration precedes encryption, so the interval between initial access and the encryption event is the defender's detection window: credential dumping, remote service installation on many hosts, and large outbound transfers are all visible before any file is encrypted.
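To show how the stages above look in telemetry, here is an added detection example (not code from the original page or from Vectra AI) that runs four rules over constructed Windows-style events: a non-allowlisted process opening LSASS (credential dumping), a command line that disables security tooling, a PsExec-style service installation on a remote host (lateral movement), and a burst of file renames from one process (encryption). The event schema, the LSASS allowlist, the tamper patterns, and the 50-renames-in-60-seconds threshold are all assumptions for the example, not Blacksuit indicators from the page.

```python
"""Detection pass over constructed Windows telemetry for the Blacksuit attack chain
described above (credential dumping, disabling security tooling, lateral movement
with admin tools, bulk encryption). Added example, not code from the original page
or from Vectra AI. Event dicts only loosely mimic Sysmon / Security log field names;
the schema is an assumption, not a real log format."""
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # assumed
TAMPER_PATTERNS = ["set-mppreference", "disablerealtimemonitoring", "sc stop",
                   "sc config", "net stop", "taskkill /f /im"]                 # assumed
RENAME_THRESHOLD = 50                  # renames by one process ...
RENAME_WINDOW = timedelta(seconds=60)  # ... inside this sliding window

def detect_lsass_access(events):
    """Credential access: a process outside the allowlist opened lsass.exe."""
    alerts = []
    for e in events:
        if e["kind"] != "process_access" or basename(e["target_image"]).lower() != "lsass.exe":
            continue
        src = basename(e["source_image"]).lower()
        if src not in LSASS_ALLOWLIST:
            alerts.append({"rule": "lsass_access", "host": e["host"], "detail": src})
    return alerts

def detect_security_tool_tamper(events):
    """Defense evasion: command line that turns off or stops security tooling."""
    alerts = []
    for e in events:
        if e["kind"] != "process_create":
            continue
        hits = [p for p in TAMPER_PATTERNS if p in e["command_line"].lower()]
        if hits:
            alerts.append({"rule": "security_tool_tamper", "host": e["host"], "detail": hits[0]})
    return alerts

def detect_remote_service_install(events):
    """Lateral movement: a service installed from a PsExec-style or UNC path."""
    alerts = []
    for e in events:
        if e["kind"] != "service_install":
            continue
        path = e["image_path"].lower()
        if "psexesvc" in path or path.startswith("\\\\"):
            alerts.append({"rule": "remote_service_install", "host": e["host"],
                           "detail": e["service_name"]})
    return alerts

def detect_encryption_burst(events):
    """Impact: one process renames >= RENAME_THRESHOLD files inside RENAME_WINDOW."""
    per_proc = defaultdict(list)
    for e in events:
        if e["kind"] == "file_rename":
            key = (e["host"], basename(e["image"]).lower())
            per_proc[key].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, image), times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append({"rule": "encryption_burst", "host": host, "detail": image})
                break
    return alerts

def run_detections(events):
    """Run every rule over the same event stream and return all alerts."""
    alerts = []
    for rule in (detect_lsass_access, detect_security_tool_tamper,
                 detect_remote_service_install, detect_encryption_burst):
        alerts.extend(rule(events))
    return alerts

def build_sample_events():
    """Constructed telemetry (not real logs): attack-chain events plus benign noise."""
    ev = [
        {"ts": "2024-05-01T10:00:01", "kind": "process_access", "host": "WS01",  # benign: Defender
         "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
         "target_image": r"C:\Windows\System32\lsass.exe"},
        {"ts": "2024-05-01T10:00:05", "kind": "process_access", "host": "WS01",  # dump from Temp
         "source_image": r"C:\Users\jdoe\AppData\Local\Temp\x64.exe",
         "target_image": r"C:\Windows\System32\lsass.exe"},
        {"ts": "2024-05-01T10:02:10", "kind": "process_create", "host": "WS01",  # AV switched off
         "command_line": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"ts": "2024-05-01T10:05:00", "kind": "service_install", "host": "FS01",  # PsExec service
         "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
        {"ts": "2024-05-01T10:06:00", "kind": "file_rename", "host": "FS01",  # benign rename
         "image": r"C:\Windows\explorer.exe"},
    ]
    base = datetime(2024, 5, 1, 10, 7, 0)  # 80 renames in 40 s by the dropped binary
    for i in range(80):
        ev.append({"ts": (base + timedelta(seconds=i // 2)).isoformat(), "kind": "file_rename",
                   "host": "FS01", "image": r"C:\Users\jdoe\AppData\Local\Temp\x64.exe"})
    return ev

if __name__ == "__main__":
    for a in run_detections(build_sample_events()):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Running the block prints one alert per stage, and the Defender LSASS access, the benign rename, and any process under the 50-renames threshold stay silent. The order of the alerts is the point: the LSASS access and the AV tampering fire minutes before the rename burst, which is the window in which isolating WS01 and resetting the dumped credentials would stop the encryption on FS01.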
FAQs
What is Blacksuit ransomware?
Blacksuit is a ransomware group known for targeting critical infrastructure sectors and using advanced tactics to breach and encrypt victim networks.
How does Blacksuit typically gain initial access to a network?
They often use phishing emails, exploit vulnerabilities in public-facing applications, and send malicious attachments or links.
Which industries are most frequently targeted by Blacksuit?
Educational services, public administration, construction, professional and technical services, wholesale trade, and manufacturing are primary targets.
What techniques does Blacksuit use for privilege escalation?
They exploit software vulnerabilities and use tools like Mimikatz to gain higher-level access.
How does Blacksuit evade detection?
They use techniques such as disabling security tools, obfuscating code, and leveraging trusted system processes.
What methods are used by Blacksuit for credential access?
They employ keyloggers, credential dumping tools, and brute force attacks.
How does Blacksuit perform lateral movement within a network?
By using legitimate administrative tools and compromised credentials to access additional systems.
What types of data does Blacksuit exfiltrate?
Financial data, personal information, and proprietary business information are commonly exfiltrated.
How does Blacksuit execute the ransomware payload?
After data has been exfiltrated, the ransomware binary is pushed to the reachable systems using the compromised administrative credentials and executed to encrypt their files; a ransom note is then dropped on the affected hosts.
What are some effective defenses against Blacksuit?
Strong phishing defenses, prompt patching of public-facing applications, robust credential management (multi-factor authentication, no shared local administrator passwords, and protection of LSASS against credential dumping), offline backups, and extended detection and response (XDR) that can flag credential dumping, lateral movement, and bulk exfiltration before the encryption stage are the most effective controls.