What's going on?
A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia.
And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang.
Meanwhile, liberal arts college DePauw University in Indiana says that it was recently targeted, and a "limited amount of data on specific individuals was accessed." 214GB of stolen data has since been made available for download on BlackSuit's extortion site on the dark web.
How come I haven't heard of BlackSuit before?
Chances are that if you're interested in cybersecurity, you're not a complete stranger to BlackSuit. Although BlackSuit first appeared in May 2023, it appears to have strong links to the Royal ransomware gang, which itself was born out of the remains of the notorious Conti group.
Are you suggesting that BlackSuit is a rebranding of the Royal and Conti ransomware groups?
It's not just me. Last month the US Department of Health and Human Services (HHS) issued an advisory to the healthcare and public health sector about BlackSuit that described its "striking parallels" to Royal, and said it was the "direct successor to the notorious Russian-linked Conti operation."
The HHS warned that BlackSuit was "a threat actor to be closely watched in the near future".
So is BlackSuit another ransomware-as-a-service (RaaS) operation?
Not presently. Right now, it cannot be considered ransomware-as-a-service as there aren't any known affiliates of BlackSuit. Of course, that might change in the future - but it's possible that the malicious hackers behind BlackSuit are happy keeping their weapon (and the profits it generates) to themselves.
How will I know that my organisation has been hit by BlackSuit?
BlackSuit encrypts files on your Linux and Windows systems and appends a ".blacksuit" extension to affected files. It also changes your desktop wallpaper, and drops a ransom note (named "README.BlackSuit.txt".
Should I pay the ransom?
That's the six million dollar question. Or should that be the 139 Bitcoins question? :)
It's true to say that paying ransoms encourages ransomware attackers. If no organisations ever paid up, there would not be ransomware attacks. So, paying the malicious people attempting to extort your company is deeply unattractive.
However, not paying is not an easy decision for any victim to make. Even if they have a secure, unencrypted backup of their important data to rebuild their systems from, they will still have to handle the possible fall-out when sensitive information about their business, their employees, their suppliers, and their customers is released into the public domain by the criminals.
The repercussions of a data leak are not just potentially legal, but a company's public image and brand reputation may be seriously tarnished by hackers that publish exfiltrated data.
Ultimately, there is no good decision - only a choice between two unpleasant options.
So, what action should I take right now?
The best thing to do is to ensure that you have hardened defences in place before a ransomware attack, to reduce the chances of it succeeding and limiting any potential impact on your business.
The FBI and CISA have published mitigation guidance and a range of IOCs for both the Royal and BlackSuit ransomware families.
In addition, it would be wise to follow our recommendations on how to protect your organisation from other ransomware.
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- Restrict an attacker's ability to spread laterally through your organisation via network segmentation.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Stay safe, and don't allow your organisation to be the next victim to fall foul of the BlackSuit ransomware group.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.