{
	"id": "87d1770f-2103-4569-b396-93ef744bdb64",
	"created_at": "2026-04-06T00:14:32.625135Z",
	"updated_at": "2026-04-10T13:13:00.328372Z",
	"deleted_at": null,
	"sha1_hash": "86c16c78d56e912918a37d7129b9617aae166c85",
	"title": "#StopRansomware: Blacksuit (Royal) Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198284,
	"plain_text": "#StopRansomware: Blacksuit (Royal) Ransomware | CISA\r\nPublished: 2024-08-27 · Archived: 2026-04-05 22:19:56 UTC\r\n1. Prioritize remediating known exploited vulnerabilities.\r\n2. Train users to recognize and report phishing attempts.\r\n3. Enable and enforce multifactor authentication.\r\nSummary\r\nNote: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network\r\ndefenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories\r\ninclude recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)\r\nto help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to\r\nlearn more about other ransomware threats and no-cost resources.\r\nNote: This advisory, originally published March 2, 2023, has been updated four times:\r\nNovember 13, 2023: The advisory was updated to share new Royal TTPs and IOCs.\r\nAugust 7, 2024: The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors\r\nto “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware.\r\n“Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content\r\nare noted.\r\nAugust 14, 2024: The STIX files from the previous update (08/07/2024) were refreshed.\r\nAugust 27, 2024: The STIX files from the (08/19/2024) update were refreshed.\r\n(New August 7, 2024) The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency\r\n(CISA) are releasing this joint advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified through FBI\r\nthreat response activities and third-party reporting as recently as July 2024. 
BlackSuit ransomware is the evolution of the\r\nransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June\r\n2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities.\r\n(Updated August 7, 2024) BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim\r\ndata to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by\r\nBlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate\r\nlarge amounts of data before ultimately deploying the ransomware and encrypting the systems.\r\n(Updated August 7, 2024) Ransom demands have typically ranged from approximately $1 million to $10 million USD, with\r\npayment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total, and the largest individual\r\nransom demand was $60 million. BlackSuit actors have exhibited a willingness to negotiate payment amounts. Ransom\r\namounts are not part of the initial ransom note but require direct interaction with the threat actor via a .onion URL\r\n(reachable through the Tor browser) provided after encryption. Recently, an uptick was observed in the number of instances\r\nwhere victims received telephone or email communications from BlackSuit actors regarding the compromise and ransom.\r\nBlackSuit uses a leak site to publish victim data in the event of non-payment.\r\nFBI and CISA encourage organizations to implement the recommendations found in the Mitigations section of this CSA to\r\nreduce the likelihood and impact of ransomware incidents.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 15. 
See the MITRE ATT\u0026CK\r\nTactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques.\r\nFor assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE\r\nATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nBlackSuit uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a\r\nfile to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade\r\ndetection, and also significantly improves ransomware speed.[1] In addition to encrypting files, BlackSuit actors also\r\nengage in double extortion tactics in which they threaten to publicly release the exfiltrated data if the victim does not pay the\r\nransom.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a\r\nPage 1 of 18\n\nInitial Access\r\nBlackSuit actors gain initial access to victim networks in several ways, including:\r\nPhishing. According to third-party reporting, BlackSuit actors most commonly gain initial access to victim networks\r\nvia phishing emails [T1566].\r\nAccording to open source reporting, victims have unknowingly installed malware that delivers BlackSuit\r\nransomware after receiving phishing emails containing malicious PDF documents [T1566.001] and\r\nmalvertising [T1566.002].[2]\r\nRemote Desktop Protocol (RDP). The second most common vector (around 13.3% of incidents) BlackSuit actors\r\nuse for initial access is RDP compromise [T1021.001].\r\nPublic-facing applications. FBI has observed BlackSuit actors gain initial access through exploiting vulnerable\r\npublic-facing applications [T1190].\r\nBrokers. 
Reports from trusted third-party sources indicate that BlackSuit actors may leverage initial access brokers\r\nto gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs\r\n[T1650].\r\nCommand and Control\r\nOnce BlackSuit actors gain access to a network, they communicate with command and control (C2) infrastructure and\r\ndownload multiple tools [T1105]. Legitimate Windows software is repurposed by BlackSuit actors to strengthen their\r\nfoothold within the victim’s network. Ransomware operators often use open source projects to aid their intrusion activities.\r\nHistorically, Royal actors were observed leveraging Chisel, Secure Shell (SSH) client, PuTTY, OpenSSH, and\r\nMobaXterm [T1572] to communicate with their C2 infrastructure.\r\nLateral Movement and Persistence\r\n(Updated August 7, 2024) Historically, Royal threat actors used RDP and legitimate operating system (OS) diagnostic tools\r\nto move laterally across a network [T1021.001]. BlackSuit actors likewise use RDP and PsExec, and additionally SMB\r\n[T1021.001], to move laterally. In one confirmed case, BlackSuit actors used a legitimate admin account [T1078] to\r\nremotely log on to the domain controller via SMB. Once on the domain controller, the threat actor deactivated antivirus\r\nsoftware [T1562.001] by modifying Group Policy Objects [T1484.001].\r\n(Updated August 7, 2024) FBI observed BlackSuit actors using legitimate remote monitoring and management (RMM)\r\nsoftware to maintain persistence in victim networks [T1133].\r\n(New August 7, 2024) BlackSuit actors use SystemBC and Gootloader malware to load additional tools and maintain\r\npersistence.\r\nDiscovery and Credential Access\r\n(New August 7, 2024) BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate\r\nvictim networks. 
The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have\r\nalso been found on victim systems. Tools such as PowerTool and GMER are often used to kill system processes.\r\nExfiltration\r\nBlackSuit actors exfiltrate data from victim networks by repurposing legitimate cyber penetration testing tools, such\r\nas Cobalt Strike, and malware tools/derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to\r\nthird-party reporting, BlackSuit actors’ first hop in exfiltration and other operations is usually a U.S. IP address.\r\n(New August 7, 2024) BlackSuit actors also use RClone and Brute Ratel for exfiltration.\r\nEncryption\r\nBefore starting the encryption process, BlackSuit actors:\r\nUse Windows Restart Manager to determine whether targeted files are currently in use or blocked by other\r\napplications [T1486].[1]\r\nUse the Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to inhibit system recovery.[1]\r\nFBI has found numerous batch (.bat) files on impacted systems, typically transferred as an encrypted 7-Zip archive.\r\nThe batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract\r\n[T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including\r\nthe Application, System, and Security event logs [T1070.001]. The registry keys created can be modified and deleted to enable\r\npersistence on the victim’s system.\r\nMalicious files have been found in victim networks in the following directories:\r\nC:\\Temp\\\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\\r\nC:\\Users\\\u003cusers\u003e\\\r\nC:\\ProgramData\\\r\nThe root C:\\ directory has also served as a storage location for malicious files. 
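The pre-encryption staging just described (a new admin account, a forced group policy refresh, registry keys for persistence, shadow-copy deletion and event-log clearing) is a tight cluster of behaviours that is far easier to detect as a correlated set than one command at a time. The following Python is an added example and is not code from the advisory or from FBI/CISA. The event layout, host names and command lines are constructed sample data; the use of net.exe for account creation, gpupdate, vssadmin and wevtutil are assumptions about how such batch files might implement the steps listed above, not recovered BlackSuit commands. The Run value name socks_powershell is the one listed in Table 10 below.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The field layout is this
# example's own: 'id' mimics Windows Security 4688 (process creation),
# 1102 (audit log cleared) and Sysmon event 13 (registry value set).
SAMPLE_EVENTS = [
    {'ts': '2024-05-01T02:10:05', 'id': 4688, 'host': 'DC01', 'user': 'admin',
     'cmd': 'net user svc_backup P@ss1234! /add'},
    {'ts': '2024-05-01T02:10:06', 'id': 4688, 'host': 'DC01', 'user': 'admin',
     'cmd': 'net localgroup administrators svc_backup /add'},
    {'ts': '2024-05-01T02:10:20', 'id': 4688, 'host': 'DC01', 'user': 'admin',
     'cmd': 'gpupdate /force'},
    {'ts': '2024-05-01T02:11:00', 'id': 13, 'host': 'DC01', 'user': 'SYSTEM',
     'target': 'HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\socks_powershell',
     'details': 'powershell -w hidden -f C:\\ProgramData\\socks.ps1'},
    {'ts': '2024-05-01T02:12:30', 'id': 4688, 'host': 'DC01', 'user': 'admin',
     'cmd': 'vssadmin.exe delete shadows /all /quiet'},
    {'ts': '2024-05-01T02:40:00', 'id': 1102, 'host': 'DC01', 'user': 'admin'},
    {'ts': '2024-05-01T02:40:01', 'id': 4688, 'host': 'DC01', 'user': 'admin',
     'cmd': 'wevtutil.exe cl System'},
    # benign noise: a backup job on a file server only lists shadow copies
    {'ts': '2024-05-01T03:00:00', 'id': 4688, 'host': 'FS01', 'user': 'backup',
     'cmd': 'vssadmin.exe list shadows'},
]

# Command-line rules for the staging steps, tagged with the ATT&CK IDs the
# advisory maps to them. T1490 is the ATT&CK ID for shadow-copy deletion and
# is not cited by the advisory itself. The commands matched here are an
# assumption about how the batch files could implement each step.
RULES = [
    ('new local user', 'T1078.002', r'\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b'),
    ('user added to Administrators', 'T1078.002', r'\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b'),
    ('forced group policy refresh', 'T1484.001', r'\bgpupdate(\.exe)?\s+/force\b'),
    ('shadow copies deleted', 'T1490', r'\bvssadmin(\.exe)?\s+delete\s+shadows\b'),
    ('event log cleared via wevtutil', 'T1070.001', r'\bwevtutil(\.exe)?\s+cl\s+(application|system|security)\b'),
]


def _ts(value):
    return datetime.strptime(value, '%Y-%m-%dT%H:%M:%S')


def match_events(events):
    '''Return one finding per (event, behaviour) pair.'''
    findings = []
    for ev in events:
        when, host = _ts(ev['ts']), ev['host']
        if ev['id'] == 4688:
            for name, technique, pattern in RULES:
                if re.search(pattern, ev.get('cmd', ''), re.IGNORECASE):
                    findings.append({'host': host, 'ts': when, 'rule': name, 'technique': technique})
        elif ev['id'] == 1102:   # Security log cleared, written by the EventLog service itself
            findings.append({'host': host, 'ts': when, 'rule': 'Security log cleared (1102)',
                             'technique': 'T1070.001'})
        elif ev['id'] == 13:     # the Run value listed in Table 10 (socks_powershell)
            if ev.get('target', '').lower().endswith('\\run\\socks_powershell'):
                findings.append({'host': host, 'ts': when, 'rule': 'Run key value socks_powershell',
                                 'technique': 'persistence (Table 10)'})
    return findings


def staging_alerts(findings, window=timedelta(minutes=60), min_rules=3):
    '''Per host, raise one alert when at least min_rules distinct behaviours
    fall inside a sliding window. A lone vssadmin call is noisy; several of
    these steps on one host within an hour rarely happen outside an intrusion.'''
    by_host = {}
    for f in findings:
        by_host.setdefault(f['host'], []).append(f)
    alerts = []
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f['ts'])
        for i, first in enumerate(fs):
            in_window = [f for f in fs[i:] if f['ts'] - first['ts'] <= window]
            rules = {f['rule'] for f in in_window}
            if len(rules) >= min_rules:
                alerts.append({'host': host, 'first_seen': first['ts'], 'rules': sorted(rules),
                               'techniques': sorted({f['technique'] for f in in_window})})
                break    # one alert per host is enough for triage
    return alerts


if __name__ == '__main__':
    for alert in staging_alerts(match_events(SAMPLE_EVENTS)):
        print(alert['host'], alert['first_seen'], alert['rules'])
```

Run directly it prints one alert for DC01 carrying all seven behaviours; the file server's shadow-copy listing produces nothing, which is the point of requiring several distinct behaviours before alerting rather than matching vssadmin alone.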
BlackSuit actors have been observed using\r\nlegitimate software and open source tools during ransomware operations.\r\nIndicators of Compromise (IOCs)\r\nSee Table 1 through Table 5 for Royal ransomware IOCs obtained by FBI during threat response activities as of January\r\n2023.\r\n(New November 13, 2023) See Table 6 and Table 7 for Royal and BlackSuit Ransomware IOCs as of June 2023. See Table\r\n8 for a list of legitimate software used by Royal and BlackSuit threat actors identified through FBI investigations as of June\r\n2023.\r\n(New August 7, 2024) See Table 9 through Table 17 for BlackSuit ransomware IOCs obtained by FBI during threat\r\nresponse activities as of July 2024 and Figure 1 for a sample ransom note.\r\nDisclaimer: Some of the observed IP addresses are several years old. FBI and CISA recommend vetting or investigating\r\nthese IP addresses prior to taking forward-looking action, such as blocking.\r\nRoyal IOCs as of January 2023\r\nTable 1: Royal Ransomware Associated Files as of January 2023\r\nIOC Description\r\n.royal Encrypted file extension\r\nREADME.TXT Ransom note\r\nTable 2: Royal Ransomware Associated IP addresses as of January 2023\r\nMalicious IP Last Observed Activity\r\n102.157.44[.]105 November 2022\r\n105.158.118[.]241 November 2022\r\n105.69.155[.]85 November 2022\r\n113.169.187[.]159 November 2022\r\n134.35.9[.]209 November 2022\r\n139.195.43[.]166 November 2022\r\n139.60.161[.]213 November 2022\r\n148.213.109[.]165 November 2022\r\n163.182.177[.]80 November 2022\r\n181.141.3[.]126 November 2022\r\n181.164.194[.]228 November 2022\r\n185.143.223[.]69 November 2022\r\n186.64.67[.]6 November 2022\r\n186.86.212[.]138 November 2022\r\n190.193.180[.]228 November 2022\r\n196.70.77[.]11 November 2022\r\n197.11.134[.]255 November 2022\r\n197.158.89[.]85 November 2022\r\n197.204.247[.]7 November 2022\r\n197.207.181[.]147 November 2022\r\n197.207.218[.]27 November 2022\r\n197.94.67[.]207 November 2022\r\n23.111.114[.]52 November 2022\r\n41.100.55[.]97 November 2022\r\n41.107.77[.]67 November 2022\r\n41.109.11[.]80 November 2022\r\n41.251.121[.]35 November 2022\r\n41.97.65[.]51 November 2022\r\n42.189.12[.]36 November 2022\r\n45.227.251[.]167 November 2022\r\n5.44.42[.]20 November 2022\r\n61.166.221[.]46 November 2022\r\n68.83.169[.]91 November 2022\r\n81.184.181[.]215 November 2022\r\n82.12.196[.]197 November 2022\r\n98.143.70[.]147 November 2022\r\n140.82.48[.]158 December 2022\r\n147.135.36[.]162 December 2022\r\n147.135.11[.]223 December 2022\r\n152.89.247[.]50 December 2022\r\n172.64.80[.]1 December 2022\r\n179.43.167[.]10 December 2022\r\n185.7.214[.]218 December 2022\r\n193.149.176[.]157 December 2022\r\n193.235.146[.]104 December 2022\r\n209.141.36[.]116 December 2022\r\n45.61.136[.]47 December 2022\r\n45.8.158[.]104 December 2022\r\n5.181.234[.]58 December 2022\r\n5.188.86[.]195 December 2022\r\n77.73.133[.]84 December 2022\r\n89.108.65[.]136 December 2022\r\n94.232.41[.]105 December 2022\r\n47.87.229[.]39 January 2023\r\nTable 3: Royal Ransomware Associated Domains as of January 2023\r\nMalicious Domain Last Observed Activity\r\nsombrat[.]com October 2022\r\ngororama[.]com November 2022\r\nsofteruplive[.]com November 2022\r\naltocloudzone[.]live December 2022\r\nciborkumari[.]xyz December 2022\r\nmyappearinc[.]com December 2022\r\nparkerpublic[.]com December 2022\r\npastebin.mozilla[.]org/Z54Vudf9/raw December 2022\r\ntumbleproperty[.]com December 2022\r\nmyappearinc[.]com/acquire/draft/c7lh0s5jv January 2023\r\nTable 4: Tools Used by Royal Operators\r\nTool SHA256\r\nAV tamper 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375\r\nTCP/UDP Tunnel over HTTP 
(Chisel) 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451\r\nUrsnif/Gozi be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1\r\nExfil B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20\r\nRemote Access (AnyDesk) 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7\r\nPowerShell Toolkit Downloader 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce\r\nPsExec (Microsoft Sysinternals) 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c\r\nKeep Host Unlocked (Don’t Sleep) f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee\r\nRansomware Executable d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681\r\nWindows Command Line (NirCmd) 216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5\r\nSystem Management (NSudo) 19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618\r\nTable 5: Batch Script Tools Used by Royal Operators\r\nFile name Hash Value (40-character values are SHA-1, 64-character values are SHA-256)\r\n2.bat 585b05b290d241a249af93b1896a9474128da969\r\n3.bat 41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d\r\n4.bat a84ed0f3c46b01d66510ccc9b1fc1e07af005c60\r\n8.bat c96154690f60a8e1f2271242e458029014ffe30a\r\nkl.bat 65dc04f3f75deb3b287cca3138d9d0ec36b8bea0\r\ngp.bat 82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58\r\nr.bat 74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c\r\nrunanddelete.bat 342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE\r\nRoyal and BlackSuit IOCs as of June 2023 (New November 13, 2023)\r\nTable 6: Royal Ransomware Associated Files, Tools, and Hashes as of June 2023\r\nName Description or Hash Value (64-character values are SHA-256, 40-character values are SHA-1)\r\nC:\\Users\\Public\\conhost.exe client 149.28.73.161:443 R:149.28.73.161:43657:socks\r\nChisel client renamed to conhost.exe, executed on the victim’s machine: it connects out to the C2 server on port 443 and, through the\r\nR: (reverse) argument, has that server listen on 149.28.73.161:43657 as a SOCKS proxy into the victim network, so the operator’s\r\ntraffic rides the outbound 443 session rather than needing port 43657 reachable from the victim side.\r\nroyal_w Encryption extension\r\n%PROGRAMDATA% Ransomware Filepath\r\n%TEMP%\\execute.bat\r\nInstallerV20.8.msi\r\nwindows_encryptor.exe 85087f28a84205e344d7e8e06979e6622fab0cfe1759fd24e38cd0390bca5fa6\r\n%PROGRAMDATA%\\wine.exe 5b08c02c141eab94a40b56240a26cab7ff07e9a6e760dfde8b8b053a3526f0e6\r\n%USERPROFILE%\\Downloads\\run1.bat bc609cf53dde126b766d35b5bcf0a530c24d91fe23633dad6c2c59fd1843f781\r\n%USERPROFILE%\\Downloads\\run2.bat 13c25164791d3436cf2efbc410caec6b6dd6978d7e83c4766917630e24e1af10\r\n%USERPROFILE%\\Downloads\\run3.bat 2b93206d7a36cccdf7d7596b90ead301b2ff7e9a96359f39b6ba31bb13d11f45\r\n%USERPROFILE%\\Downloads\\run4.bat 84e1efbed6bb7720caea6720a8bff7cd93b5d42fb1d71ef8031bfd3897ed4435\r\n%USERPROFILE%\\Downloads\\sc.bat e0dbe3a2d07ee10731b68a142c65db077cfb88e5ec5c8415e548d3ede40e7ffc\r\n%USERPROFILE%\\Downloads\\sr.bat 
34a98f2b54ebab999f218b0990665485eb2bb74babdf7e714cc10a306616b00c\r\nrunanddelete.bat 342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee\r\nscripttodo.ps1 (94.232.41.105) 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce\r\ndontsleep.exe f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee\r\nwstart.exe d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681\r\nInstallerV8.1.ms 3e6e2e0de75896033d91dfd07550c478590ca4cd4598004d9e19246e8a09cb97\r\nshutdowni.bat 8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375\r\nf827.exe 5654f32a4f0f2e900a35761e8caf7ef0c50ee7800e0a3b19354b571bc6876f61\r\nd2ef5.exe be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1\r\nf24dc8ea.msi 91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055\r\ndefw10.bat fb638dba20e5fec72f5501d7e0627b302834ec5eaf331dd999763ee925cbc0f9\r\nll.exe f0197bd7ccd568c523df9c7d9afcbac222f14d344312322c04c92e7968859726\r\nRoyal Ransomware Hash b987f738a1e185f71e358b02cafa5fe56a4e3457df3b587d6b40e9c9de1da410\r\nb34v2.dll a51b1f1f0636bff199c0f87e2bb300d42e06698b (SHA-1)\r\n1.exe d93f1ef533e6b8c95330ba0962e3670eaf94a026 (SHA-1)\r\n34.dll 9e19afc15c5781e8a89a75607578760aabad8e65 (SHA-1)\r\nll.exe 9a92b147cad814bfbd4632b6034b8abf8d84b1a5 (SHA-1)\r\nRoyal Ransomware Hash a4ef01d55e55cebdd37ba71c28b0c448a9c833c0 (SHA-1)\r\nTable 7: BlackSuit Ransomware Associated Files, Tools, and Hashes as of June 2023\r\nName Hash Value (SHA-1; the 40-character digests below are not MD5)\r\nsys32.exe 30cc7724be4a09d5bcd9254197af05e9fab76455\r\nesxi_encryptor 861793c4e0d4a92844994b640cc6bc3e20944a73\r\nBlackSuit threat actors have been observed using legitimate software and open source tools during ransomware operations.\r\nThreat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as\r\nSecure Shell (SSH) Client, OpenSSH, and MobaXterm to establish 
SSH connections. The publicly available credential\r\nstealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Legitimate\r\nRMM tools have also been observed as backdoor access vectors. Some legitimate software and open source tools can be\r\nfound in Table 8.\r\nTable 8: Legitimate Files and Tools Used by Royal and BlackSuit Ransomware\r\nName Description or SHA 256 Hash Value\r\nC:\\Program Files\\OpenSSH\\ssh-agent.exe\r\nC:\\Program Files\\OpenSSH\\sshd.exe\r\nSSH Client\r\n%USERPROFILE%\\Downloads\\WinRAR.exe Compression tool\r\n%APPDATA%\\MobaXterm\\ Toolbox for remote computing\r\n\\Program Files (x86)\\Mobatek\\ Toolbox for remote computing\r\n\\Program Files (x86)\\Mobatek\\MobaXterm\\ Toolbox for remote computing\r\nb34v2.dll Cobalt Strike Beacon\r\n34.dll Cobalt Strike Beacon\r\nmimikatz.exe Mimikatz credential harvester\r\ndialuppass.exe Nirsoft password harvesting utility\r\niepv.exe Nirsoft password harvesting utility\r\nmailpv.exe Nirsoft password harvesting utility\r\nnetpass.exe Nirsoft password harvesting utility\r\nrouterpassview.exe Nirsoft password harvesting utility\r\nAdFind.exe ADFind tool\r\nLogMeIn Remote access tool\r\nAtera Remote access tool\r\nC:\\Program Files\\Eraser\\Eraser.exe Anti-Forensics Tool used by TA\r\nadvanced_ip_scanner.exe Reconnaissance Tool used by TA\r\nconhost.exe (chisel_windows_1_7_7.exe) b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b\r\n%USERPROFILE%\\Downloads\\svvhost.exe\r\n\\Users\\Administrator\\AppData\\Local\\Temp\\cloudflared.exe\r\nc429719a45ca14f52513fe55320ebc49433c729a0d2223479d9d43597eab39fa\r\nnircmd.exe 216047c048bf1dcbf031cf24bd5e0f263994a5df60b23089e393033d17257cb5\r\nnsudo.exe 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618\r\nIOCs as of July 2024 (New August 7, 2024)\r\nDisclaimer: 
Several of these observed IP addresses were first observed as early as 2023, although the most recent are from\r\nJuly of 2024 and have been historically linked to BlackSuit (formerly known as Royal) Ransomware. IP addresses in this\r\nadvisory were maliciously used during the time range highlighted below, and may have been used for legitimate purposes\r\noutside of that time span. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to\r\ntaking action, such as blocking.\r\nTable 9: Malicious URL(s) associated with BlackSuit Ransomware\r\nURL Association Malicious URLs\r\nURLs from malicious PowerShell on P0, potentially debug.ps1\r\nhttps://1tvnews[.]af/xmlrpc.php\r\nhttps://avpvuurwerk[.]nl/xmlrpc.php\r\nhttps://beautyhabits[.]gr/xmlrpc.php\r\nhttps://interpolyaris[.]ru/xmlrpc.php\r\nhttps://libertygospeltracts[.]com/xmlrpc.php\r\nhttps://oldtimertreffen-rethem[.]de/xmlrpc.php\r\nhttps://parencyivf[.]com/xmlrpc.php\r\nhttps://pikaluna[.]com/xmlrpc.php\r\nhttps://stroeck[.]at/xmlrpc.php\r\nURL associated to BRC4 / Brute Ratel megupdate[.]com\r\nURLs associated to Exfiltration mystuff[.]bublup[.]com\r\nURL associated to Cobalt Strike C2 provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io\r\nURL associated to Initial Access Download zoommanager[.]com\r\nTable 10: BlackSuit Ransomware Associated Files and Hash Values\r\nFilename Hash Value – SHA-256 (the table’s Description column did not survive in this copy)\r\n1.exe af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61\r\nPowerTool64.exe\r\naaa.exe C4A2227CD8D85128EAFEF8EE2298AA105DA892C8B0F37405667C2D1647C35C46\r\naaa.exe 8d16a23d5a5630502b09c33fbc571d2261c6c98fecc3a79a1e1129354f930d0a\r\nWen.exe 01ce9cfebb29596d0ab7c99e8dbadf1a8409750b183e6bf73e0de021b365be13\r\netmc.exe a0a4a99948e12309f54911264261d96f0e40d5fd695bab82e95fbc1f9024482e\r\nsvchost.exe 9bbc9784ce3c818a127debfe710ec6ce21e7c9dd0daf4e30b8506a6dba533db4\r\nlocker_N1uYkmEsfoHmT4lK66trUjBuy5gyAj7n.ex_ 
146335b1be627318ac09476f0c8f8e6e027805e6077673f72d6dce1677a24c78\r\nsocks32.exe 9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300\r\nC:\\users\\Administrator\\AppData\\Local\\msa.ps1\r\n%APPDATA%\\Zoom\\Alternative Workplace Strategies.js E813F8FAF3AA2EB20E285596413F5088B2D7FD153FE9F72F3FF45735D0FDDCED\r\nC:\\Users\\Public\\socks.ps1 25A6F82936134A6C5C0066F382530B9D6BF2C8DA6FEAFE028F166B1A9D7283CF\r\nHKEY_USERS\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Value == socks_powershell)\r\nshare$.zip e3d7c012040962acd66f395d1c5c5f73f305aa1058f2111e8e37d9cb213b80c4\r\nsocss.exe C798B2690C5F16EB2917A679AF3117CFE9C7060FA8BC84FFC3159338EF33508E\r\nqq.exe 3c8c1b1f53e0767b7291bb1ae605ffa62a93e9c8cc783e4ca47ac84b48320d59\r\ngomer.exe\r\n288-csrss.exe ee6ec2810910c6d2a2957f041edd1e39dca4266a1cc8009ae6d7315aba9196f5\r\n372-winlogon.exe 68c57daed0e5899c49b827042bcf3bbeba33b524bd83315a44d889721664dc34\r\n776-svchost.exe bbb7404419f91f82cedfec915931a9339f04165b27d8878d63827c9ee421ed62\r\nExe.exe, aaaa.exe, qq.exe 338228a3e79f3993abc102cbac2ff253c84965213d59ac30892538cdd9b0a22b\r\nMwntv.sys 6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de\r\nUn_A.exe\r\nUn_B.erxe\r\nTable 11: Batch Script Tools Used by BlackSuit Ransomware Operators and Hash Values\r\nFilename Description Hash Value – SHA-256\r\n2.bat Batch script to copy and execute encryptor 3041dfc13f356c2f0133a9c11a258f87cb7de1e17bc435e9b623d74bc5e1c6be\r\nC:\\share$\\_EXEC.bat Execute encrypter 8F87A1542EE790623896BBAAB933D1883484DE02A7B3D65D6C791D50173A923D\r\nfstart.bat A batch script used to enable remote services, perform anti-forensics, and enable clear-text passwords in memory\r\nNLA.bat A batch 
script used to disable Network Level Authentication (NLA) for Remote Desktop Services (RDS)\r\nav.bat A batch script that searches for presence of an application and uninstalls it\r\nsysteminfo.bat A batch script used for system enumeration\r\nmv.bat A batch script used to move the PsExec executable and delete the netscan executable\r\nTable 12: IP addresses from BlackSuit Ransomware Deployments (from November 2023 to July 2024)\r\nIP Address Time Range of Use Description\r\n143[.]244[.]146[.]183:443 May 2024 Unknown C2 – potential SOCKS Proxy\r\n45[.]141[.]87[.]218:9000 May 2024 Arechclient2 Backdoor/SecTopRAT\r\n45[.]141[.]87[.]218:443 May 2024 Arechclient2 Backdoor/SecTopRAT\r\n184.174.96[.]16 May 2024 Associated with download of the binary vm.dll\r\n89.251.22[.]32 May 2024 Cobalt Strike\r\n135.148.67[.]84 May 2024 Resolves to domain turnovercheck[.]com\r\n180.131.145[.]85 May 2024 Associated with malicious PowerShell execution\r\n180.131.145[.]61 May 2024 SystemBC Command \u0026 Control\r\n138.199.53[.]226 Feb 2024\r\n184.166.211[.]74 Feb 2024\r\n185.190.24[.]103 Feb 2024\r\n5.181.234[.]58 Feb 2024\r\n137.220.61[.]94 Nov 2023 – Feb 2024 Connecting outbound from Socss.exe\r\n193.37.69[.]116 Nov 2023 – Jan 2024 Associated with exfiltration\r\n144.202.120[.]122 Nov 2023 socks1.ps1 backdoor; SystemBC Backdoor C2; www.recruitment-interview[.]org (C2 SystemBC)\r\n104.21.58[.]219:443 Nov 2023 Cobalt Strike\r\n141.98.80[.]181:80 Nov 2023 Cobalt Strike\r\n144.202.120[.]122:433 Nov 2023 PowerShell Reverse Proxy\r\n155.138.150[.]236:8088 Nov 2023 PowerShell Reverse Proxy\r\n140.82.18[.]48 Nov 2023\r\n141.98.80[.]181 Nov 2023\r\n44.202.120[.]122 Nov 2023\r\n
45.76.225[.]156 Nov 2023\r\nTable 13: Legitimate Files and Tools Used by BlackSuit Ransomware (1 of 3)\r\nFile name Hash Value – SHA-256 Description\r\nshare.exe f02af8ffc37d1874b971307fdec80e33e583b56d9ebabda78a4b8ad038bc3bf0 Cobalt Strike\r\n181.exe b028eaa0ec452c6844881dc34be813834813a40591b89ea9a57dd4fb4084e477 Cobalt Strike – File name\r\n222wqc.exe ae724dce252c7b05a84bc264993172cf86950d22744b5e3a1b15ba645d9d3733 Cobalt Strike\r\ngmer.exe GMER / Rootkit Hunter\r\nPowerTool64.exe PowerTool64 for hacking\r\nPsexesvc.exe 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 Sysinternals\r\nSocks5.ps1 / Socks.ps1 25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf PowerShell Reverse Proxy\r\nnetscan.exe A network reconnaissance tool\r\n3iSDtcX.exe e87512ea12288acec611cf8e995c4ced3971d9e35c0c5dcfd9ee17c9e3ed913d Putty suite\r\nFile.exe / Putty.exe f805dafb3c0b7e18aa7d8c96db8e8d4e9301ff619622d1aecc8080e0ecd9ebbe Possibly used for C2\r\nMwntv.sys 6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de Potential Tool Ingress\r\nAnyDesk 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499 Potential remote access tool\r\nScreenConnect 420db40d26d309d3dba3245abb91207f1bca050530545a8048f856e5840d22a2 Potential remote access tool\r\nSharpShares.exe Enumerate network shares\r\nNetworx.exe Bandwidth utilization\r\nTable 14: Legitimate Files and Tools Used by BlackSuit Ransomware (2 of 3)\r\nFilename Hash Value – SHA-1 Description\r\n181[.]exe 790d40cd16fb458bf99e3600bce29eca06d40b56 Cobalt Strike – Host name\r\nTable 15: Legitimate Files and Tools Used by BlackSuit Ransomware (3 of 3)\r\nFilename File Path Description\r\nAnydesk.exe C:\\Program Files(x86)\\AnyDesk\\AnyDesk.exe\r\nRemote 
Monitoring and Management (RMM) Tool\r\nehorus_display.exe C:\\Program Files\\ehorus_agent\\ehorus_display\\ehorus_display.exe RMM Tool\r\nehorus_launcher.exe C:\\Program Files\\ehorus_agent\\ehorus_launcher.exe RMM Tool\r\nTable 16: Domain(s) associated to BlackSuit Ransomware\r\nDomain Name Description\r\nAbbeymathiass[.]com Cobalt Strike C2\r\nMail.abbeymathiass[.]com Cobalt Strike C2\r\nStore.abbeymathiass[.]com Cobalt Strike C2\r\nhttps://file[.]io/ScPd1KcJTtxO Associated with download of the binary disabler.exe by threat actors\r\nMail.turnovercheck[.]com Cobalt Strike C2\r\nStore.turnovercheck[.]com Cobalt Strike C2\r\nturnovercheck[.]com Cobalt Strike C2\r\nHourlyprofitstore[.]com Cobalt Strike\r\nIPs and Domains for downloads / C2 / exfiltration of communication:\r\nhttps://protect-us.mimecast[.]com/s/A2PyC31xN5IpzR0XUvzaAj?domain=5.181.157.8\r\nhttps://protect-us.mimecast[.]com/s/CcsrC4xyO7fBK73ztjNfPl?domain=5.181.234.58\r\nhttps://protect-us.mimecast[.]com/s/NwueC5yzP5IZLW4MulfSrc?domain=137.220.61.94\r\nhttps://protect-us.mimecast[.]com/s/T3InC2kwM5hpzEOVU9S5zn?domain=147.135.36.162\r\nhttps://protect-us.mimecast[.]com/s/teBrC1wvL8iMNE56tXga0n?domain=147.135.11.223\r\nThe five protect-us.mimecast[.]com/s/ entries are Mimecast URL Protect rewrites of links as they appeared in email, not actor\r\ninfrastructure; the indicator in each is the host in the domain= parameter, and 5.181.234.58, 137.220.61.94, 147.135.36.162 and\r\n147.135.11.223 also appear in Table 2 or Table 12.\r\nTable 17: BlackSuit Ransomware Note and Hash Value\r\nFile Name Hash Value Description\r\nreadme.BlackSuit.txt 1743494f803bbcbd11150a4a8b7a2c5faba1223da607f67d24b18ca2d95d5ba3 Ransomware note\r\nRansom Note (New August 7, 2024)\r\nFigure 1 shows the observed BlackSuit ransom notes delivered to victims.\r\nFigure 1. 
BlackSuit Ransom Note\r\nYour safety service did a really poor job of protecting your files against our professionals.\r\nExtortioner named BlackSuit has attacked your system.\r\nAs a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web\r\ninto the public realm.\r\nNow we have all your files like: financial reports, intellectual property, accounting, law actions and complaints, personal\r\nfiles and so on and so forth. \r\nWe are able to solve this problem in one touch.\r\nWe (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to make a deal with us.\r\nYou have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite\r\nsmall compensation.\r\nYou can have a safety review of your systems.\r\nAll your files will be decrypted, your data will be reset, your systems will stay in safe.\r\nContact us through TOR browser using the link:\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 18 through Table 23 for all referenced threat actor tactics and techniques in this advisory, as well as\r\ncorresponding detection and/or mitigation recommendations. 
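Before the per-technique tables, an added example (Python; not code from the advisory or from FBI/CISA) of consuming the IOC tables above the way the two disclaimers ask. Indicators are refanged, digests are classified by length because Tables 5, 6 and 7 mix SHA-1 and SHA-256 values under one header, the Mimecast-rewritten links in Table 16 are reduced to the host in their domain= parameter, and the Time Range of Use from Table 12 travels with each address so that a hit outside that window is flagged for review rather than blocked outright. The six indicators are copied from Tables 7, 10, 12 and 16; the observations are constructed telemetry, and the window dates are this example's reading of the month ranges in Table 12.

```python
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Six rows copied from the tables above, as printed (defanged). The window is
# Table 12's 'Time Range of Use': a single month is taken as the whole month
# and 'Nov - Feb 2024' as Nov 2023 through Feb 2024 (this example's reading).
# None means the advisory gives no window for that indicator.
RAW_IOCS = [
    ('89.251.22[.]32', 'ip', date(2024, 5, 1), date(2024, 5, 31), 'Cobalt Strike (Table 12)'),
    ('137.220.61[.]94', 'ip', date(2023, 11, 1), date(2024, 2, 29), 'outbound from Socss.exe (Table 12)'),
    ('turnovercheck[.]com', 'domain', None, None, 'Cobalt Strike C2 (Table 16)'),
    ('https://protect-us.mimecast[.]com/s/NwueC5yzP5IZLW4MulfSrc?domain=137.220.61.94',
     'url', None, None, 'Mimecast-rewritten link (Table 16)'),
    ('25A6F82936134A6C5C0066F382530B9D6BF2C8DA6FEAFE028F166B1A9D7283CF', 'hash', None, None, 'socks.ps1 (Table 10)'),
    ('30cc7724be4a09d5bcd9254197af05e9fab76455', 'hash', None, None, 'sys32.exe (Table 7)'),
]

IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
HASH_ALGOS = {32: 'md5', 40: 'sha1', 64: 'sha256'}


def refang(value):
    '''Undo the defanging used in the tables: 1.2.3[.]4 -> 1.2.3.4, hxxp -> http.'''
    return value.replace('[.]', '.').replace('hxxp', 'http')


def hash_algo(value):
    '''Name the digest algorithm from its hex length; None if it is not a hex digest.'''
    if re.fullmatch(r'[0-9a-fA-F]+', value):
        return HASH_ALGOS.get(len(value))
    return None


def unwrap_rewritten_url(url):
    '''For a Mimecast URL Protect link (protect-us.mimecast.com/s/<token>?domain=X)
    return X, the host the original link pointed at; otherwise None.'''
    parts = urlsplit(url)
    if parts.hostname == 'protect-us.mimecast.com' and parts.path.startswith('/s/'):
        target = parse_qs(parts.query).get('domain')
        return target[0] if target else None
    return None


def normalize(raw):
    '''Turn printed rows into comparable indicators, merging duplicates so a
    row that carries a time window wins over a later windowless copy.'''
    seen = {}
    for printed, kind, start, end, desc in raw:
        value, algo = refang(printed).lower(), None
        if kind == 'url':
            target = unwrap_rewritten_url(value)
            if target is None:
                continue                  # only links that resolve to a host are kept
            value, kind = target, 'ip' if IPV4.match(target) else 'domain'
            desc += ', via rewritten URL'
        elif kind == 'hash':
            algo = hash_algo(value)
            if algo is None:
                continue                  # not a digest we can compare
        seen.setdefault((kind, value), {'kind': kind, 'value': value, 'algo': algo,
                                        'start': start, 'end': end, 'desc': desc})
    return list(seen.values())


def match(iocs, observations):
    '''Hits against telemetry. A hit outside the indicator's window is marked
    'review' rather than 'high', following the advisory's note that these
    addresses may have carried legitimate traffic outside that period.'''
    hits = []
    for obs in observations:
        value = obs['value'].lower()
        for ioc in iocs:
            if ioc['kind'] != obs['kind']:
                continue
            if ioc['kind'] == 'domain':
                same = value == ioc['value'] or value.endswith('.' + ioc['value'])
            else:
                same = value == ioc['value']
            if same:
                in_window = ioc['start'] is None or ioc['start'] <= obs['when'] <= ioc['end']
                hits.append({'observed': obs['value'], 'when': obs['when'], 'ioc': ioc['desc'],
                             'algo': ioc['algo'], 'confidence': 'high' if in_window else 'review'})
    return hits


# Constructed telemetry (not real): outbound connections, a DNS query and two
# file digests as an EDR might report them.
OBSERVATIONS = [
    {'when': date(2024, 5, 12), 'kind': 'ip', 'value': '89.251.22.32'},
    {'when': date(2024, 6, 3), 'kind': 'ip', 'value': '137.220.61.94'},
    {'when': date(2024, 6, 3), 'kind': 'ip', 'value': '8.8.8.8'},
    {'when': date(2024, 6, 4), 'kind': 'domain', 'value': 'Mail.turnovercheck.com'},
    {'when': date(2024, 6, 4), 'kind': 'hash', 'value': '25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf'},
    {'when': date(2024, 6, 4), 'kind': 'hash', 'value': '30CC7724BE4A09D5BCD9254197AF05E9FAB76455'},
]

IOCS = normalize(RAW_IOCS)
HITS = match(IOCS, OBSERVATIONS)

if __name__ == '__main__':
    for hit in HITS:
        print(hit['confidence'], hit['when'], hit['observed'], '->', hit['ioc'])
```

Run directly it prints five hits, one of them (137.220.61.94 seen in June 2024, outside its November 2023 to February 2024 window) marked for review. In practice the rows would come from the published STIX file rather than hand copies, but the window handling and the unwrapping of rewritten URLs are the parts the tables themselves do not do for you.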
For additional mitigations, see the Mitigations section.\r\nTable 18: BlackSuit Actors ATT\u0026CK Techniques for Resource Development\r\nTechnique Title ID Use\r\nAcquire Access T1650 BlackSuit actors may leverage brokers in support of gaining initial access.\r\nTable 19: Cyber Threat Actors ATT\u0026CK Techniques for Initial Access\r\nTechnique Title ID Use\r\nRemote Services: Remote Desktop Protocol T1021.001 BlackSuit actors use RDP compromise as a secondary initial access vector.\r\nExternal Remote Services T1133 BlackSuit actors gain initial access through a variety of RMM software.\r\nExploit Public-Facing Application T1190 BlackSuit actors gain initial access through public-facing applications.\r\nPhishing T1566 BlackSuit actors most commonly gain initial access to victim networks via phishing.\r\nPhishing: Spearphishing Attachment T1566.001 BlackSuit actors used malicious PDF document attachments in phishing campaigns.\r\nPhishing: Spearphishing Link T1566.002 The actors gain initial access using malvertising links via emails and public-facing sites.\r\nTable 20: Cyber Threat Actors ATT\u0026CK Techniques for Privilege Escalation\r\nTechnique Title ID Use\r\n(New August 7, 2024) Valid Accounts T1078 BlackSuit actors used a legitimate admin account to gain access privileges to the domain controller.\r\nValid Accounts: Domain Accounts T1078.002 BlackSuit actors used encrypted files to create new admin user accounts.\r\nTable 21: Cyber Threat Actors ATT\u0026CK Techniques for Defense Evasion\r\nTechnique Title ID Use\r\nRemote Services: Remote Desktop Protocol T1021.001 BlackSuit actors used valid accounts to move laterally through the domain controller using RDP.\r\nIndicator Removal: Clear Windows Event Logs T1070.001 BlackSuit actors deleted shadow files and system and security logs after 
exfiltration.\r\nAutomated Collection T1119 BlackSuit actors used registry keys to auto-extract and collect files.\r\nDomain Policy Modification: Group Policy Modification T1484.001 BlackSuit actors modified Group Policy Objects to subvert antivirus protocols.\r\nImpair Defenses: Disable or Modify Tools T1562.001 BlackSuit actors deactivated antivirus protocols.\r\nTable 22: Cyber Threat Actors ATT\u0026CK Techniques for Command and Control\r\nTechnique Title ID Use\r\nIngress Tool Transfer T1105 BlackSuit actors used C2 infrastructure to download multiple tools.\r\nProtocol Tunneling T1572 BlackSuit actors used an encrypted SSH tunnel to communicate within C2 infrastructure.\r\nTable 23: Cyber Threat Actors ATT\u0026CK Techniques for Impact\r\nTechnique Title ID Use\r\nData Encrypted for Impact T1486 BlackSuit actors encrypted data to determine which files were being used or blocked by other applications.\r\nDetection Methods\r\n(New August 7, 2024) Please reference the YARA rule below to aid in detecting BlackSuit activity. Note: The YARA rule is derived from FBI investigations and is not guaranteed to detect confirmed malicious activity.\r\nprivate rule is_executable {\r\n    condition:\r\n        uint32(uint32(0x3C)) == 0x00004550\r\n}\r\nrule obfuscates_dlls {\r\n    strings:\r\n        // Code for unscrambling names of true DLL imports\r\n        $code_load_obfuscated = {\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n            c6 84 24 ?? 00 00 00 ??\r\n        }\r\n        // c6 84 24 ?? 00 00 00 ??  | MOV byte ptr [ESP + ??], ??\r\n        $code_deobfuscate = { 99 f7 ?? 8d ?? ?? 99 f7 ?? 88 }\r\n        // 99        | CDQ\r\n        // f7 ??     | IDIV ??\r\n        // 8d ?? ??  | LEA ??, ??\r\n        // 99        | CDQ\r\n        // f7 ??     | IDIV ??\r\n        // 88        | MOV\r\n    condition:\r\n        all of them\r\n}\r\nrule calls_rsa_function {\r\n    strings:\r\n        // Code for function calls using RSA key\r\n        $code_rsa_function_1 = { 8d4c2410 6a?? 6a?? 51 6a?? 6a?? 6a?? 68???????? ffd0 }\r\n        // 8d 4c 24 10     | LEA ECX, [esp + 0x10]\r\n        // 6a ??           | PUSH ??\r\n        // 6a ??           | PUSH ??\r\n        // 51              | PUSH ECX\r\n        // 6a ??           | PUSH ??\r\n        // 6a ??           | PUSH ??\r\n        // 6a ??           | PUSH ??\r\n        // 68 ?? ?? ?? ??  | PUSH (address of RSA string)\r\n        // ff d0           | CALL EAX\r\n        $code_rsa_function_2 = { 8d4c2410 6a?? 6a?? 51 56 6a?? 6a?? 68???????? ffd0 }\r\n        // 8d 4c 24 10     | LEA ECX, [esp + 0x10]\r\n        // 6a ??           | PUSH ??\r\n        // 6a ??           | PUSH ??\r\n        // 51              | PUSH ECX\r\n        // 56              | PUSH ESI\r\n        // 6a ??           | PUSH ??\r\n        // 6a ??           | PUSH ??\r\n        // 68 ?? ?? ?? ??  | PUSH (address of RSA string)\r\n        // ff d0           | CALL EAX\r\n    condition:\r\n        any of them\r\n}\r\nrule xor_decoder_functions {\r\n    strings:\r\n        // Functions 402e00 and 402f00 both appear to contain a xor-decoding loop\r\n        // 402e00\r\n        $code_xor_loop_1 = { 0f a4 ce ?? 0f ac d5 ?? c1 e1 ?? c1 ea ?? 0b cd 0b f2 99 33 c8 }\r\n        // 0f a4 ce ??  | SHLD ESI, param_1, ??\r\n        // 0f ac d5 ??  | SHRD EBP, EDX, ??\r\n        // c1 e1 ??     | SHL param_1, ??\r\n        // c1 ea ??     | SHR EDX, 0x19\r\n        // 0b cd        | OR param_1, EBP\r\n        // 0b f2        | OR ESI, EDX\r\n        // 99           | CDQ\r\n        // 33 c8        | XOR param_1, EAX\r\n        // 402f00\r\n        $code_xor_loop_2 = { 0f a4 ce ?? c1 ea ?? 0b f2 c1 e1 ?? 0b c8 0f be c3 8a 1f 99 33 c8 }\r\n        // 0f a4 ce ??  | SHLD ESI, param_1, ??\r\n        // c1 ea ??     | SHR EDX, ??\r\n        // 0b f2        | OR ESI, EDX\r\n        // c1 e1 ??     | SHL param_1, ??\r\n        // 0b c8        | OR param_1, EAX\r\n        // 0f be c3     | MOVSX EAX, BL\r\n        // 8a 1f        | MOV BL, byte ptr [EDI]\r\n        // 99           | CDQ\r\n        // 33 c8        | XOR param_1, EAX\r\n    condition:\r\n        any of them\r\n}\r\nrule win_BlackSuit_manual {\r\n    meta:\r\n        author = \"CVH - Raleigh\"\r\n        date = \"2024-07-12\"\r\n        version = \"1\"\r\n        description = \"Detects win.BlackSuit. Rules were manually constructed and results should not be considered conclusive.\"\r\n        malpedia_reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.BlackSuit\"\r\n    strings:\r\n        // Somehow keeps this in plaintext, although in UTF-16\r\n        $string_readme = \"readme.BlackSuit.txt\" nocase wide ascii\r\n        // RSA key for encrypting AES encryption key present in plaintext\r\n        $string_rsa_key = \"BEGIN RSA PUBLIC KEY\" nocase wide ascii\r\n        // Unusual debug strings\r\n        $string_debug_1 = \".rdata$voltmd\"\r\n        $string_debug_2 = \".rdata$zzzdbg\"\r\n        // Relevant function calls\r\n        $import_1 = \"MultiByteToWideChar\"\r\n        $import_2 = \"EnterCriticalSection\"\r\n        $import_3 = \"GetProcessHeap\"\r\n    condition:\r\n        (is_executable and $string_readme)\r\n        or\r\n        ($string_readme and\r\n            (obfuscates_dlls or calls_rsa_function or xor_decoder_functions)\r\n        )\r\n        or\r\n        2 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions)\r\n        or\r\n        (1 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions) and any of them)\r\n}\r\nMitigations\r\nNetwork Defenders\r\nThe FBI and CISA recommend network defenders implement 
the mitigations below to improve your organization’s\r\ncybersecurity posture based on BlackSuit actors’ activity. These mitigations align with the Cross-Sector Cybersecurity\r\nPerformance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs\r\nprovide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and\r\nNIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful\r\nthreats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more\r\ninformation on the CPGs, including additional recommended baseline protections.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to\r\ncomply with National Institute of Standards and Technology (NIST) standards for developing and managing\r\npassword policies.\r\nUse longer passwords consisting of at least 8 characters and no more than 64 characters in length;\r\nStore passwords in hashed format using industry-recognized password managers;\r\nAdd password user “salts” to shared login credentials;\r\nAvoid reusing passwords;\r\nImplement multiple failed login attempt account lockouts;\r\nDisable password “hints;”\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password\r\nresets. 
Frequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nKeep all operating systems, software, and firmware up to date [CPG 1.E]. Timely patching is one of the most\r\nefficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize\r\npatching known exploited vulnerabilities in internet-facing systems.\r\nRequire phishing-resistant multifactor authentication for administrator accounts [CPG 2.H], and require\r\nstandard MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts\r\nthat access critical systems.\r\nSegment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting\r\nadversary lateral movement.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a\r\nnetwork monitoring tool [CPG 3.A]. To aid in detecting the ransomware, implement a tool that logs and reports\r\nall network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools\r\nare particularly useful for detecting lateral connections as they have insight into common and uncommon network\r\nconnections for each host.\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nImplement Secure Logging Collection and Storage Practices [CPG 2.T]. 
Learn more about logging best practices\r\nby referencing CISA’s Logging Made Easy resources.\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.\r\nAudit user accounts with administrative privileges and configure access controls according to the principle of least\r\nprivilege.\r\nDisable unused ports.\r\nImplement and Enforce Email Security Policies [CPG 2.M].\r\nDisable Macros by Default [CPG 2.N].\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nImplement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT)\r\naccess method provisions privileged access when needed and can support enforcement of the principle of least\r\nprivilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to\r\nautomatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual\r\nusers may submit their requests through an automated process that grants them access to a specified system for a set\r\ntimeframe when they need to support the completion of a certain task.\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral movement often\r\ndepend on software utilities running from the command line. If threat actors are not able to run these tools, they will\r\nhave difficulty escalating privileges and/or moving laterally.\r\nMaintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. 
By instituting this\r\npractice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure.\r\nSoftware Manufacturers\r\nThe above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid\r\nenvironments. Recognizing that insecure software is the root cause of the majority of these flaws and that the responsibility\r\nshould not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of\r\n\u003cidentified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited\r\nthrough the assessment team)\u003e:\r\nEmbed security into product architecture throughout the entire software development lifecycle (SDLC).\r\nMandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in,\r\nfeature.\r\nThese mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and\r\nApproaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security\r\noutcomes of their customers by applying these and other secure by design tactics. 
By using secure by design tactics,\r\nsoftware manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional\r\nresources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.\r\nFor more information on secure by design, see CISA’s Secure by Design webpage.\r\nValidate Security Controls\r\nIn addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory.\r\nThe FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the\r\nATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 18 – Table 23).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nThe FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure\r\noptimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources\r\nand alerts.\r\nResource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC)\r\nJoint Ransomware Guide.\r\nNote: The joint Ransomware Guide provides preparation, prevention, and mitigation best practices as well as a\r\nransomware response checklist.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nReporting\r\nYour organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after\r\nreviewing the information provided, your organization decides to provide information to the FBI, reporting must be\r\nconsistent with applicable state and federal laws.\r\nThe FBI is interested in any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, a sample ransom note, communications with BlackSuit actors, Bitcoin wallet information, decryptor\r\nfiles, and/or a benign sample of an encrypted file.\r\nAdditional details of interest include: a targeted company point of contact, status, and scope of infection, estimated loss,\r\noperational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based\r\nindicators.\r\nThe FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered.\r\nFurthermore, payment may also embolden adversaries 
to target additional organizations, encourage other criminal actors to\r\nengage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have\r\ndecided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime\r\nComplaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations\r\nCenter (contact@mail.cisa.dhs.gov or by calling 1-844-Say-CISA (1-844-729-2472)).\r\nDisclaimer\r\nYour organization has no obligation to respond or provide information in response to this product. If, after reviewing the\r\ninformation provided, your organization decides to provide information to the authoring agencies, it must do so consistent\r\nwith applicable state and federal law.\r\nThe information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any\r\ncommercial entity, product, company, or service, including any entities, products, or services linked within this document.\r\nAny reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or\r\notherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.\r\nAcknowledgements\r\nThe DFIR Report contributed to this advisory.\r\nVersion History\r\nJanuary 31, 2023: Initial Release (Royal Ransomware)\r\nNovember 13, 2023: First Update (Royal Ransomware)\r\nAugust 7, 2024: Updated title from “Royal Ransomware” to “BlackSuit Ransomware”; updates noted throughout.\r\nAugust 14, 2024: Updated STIX files\r\nAugust 19, 2024: Updated STIX files\r\nAugust 27, 2024: Updated STIX files\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"
	],
	"report_names": [
		"aa23-061a"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86c16c78d56e912918a37d7129b9617aae166c85.pdf",
		"text": "https://archive.orkl.eu/86c16c78d56e912918a37d7129b9617aae166c85.txt",
		"img": "https://archive.orkl.eu/86c16c78d56e912918a37d7129b9617aae166c85.jpg"
	}
}