{
	"id": "c82c35f7-7d5f-4139-afb6-f77b02768294",
	"created_at": "2026-04-06T00:10:17.032942Z",
	"updated_at": "2026-04-10T03:20:26.857124Z",
	"deleted_at": null,
	"sha1_hash": "d674ca4e5db1bf8b504004b207a1ee8396a46aad",
	"title": "BlackSuit Attack Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59389,
	"plain_text": "BlackSuit Attack Analysis\r\nBy ReliaQuest Threat Research Team 28 May 2024\r\nPublished: 2024-05-28 · Archived: 2026-04-05 23:12:52 UTC\r\nKey Points:\r\nIn April 2024, ReliaQuest identified Kerberoasting in a customer’s environment that marked the onset of a\r\ncyber attack by the “BlackSuit” ransomware group. The attack led to the encryption of critical systems and\r\nthe exfiltration of sensitive data.\r\nSince May 2023, BlackSuit has successfully targeted US-based companies in critical sectors like education\r\nand industrial goods, employing varied methods to deploy its ransomware.\r\nAn investigation by the ReliaQuest Threat Research team identified BlackSuit leveraging PsExec for\r\nlateral movement, Kerberoasting, data exfiltration, and deployment of ransomware from a virtual machine.\r\nThis report examines the continued success of straightforward tactics, techniques, and procedures (TTPs),\r\nsuch as brute forcing, PsExec for lateral movement, and FTP for exfiltration, highlighting the efficacy of\r\nthese techniques and the challenges in mitigating them.\r\nIn April 2024, ReliaQuest detected Kerberoasting in a customer’s environment that marked the start of a BlackSuit\r\nransomware attack, culminating in the encryption of critical systems and the exfiltration of sensitive data.\r\nInvestigation yielded indicators of intrusion and intelligence about the adversary’s TTPs. The impacted\r\norganization operates in multiple regions and has historically struggled with asset inventory and endpoint visibility\r\ndue to its large number of devices and the breadth of deployments.\r\nThis report details the attack lifecycle, from the initial access achieved through an initial access broker brute-forcing a misconfigured VPN, the likely hand-off to the BlackSuit gang or affiliate, and the final encryption\r\nexecuted via Windows Management Instrumentation Command-line (WMIC). 
This report explores the adversary’s\r\nmethods and the critical vulnerabilities involved, reviews the defensive measures taken to mitigate the incident’s\r\nimpact, and highlights how automation in response and containment could have shifted the burden to the\r\nadversary during their breakout window. The report provides actionable insights for organizations to enhance their\r\nown defensive posture against similar ransomware threats.\r\nBlackSuit Overview\r\nSecurity researchers first observed the double-extortion ransomware group BlackSuit in May 2023. Multiple\r\ninvestigations, including one by the US Department of Health and Human Services, have noted similarities\r\nbetween BlackSuit and the “Royal” ransomware operation, which is reportedly a successor to the now-defunct\r\nConti ransomware gang. The group’s pedigree, varied malware deployment methods, and advanced encryption\r\nand system recovery processes indicate that BlackSuit’s operators are likely experienced and technically\r\nproficient.\r\nhttps://www.reliaquest.com/blog/blacksuit-attack-analysis/\r\nPage 1 of 5\n\nBlackSuit has named 53 organizations on its data-leak site since commencing operations. Its victims are largely\r\nUS-based but range in industry vertical; the group has targeted the education, industrial-goods-and-services, and\r\nconstruction sectors. This targeting pattern strongly suggests a financial motivation with a focus on critical sectors\r\nthat either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood\r\nof a successful attack or a speedy ransom payment.\r\nAttack Lifecycle\r\nThroughout this investigation, we observed BlackSuit favoring well-known and well-researched TTPs. The threat\r\nactor used tools like PsExec, remote desktop protocol (RDP), and Rubeus, which are all well represented in\r\nhistorical intrusion events. 
This reinforces the need for organizations to employ defense-in-depth strategies, which\r\ncan help shift the burden back to the attacker and force them to come up with new techniques to accomplish their\r\ngoal.\r\nInitial Access\r\nIn early April 2024, an unknown threat actor gained VPN access to the customer’s environment through a valid\r\naccount. Though there was incomplete authentication data from the VPN, it is highly likely the credentials were\r\nobtained via a brute-force attack or an external source like a former password dump.\r\nThe firewall was a non-primary VPN gateway at a disaster recovery site and was not configured to enforce MFA\r\nor certificate requirements, both of which were enforced for other firewalls, enabling the initial foothold.\r\nCentralized Configuration Management for Network Devices: Using centralized change management and\r\nversion control to deploy network device configurations instead of managing devices individually will cut down\r\non misconfigurations, and, when paired with an automated inventory mapping solution, will help to ensure there\r\nare no hidden misconfigured or legacy devices.\r\nLateral Movement\r\nOver the next week, the attacker moved laterally across several Windows workstations, primarily using PsExec, a\r\nremote administration tool that was already being used within the environment.\r\nThere was a three-day pause in activity after the last workstation-related event until the next significant step in the\r\nattack chain. This delay likely indicates that an initial access broker gained access to the target system and then\r\nsold it to the BlackSuit ransomware group—or an affiliate linked to the group—who conducted further malicious\r\nactivity.\r\nSince the affected devices did not forward event logs and because the organization lacked a robust endpoint\r\ndetection and response (EDR) tool, tracking lateral movement during the triage phase was difficult. 
Much of this\r\nactivity was revealed through later forensics.\r\nLogging for Workstations: Many organizations choose not to forward Windows logs from workstations because\r\nof ingest restrictions on existing SIEM licenses. It’s important for organizations to be aware of the risks when\r\nmaking this decision and to compensate if possible.\r\nFor example, install an EDR solution or configure a tiered network so that only privileged access workstations\r\n(PAWs) can access critical infrastructure, or that, at a minimum, critical infrastructure can only be accessed\r\nthrough a chokepoint where logging does exist.\r\nCredential Access\r\nApproximately ten days after initial access, BlackSuit used this newly gained account access to authenticate to a\r\nWindows server. The attacker then downloaded a custom payload that allowed them to load Rubeus, a toolkit for\r\nKerberos abuse, into PowerShell, rather than ingress a compiled binary. This process is similar to those of popular\r\noffensive toolkits like PowerSharpPack.\r\nIt’s possible that the threat actor pivoted to the Windows server directly from the VPN. However, because the\r\nWindows server was not forwarding logs, we were unable to confirm this. The adversary compromised more than\r\n20 users through Kerberoasting. One additional account, which was the only one with preauthentication disabled,\r\nwas compromised via AS-REP roasting.\r\nOne of the users compromised via Kerberoasting, “admin1,” was a domain administrator; the attacker used this\r\naccount to dump the NTDS.DIT file from several domain controllers via ntdsutil, leading to the compromise of\r\nthe forest.\r\nntdsutil \"ac in ntds\" \"ifm\" \"cr fu C:\\Users\\Public\" q q\r\nDisabling Weak Encryption: Kerberoasting is difficult to mitigate entirely because anyone can request a ticket-granting service (TGS) ticket for any service principal name (SPN) to crack offline. 
However, there are steps that\r\ncan be taken to put the burden on the adversary and make it an unattractive option.\r\nWe overwhelmingly see attackers use Kerberoasting by taking advantage of weak encryption support (specifically\r\nRC4) in conjunction with weak account passwords. Organizations should disable the ability to request weak\r\nencryption types, which is often more straightforward than retroactively enforcing password complexity.\r\nBefore disabling support for RC4 encryption types, it’s important to understand the current adoption of RC4.\r\nSearching for security event logs with Event ID 4769 logged by domain controllers that request encryption types\r\n0x17 or 0x18 is an effective way to get an initial footprint and determine whether a configuration change is\r\nneeded or if the OS itself doesn’t support stronger encryption (AES support began in Windows Server 2008 and\r\nWindows Vista).\r\nExfiltration\r\nSeveral hours after the dump of the NTDS.DIT file, an unmonitored Windows server began initiating FTP\r\nconnections to an external IP address, sending over 100GB of data over the next six hours. Subsequent device\r\nforensics revealed that the admin1 account ingressed 7zip, a file archive utility, and WinSCP, a tool for file\r\ntransfer across multiple protocols, to the server approximately 30 minutes before the file transfer began.\r\n7zip was used to locally stage and compress data from connected network shares, following which WinSCP was\r\nused to facilitate the FTP connection.\r\nNetwork Share Canaries: Exfiltration is famously difficult to detect and stop because there are so many tools\r\nand methods threat actors can use to get data out of a network. 
Defending against exfiltration requires a layered\r\napproach to shift the burden back onto the adversary.\r\nThere’s a lot that organizations can do from a network architecture level to make it much harder to directly\r\ntransfer data out of a network, and this can be especially effective when combined with a comprehensive data loss\r\nprevention (DLP) solution to categorize, restrict access to, and audit ongoing access of data and to monitor for\r\npotentially unauthorized usage.\r\nIn the more immediate term, organizations can embed canary files within network shares to detect unauthorized\r\naccess attempts that may indicate impending exfiltration.\r\nImpact\r\nApproximately six hours after exfiltration, the threat actor set up a Windows virtual machine (VM) by installing\r\nVirtualBox and downloading a virtual machine file. They likely used the malicious VM to obfuscate the\r\nransomware deployment from endpoint security tools—a tactic we’ve previously seen as effective.\r\nThe threat actor used PsExec from their VM to copy the ransomware payload—which was hosted on a network\r\nshare—to hundreds of hosts through Server Message Block (SMB). Following this, WMIC was used to load the\r\nransomware payload as a library, thus executing the encryptor.\r\nstart PsExec.exe --accepteula @C:\\share$\\hosts1.txt cmd /c COPY \"\\\\server\\share$\\payload.dll\"\r\n\"C:\\****\r\nWMIC /node:\"X.X.X.X\" process call create 'cmd.exe /c regsvr32.exe /n /I:\"-id \\\"\u003cUNIQUE_STRING\u003e\\\" -ep 70\" \"C:\\****payload.dll\"'\r\nNotably, external reporting on Royal ransomware describes the same argument schema being provided at the time\r\nof encryption, supporting the idea that there is a relationship between these groups.\r\nThe impacted organization took immediate action, including rolling passwords across the domain and isolating the\r\ncompromised site from other global locations to limit the impact. 
It ran numerous response plays, focusing on\r\nremediation through hash banning and host isolation using endpoint security solutions.\r\nTo detect potential data leakage, GreyMatter Digital Risk Protection (DRP) was configured to monitor the\r\norganization’s digital assets, and the ReliaQuest Threat Research team tracked the BlackSuit data-leak site for any\r\nmentions or leaked data. Various detection rules were deployed to strengthen the organization’s defensive posture,\r\nincluding those to identify malware, suspicious DNS requests, and lateral movement activities.\r\nConclusion\r\nThe investigation into the BlackSuit ransomware attack revealed a relatively straightforward set of TTPs. Our\r\nanalysis identified initial access via brute forcing, lateral movement facilitated by tools like PsExec, and\r\nsuccessful exfiltration through FTP. These techniques are not novel, and their continued success highlights the\r\nefficacy of the techniques and the difficulty of appropriate mitigation. In this case, correctly configuring the VPN,\r\nmore complete endpoint visibility, and implementing automated response or containment plays could have\r\nprevented impact earlier in the attack chain. By ensuring you have the correct defenses and configurations in\r\nplace, straightforward TTPs like those highlighted in this case study can be detected and prevented in the early\r\nstages, minimizing or stopping any impact on your organization.\r\nSource: https://www.reliaquest.com/blog/blacksuit-attack-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.reliaquest.com/blog/blacksuit-attack-analysis/"
	],
	"report_names": [
		"blacksuit-attack-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d674ca4e5db1bf8b504004b207a1ee8396a46aad.pdf",
		"text": "https://archive.orkl.eu/d674ca4e5db1bf8b504004b207a1ee8396a46aad.txt",
		"img": "https://archive.orkl.eu/d674ca4e5db1bf8b504004b207a1ee8396a46aad.jpg"
	}
}