URL: https://www.sentinelone.com/anthology/blacksuit/

BLACKSUIT


BLACKSUIT RANSOMWARE: IN-DEPTH ANALYSIS, DETECTION, AND MITIGATION


WHAT IS BLACKSUIT RANSOMWARE?

The BlackSuit ransomware operation emerged in April/May 2023. The group is a
multi-pronged extortion outfit: it encrypts and exfiltrates victim data and
hosts a public data leak site for those victims that fail to comply with its
demands. The group is known for significant attacks against entities in the
healthcare and education sectors, along with other critical industries.
BlackSuit is a private operation in that there are no public affiliates.
BlackSuit payloads share many technical similarities with Royal ransomware
payloads, including similar encryption mechanisms and command-line parameters.

WHAT DOES BLACKSUIT RANSOMWARE TARGET?

BlackSuit is a private ransomware/extortion operation. Large enterprises and
small to medium-sized businesses (SMBs) are targeted, and there does not
appear to be any specific discrimination when it comes to industry or type of
target. Similar to Royal, entities in the CIS (Commonwealth of Independent
States) appear to be excluded from targeting. To date, BlackSuit targeting has
favored the healthcare, education, information technology (IT), government,
retail, and manufacturing industries.

HOW DOES BLACKSUIT RANSOMWARE WORK?

The group emerged with payloads that support both Windows and Linux operating
systems. Payloads are delivered via phishing email or through third-party
post-exploitation frameworks (e.g., Empire, Metasploit, Cobalt Strike).
Malicious torrent files have also been observed as a delivery vector for
BlackSuit ransomware.

Command line parameters supported by BlackSuit ransomware:

 * -p {target path}: Target path to encrypt
 * -killvm: Terminate VMware virtual machines via esxcli commands
 * -allfiles: Encrypt all files
 * -network: Encrypt connected and available network volumes
 * -local: Encrypt local volumes only (no network spreading)
 * -percent: Percentage of each file to encrypt (intermittent encryption
   option, used for performance)
 * -demonoff: Display logs
 * -list {file}: Supply a text file listing paths to include in encryption
 * -delete: Toggle self-deletion feature
 * -thrcount: Specify thread count (performance tuning; also assists when
   discerning between x86 and x64 targeting)
 * -skip {file}: Supply a text file listing paths to exclude from encryption
 * -noprotect: No PID check; allows multiple instances of the encryptor to run

BlackSuit payloads, on both Windows and Linux, use OpenSSL's implementation of
AES for file encryption and support intermittent (partial) encryption through
the -percent option. Linux payloads can additionally target and manipulate
VMware ESXi servers, for example via the -killvm option, which terminates
running virtual machines through the esxcli process:

Observed esxcli commands include:

"esxcli vm process list > list_"

"esxcli vm process kill --type=soft --world-id=%s"

"esxcli vm process kill --type=soft --world-id=%s"

"esxcli vm process list > PID_list_"

 

BlackSuit encryption is extremely rapid. Local logical drive details are
enumerated at launch, after which the ransomware very quickly works through
the available files and folders on all reachable volumes.

On Windows systems, the ransomware attempts to inhibit system recovery by
removing Volume Shadow Copies (VSS). This is handled via a hidden shell command
that launches VSSADMIN.EXE to delete the shadow copies with the /all and
/quiet options.

BlackSuit ransom notes are written to every folder that contains encrypted
items, under the name “README.BlackSuit.txt”.

This varies only slightly on the Linux variants of BlackSuit: the ransom note
on Linux instances is written to targeted folders as “README.blacksuit.txt”,
note the change in capitalization.

HOW TO DETECT BLACKSUIT RANSOMWARE

The SentinelOne Singularity XDR Platform can identify and stop any malicious
activities and items related to BlackSuit ransomware.

In case you do not have SentinelOne deployed, detecting BlackSuit ransomware
requires a combination of technical and operational measures designed to
identify and flag suspicious activity on the network. This allows the
organization to take appropriate action, and to prevent or mitigate the impact
of the ransomware attack.

To detect BlackSuit ransomware without SentinelOne deployed, it is important to
take a multi-layered approach, which includes the following steps:

 1. Use anti-malware software or other security tools capable of detecting and
    blocking known ransomware variants. These tools may use signatures,
    heuristics, or machine learning algorithms, to identify and block suspicious
    files or activities.
 2. Monitor network traffic and look for indicators of compromise, such as
    unusual traffic patterns, large outbound transfers consistent with data
    exfiltration, or communication with known command-and-control servers.
 3. Conduct regular security audits and assessments to identify network and
    system vulnerabilities and ensure that all security controls are in place
    and functioning properly.
 4. Educate and train employees on cybersecurity best practices, including
    identifying and reporting suspicious emails or other threats.
 5. Implement a robust backup and recovery plan to ensure that the organization
    has a copy of its data and can restore it in case of an attack.
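The behaviours described in the "How does BlackSuit ransomware work?" section translate directly into host-level detection rules. The following Python script is an added example written for this page; it is not SentinelOne detection logic and not BlackSuit code. It runs a small rule set over process-creation and file-creation events. The event schema ({"kind": "process", "cmd": ...} / {"kind": "file", "path": ...}), the severity labels and the switch-count thresholds are assumptions chosen for the example, and the sample telemetry is constructed, not real logs. It flags vssadmin shadow-copy deletion, the esxcli VM enumeration and termination commands, a command line carrying the encryptor's switch set, and creation of the ransom note under either capitalization.

```python
import re
from dataclasses import dataclass

# Encryptor switches listed on this page. A single generic switch such as -p or
# -local is not enough to alert on; several together, or one BlackSuit-specific
# switch alongside another, is. (Thresholds below are an assumption for the example.)
BLACKSUIT_SWITCHES = {
    "-p", "-killvm", "-allfiles", "-network", "-local", "-percent",
    "-demonoff", "-list", "-delete", "-thrcount", "-skip", "-noprotect",
}
HIGH_SIGNAL_SWITCHES = {"-killvm", "-percent", "-demonoff", "-thrcount", "-noprotect"}

# esxcli usage seen in the Linux/ESXi payload: list VMs to a file, then kill by world id.
ESXCLI_RE = re.compile(r"\besxcli\s+vm\s+process\s+(kill|list)\b", re.IGNORECASE)
# Ransom note: README.BlackSuit.txt on Windows, README.blacksuit.txt on Linux.
RANSOM_NOTE_RE = re.compile(r"(?:^|[\\/])README\.BlackSuit\.txt$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


def _basename(token: str) -> str:
    """Last path component of a token, lower-cased, for either path separator."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(command_line: str) -> list[Finding]:
    """Apply the process-level rules to one command line (Windows or ESXi shell)."""
    findings = []
    tokens = command_line.split()
    lowered = {t.lower() for t in tokens}

    # Rule 1: vssadmin delete shadows /all /quiet, in any argument order, and also
    # when wrapped in cmd.exe /c as the page describes ("hidden shell command").
    if any(_basename(t) in ("vssadmin", "vssadmin.exe") for t in tokens) \
            and {"delete", "shadows", "/all", "/quiet"} <= lowered:
        findings.append(Finding("vss_shadow_deletion", "high", command_line))

    # Rule 2: BlackSuit/Royal encryptor switch combination on the command line.
    matched = lowered & BLACKSUIT_SWITCHES
    if len(matched) >= 3 or (len(matched) >= 2 and matched & HIGH_SIGNAL_SWITCHES):
        findings.append(Finding("blacksuit_encryptor_switches", "high",
                                " ".join(sorted(matched))))

    # Rule 3: esxcli VM enumeration (medium) or termination (high) on an ESXi host.
    m = ESXCLI_RE.search(command_line)
    if m:
        verb = m.group(1).lower()
        findings.append(Finding(f"esxcli_vm_{verb}",
                                "high" if verb == "kill" else "medium", command_line))
    return findings


def check_file_create(path: str) -> list[Finding]:
    """Flag creation of the ransom note, whichever capitalization the payload uses."""
    if RANSOM_NOTE_RE.search(path):
        return [Finding("blacksuit_ransom_note", "critical", path)]
    return []


def scan_events(events: list[dict]) -> list[Finding]:
    """Run every rule over a list of {'kind': 'process'|'file', ...} events (assumed schema)."""
    out = []
    for ev in events:
        if ev["kind"] == "process":
            out.extend(check_process(ev["cmd"]))
        elif ev["kind"] == "file":
            out.extend(check_file_create(ev["path"]))
    return out


# Constructed sample telemetry (not real logs): three benign events and six that
# match the behaviours described on this page.
SAMPLE_EVENTS = [
    {"kind": "process", "cmd": r"C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "cmd": r"C:\Users\Public\svc.exe -p C:\ -percent 50 -killvm -thrcount 8"},
    {"kind": "process", "cmd": r"C:\Program Files\App\update.exe -p C:\data"},
    {"kind": "process", "cmd": r"vssadmin.exe list shadows"},
    {"kind": "process", "cmd": "esxcli vm process list > PID_list_"},
    {"kind": "process", "cmd": "esxcli vm process kill --type=soft --world-id=2101234"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\README.BlackSuit.txt"},
    {"kind": "file", "path": "/vmfs/volumes/datastore1/README.blacksuit.txt"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\README.md"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

To use it against real telemetry, map Sysmon event ID 1 (process create) and event ID 11 (file create) fields, or ESXi shell.log lines, into the event dictionaries. The switch rule deliberately ignores a lone -p or -local, which legitimate tools also use; tune the threshold to your estate. Treat a ransom-note hit as confirmation rather than a first warning, since the note is only written to folders whose contents have already been encrypted.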


HOW TO MITIGATE BLACKSUIT RANSOMWARE

The SentinelOne Singularity XDR Platform can return affected systems to their
original state using either Quarantine or Repair.

In case you do not have SentinelOne deployed, there are several steps that
organizations can take to mitigate the risk of BlackSuit ransomware attacks:

Educate employees: Employees should be educated on the risks of ransomware, and
on how to identify and avoid phishing emails, malicious attachments, and other
threats. They should be encouraged to report suspicious emails or attachments,
and to avoid opening them, or clicking on links or buttons in them.

Implement strong passwords: Organizations should implement strong, unique
passwords for all user accounts, and should regularly update and rotate these
passwords. Passwords should be at least 8 characters long, and should include a
combination of uppercase and lowercase letters, numbers, and special characters.

Enable multi-factor authentication: Organizations should enable multi-factor
authentication (MFA) for all user accounts, to provide an additional layer of
security. This can be done through the use of mobile apps, such as Google
Authenticator or Microsoft Authenticator, or through the use of physical tokens
or smart cards.

Update and patch systems: Organizations should regularly update and patch their
systems, to fix any known vulnerabilities, and to prevent attackers from
exploiting them. This includes updating the operating system, applications, and
firmware on all devices, as well as disabling any unnecessary or unused services
or protocols.

Implement backup and disaster recovery: Organizations should implement regular
backup and disaster recovery (BDR) processes, to ensure that they can recover
from ransomware attacks, or other disasters. This includes creating regular
backups of all data and systems, and storing these backups in a secure, offsite
location. The backups should be tested regularly, to ensure that they are
working, and that they can be restored quickly and easily.

©2024 SentinelOne, All Rights Reserved.