FBI, CISA Alert People about BlackSuit Ransomware Demanding $500 Million


One ransom demand for the BlackSuit strain of malware reached $60 million. To date, the malware has sought $500 million in extortion.

BlackSuit is a strain of ransomware that has so far demanded $500 million in ransom, with one ransom demand reaching $60 million.

This is in line with a revised advisory from the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“BlackSuit actors have exhibited a willingness to negotiate payment amounts,” the agencies stated. “Ransom amounts are not part of the initial ransom note but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption.”

Numerous critical infrastructure sectors, including commercial facilities, healthcare and public health, government facilities, and critical manufacturing, have been targeted by the ransomware.

An evolution of the Royal ransomware, it uses initial access gained through phishing emails to disable antivirus software and exfiltrate sensitive data, and only then deploys the ransomware and encrypts the systems.

Other common infection routes include the Remote Desktop Protocol (RDP), exploitation of vulnerable internet-facing applications, and access purchased from initial access brokers (IABs).

To maintain persistence in victim networks, BlackSuit actors are known to employ tools such as the GootLoader malware and SystemBC, which the article describes as genuine remote monitoring and management (RMM) software.

“BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks,” the agencies stated. “Password harvesting tools from Nirsoft and the publicly accessible credential-stealing program Mimikatz have also been discovered on compromised PCs. It’s common practice to terminate system processes using programs like GMER and PowerTool.”
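The tool inventory the agencies list is a ready-made detection opportunity, since every one of those names can be matched against process-creation telemetry. Below is an added example, not code from the advisory, the agencies, or this article: a Python script that parses a handful of constructed process-creation events (the field layout, hostnames, user names, paths and command lines are all invented for the demonstration) and flags the tool names quoted above, grouped by the phase the article places them in. The `sekurlsa::` pattern is a real Mimikatz module prefix added here as an assumption; the Nirsoft entry matches only the vendor name, so the specific utilities seen in your environment would need to be added.

```python
"""Scan process-creation events for the BlackSuit tooling named in the FBI/CISA advisory.

Added example for illustration; the events below are constructed, not real telemetry.
In production the lines would come from Sysmon Event ID 1 or Windows Security
Event 4688 exports, with the same five fields.
"""
import re

# Tool names taken from the advisory text, grouped by the phase the article
# describes them in. "sekurlsa::" is a Mimikatz module prefix (assumption:
# added here, not quoted on the page). Matching is on image path plus
# command line, case-insensitive.
TOOL_SIGNATURES = {
    "enumeration": [r"sharpshares", r"networx"],
    "credential_theft": [r"mimikatz", r"sekurlsa::", r"nirsoft"],
    "defense_evasion": [r"gmer", r"powertool"],
    "persistence": [r"systembc", r"gootloader"],
}
COMPILED = {
    phase: [re.compile(p, re.IGNORECASE) for p in patterns]
    for phase, patterns in TOOL_SIGNATURES.items()
}

EVENT_FIELDS = ("timestamp", "host", "user", "image", "command_line")

# Constructed sample events: timestamp|host|user|image|command_line
SAMPLE_EVENTS = [
    "2024-08-07T10:02:11Z|WS-17|CORP\\jdoe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2024-08-07T10:05:40Z|WS-17|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\SharpShares.exe|SharpShares.exe /threads:50",
    "2024-08-07T10:09:03Z|WS-17|CORP\\jdoe|C:\\Temp\\mimikatz.exe|mimikatz.exe \"sekurlsa::logonpasswords\" exit",
    "2024-08-07T10:12:55Z|WS-17|NT AUTHORITY\\SYSTEM|C:\\Temp\\PowerTool64.exe|PowerTool64.exe",
    "2024-08-07T10:14:30Z|SRV-DC01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
]


def parse_event(line):
    """Split one pipe-delimited event into a dict; reject malformed lines loudly."""
    parts = line.split("|", 4)
    if len(parts) != len(EVENT_FIELDS):
        raise ValueError(f"malformed event: {line!r}")
    return dict(zip(EVENT_FIELDS, parts))


def classify(event):
    """Return the sorted list of attack phases whose tool patterns match this event."""
    haystack = f"{event['image']} {event['command_line']}"
    return sorted(
        phase for phase, patterns in COMPILED.items()
        if any(p.search(haystack) for p in patterns)
    )


def scan(lines):
    """Parse every event and keep only those that match at least one signature."""
    findings = []
    for line in lines:
        event = parse_event(line)
        phases = classify(event)
        if phases:
            findings.append({
                "timestamp": event["timestamp"],
                "host": event["host"],
                "user": event["user"],
                "image": event["image"],
                "phases": phases,
            })
    return findings


def hosts_with_chain(findings, required=("enumeration", "credential_theft")):
    """Hosts on which every required phase was observed.

    A single tool name is a weak signal (some of these utilities have legitimate
    admin use); two phases of the same intrusion chain on one host is much stronger.
    """
    phases_by_host = {}
    for finding in findings:
        phases_by_host.setdefault(finding["host"], set()).update(finding["phases"])
    return sorted(h for h, phases in phases_by_host.items() if set(required) <= phases)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['timestamp']} {hit['host']} {hit['user']} {hit['image']} -> {', '.join(hit['phases'])}")
    print("hosts showing enumeration followed by credential theft:", hosts_with_chain(hits))
```

The substring patterns are intentionally crude; renamed binaries will not match them, so this is a tripwire for the unsophisticated case, not a substitute for behavioural detection of LSASS access or share enumeration. The `hosts_with_chain` correlation is the part worth keeping: it raises the alert priority when the phases the advisory describes line up on one machine.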

The FBI and CISA have issued warnings about an increase in the number of victims receiving emails or phone calls from BlackSuit actors informing them of the compromise and the ransom demand—a strategy that ransomware gangs are using more frequently to increase pressure.

Cybersecurity company Sophos stated in research released this week that “in recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly but also secondary victims.”

“For instance, as reported in January 2024, attackers threatened to ‘swat’ patients of a cancer hospital and have sent threatening text messages to a CEO’s spouse.”

But that’s not all. Threat actors have further claimed that they analyze stolen data for signs of illicit activity, regulatory non-compliance, and financial irregularities. They have even gone so far as to post a compromised organization’s employee’s web browser history to claim that the employee had been searching for child sexual abuse material.

Such aggressive tactics harm a target’s reputation by portraying them as immoral or careless, and they can also be used as additional leverage to force them to pay up.

This comes at a time when new families of ransomware are emerging in the wild, including Lynx, OceanSpy, Radar, Zilla (a variant of Crysis/Dharma), and Zola (a variant of Proton). At the same time, established ransomware groups are continuously changing their tactics by adding new tools to their toolbox.

As an illustration, consider Hunters International, which has been seen using a remote access trojan (RAT) and a novel piece of C#-based malware known as SharpRhino as an initial infection vector. The malware belongs to the ThunderShell family and is distributed via a typosquatting domain that impersonates the well-known network administration utility Angry IP Scanner.

It’s worth noting that the open-source RAT, also known as Parcel RAT and SMOKEDHAM, has according to eSentire been delivered through malvertising campaigns as recently as January 2024.

According to Michael Forret, a researcher at Quorum Cyber, “on execution, it establishes persistence and gives the attacker remote access to the device, which is then utilized to progress the attack.” “Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption.”

Hunters International is believed to be merely a rebrand of the Hive ransomware group. It was first observed in October 2023 and has since claimed responsibility for 134 attacks in the first half of 2024.
