Source |
RiskIQ |
Identifier |
8615043 |
Publication date |
2024-11-20 22:01:06 (viewed: 2024-11-20 23:08:26) |
Title |
Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware |
Text |
## Snapshot
Unit 42 researchers have identified a surge in [BlackSuit ransomware](https://security.microsoft.com/intel-profiles/c369785022e6b47726c23f206e47b5253b45f3bff8d17f68a0461ef8398ccda9) attacks, a rebrand of the Royal ransomware, orchestrated by the threat actor group Ignoble Scorpius. Since March 2024, Ignoble Scorpius has targeted at least 93 organizations globally, with a particular focus on the construction and manufacturing sectors. The ransom demands are calculated to be around 1.6% of the victim's annual revenue.
## Description
BlackSuit ransomware, which has both Windows and Linux variants, encrypts files using OpenSSL AES and appends the .blacksuit extension. The Linux variant specifically targets VMware ESXi servers and is capable of shutting down virtual machines before encryption. Ignoble Scorpius employs a variety of initial access methods, including phishing with malicious attachments, SEO poisoning with [GootLoader](https://security.microsoft.com/intel-profiles/6b880aa2bfeca7d44701c4dd9132708f02cb383688c12a6b2b1986cf92ca87b4), exploiting legitimate VPN credentials, and software supply chain attacks. They use credential theft tools like [Mimikatz](https://security.microsoft.com/intel-profiles/2dffdfcf7478886ee7de79237e5aeb52b0ab0cd350f1003a12064c7da2a4f1cb) and NanoDump, perform DCSync attacks, and leverage Impacket for AiTM attacks.
Lateral movement is facilitated through RDP, SMB, PsExec, and the creation of virtual machines using VirtualBox. They evade defenses by disabling antivirus and EDR solutions with tools like STONESTOP and POORTRY, and exfiltrate data using applications such as WinRAR, 7-Zip, WinSCP, Rclone, and Bublup. The group also engages in process discovery, terminates non-critical processes, and deletes shadow copies to inhibit system recovery. The rebranding from Royal ransomware to BlackSuit may allow Ignoble Scorpius to evade scrutiny and reset perceptions among defenders.
## Microsoft Analysis and Additional OSINT Context
BlackSuit is a new ransomware strain first observed by Microsoft in [Storm-1122](https://security.microsoft.com/intel-profiles/3ddbdf6a9a9846d794b0537707d999c8876cab6e1dacc4c41bd31aa692766e94)-related attacks. This financially motivated cybercriminal group began deploying Royal ransomware in October 2022 and shifted to BlackSuit ransomware in May 2023. BlackSuit ransomware shares notable code similarities with Royal ransomware, which debuted in September 2022. These similarities include the use of the OpenSSL library, specific command-line parameters (particularly the percentage parameter), and the exclusion of folders and shares like ADMIN$ and IPC$ during encryption. Additionally, BlackSuit is capable of encrypting files on both Windows and Linux operating systems.
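The two on-host behaviours the report describes, mass renaming of files to the .blacksuit extension and shadow copy deletion to inhibit recovery, can be turned into simple triage logic over endpoint telemetry. The following is an added example written for this page, not code from the report or from Unit 42/Microsoft; the pipe-delimited event format and the sample lines are constructed, and the rename threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample endpoint telemetry in a hypothetical "host|pid|event|detail"
# format; these lines are made up for the example, not taken from the report.
SAMPLE_EVENTS = """\
srv01|4412|FileRename|C:\\Shares\\Finance\\q3.xlsx -> C:\\Shares\\Finance\\q3.xlsx.blacksuit
srv01|4412|FileRename|C:\\Shares\\Finance\\q3.docx -> C:\\Shares\\Finance\\q3.docx.blacksuit
srv01|4412|FileRename|C:\\Shares\\HR\\pay.csv -> C:\\Shares\\HR\\pay.csv.blacksuit
srv01|4412|FileRename|C:\\Shares\\HR\\org.pdf -> C:\\Shares\\HR\\org.pdf.blacksuit
srv01|4400|ProcessCreate|vssadmin.exe delete shadows /all /quiet
ws07|1200|FileRename|C:\\Users\\a\\report.docx -> C:\\Users\\a\\report_v2.docx
ws07|1201|ProcessCreate|notepad.exe C:\\Users\\a\\notes.txt
"""

# Appended extension described in the report, matched on the rename target.
BLACKSUIT_RENAME = re.compile(r"-> .*\.blacksuit$", re.IGNORECASE)
# Shadow-copy deletion commands (the "inhibit system recovery" behaviour).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.IGNORECASE)

def parse_events(text):
    """Split the pipe-delimited telemetry into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        host, pid, kind, detail = parts
        events.append({"host": host, "pid": int(pid), "event": kind, "detail": detail})
    return events

def triage(text, rename_threshold=3):
    """Return sorted (host, pid, finding) tuples worth an analyst's attention."""
    findings = []
    renames = Counter()
    for ev in parse_events(text):
        key = (ev["host"], ev["pid"])
        if ev["event"] == "FileRename" and BLACKSUIT_RENAME.search(ev["detail"]):
            renames[key] += 1
        elif ev["event"] == "ProcessCreate" and SHADOW_DELETE.search(ev["detail"]):
            findings.append(key + ("shadow_copy_deletion",))
    # One process renaming many files to .blacksuit is the encryption run itself;
    # a single rename is not enough to alert on.
    for key, n in renames.items():
        if n >= rename_threshold:
            findings.append(key + ("mass_blacksuit_rename:%d" % n,))
    return sorted(findings)

if __name__ == "__main__":
    for host, pid, what in triage(SAMPLE_EVENTS):
        print(host, pid, what)
```

The threshold and the event schema need adapting to the EDR feed in use; the point is that the two behaviours are cheap to flag independently of the sample's hashes.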
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Read our [ransomware as a service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/?ocid=magicti_mdti_blog#defending-against-ransomware) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_mdti_learndoc) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=magicti_mdti_learndoc) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (ED |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
|