Investigating BlackSuit Ransomware’s Similarities to Royal

BlackSuit's operators also set up a data leak site as part of their double extortion strategy to coerce victims into paying the ransom demand. Only a single victim was listed on the leak site as of the time of writing.

One of the BlackSuit ransomware samples we analyzed is an x64 ESXi version targeting Linux machines. An earlier post on Twitter revealed that YARA rules designed for BlackSuit's Linux variant also matched samples of the Royal ransomware Linux variant.

After comparing the Royal and BlackSuit Linux samples, it became apparent to us that the two share an extremely high degree of similarity. In fact, they are nearly identical: 98% similarity in functions, 99.5% in basic blocks, and 98.9% in jumps, as measured with BinDiff, a binary comparison tool.

Further analysis found that BlackSuit accepts command-line arguments whose functions are similar to those used by Royal. There are differences, however: the argument strings themselves differ, and BlackSuit adds arguments not found in Royal.

Table 1. A comparison of arguments for the Linux versions of BlackSuit and Royal

Meanwhile, the skip argument is used to indicate a text file that contains a list of folders to be skipped.

During file enumeration and encryption, both ransomware families skip files with the following extensions and filenames:

Table 2. List of extensions and filenames skipped by both BlackSuit and Royal

BlackSuit ransomware targets only the following extensions if the -allfiles argument is not provided:

  • .vmem

  • .vmdk

  • .nvram

  • .vmsd

  • .vmsn

  • .vmss

  • .vmtm

  • .vmxf

  • .vmx

The binaries for both BlackSuit and Royal use OpenSSL's AES for encryption and employ similar intermittent encryption techniques to accelerate the encryption of the victim's files.

Both BlackSuit and Royal prepare files for encryption by rounding the file size up to a multiple of 16, after which 41 bytes are added, possibly to account for the encryption header and other metadata.

Next, the size of the file being encrypted is checked to determine whether it is greater than 0x40000 (262,144 bytes, roughly 262 KB). If so, the routine uses the value set with -percent (the i_ep variable in the disassembly); if not, it uses the default of 100.

The number of bytes to be used for intermittent encryption is then calculated using the same formula found in the Linux version of Royal ransomware:

  • N = (X/10) * (Original File Size / 100), then rounded down to a multiple of 16, where X is the value of -percent
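The size preparation and intermittent-encryption calculation described above, carried through in code as an added example. This is illustrative code written for this article, not code recovered from the BlackSuit or Royal binaries; the function and constant names are ours, and it assumes X multiplied by the file size is evaluated exactly and floored before the rounding to 16, which the analysis does not state.

```python
# Added example: reproduces the file-size preparation and the intermittent-
# encryption byte count described in the analysis above. Illustrative code
# written for this article, not code from the BlackSuit/Royal binaries.
from typing import Optional

HEADER_BYTES = 41            # bytes appended after rounding the size up to 16
PERCENT_THRESHOLD = 0x40000  # 262,144 bytes; -percent only applies above this
DEFAULT_PERCENT = 100


def round_up_16(n: int) -> int:
    """Round n up to the next multiple of 16 (the AES block size)."""
    return (n + 15) // 16 * 16


def round_down_16(n: int) -> int:
    """Round n down to a multiple of 16."""
    return n // 16 * 16


def prepared_size(original_size: int) -> int:
    """Space reserved for the encrypted file: padded size plus the 41-byte header."""
    return round_up_16(original_size) + HEADER_BYTES


def effective_percent(original_size: int, percent_arg: Optional[int]) -> int:
    """The X used in the formula: the -percent value (i_ep) for files larger
    than 0x40000 bytes, otherwise the default of 100."""
    if original_size > PERCENT_THRESHOLD and percent_arg is not None:
        return percent_arg
    return DEFAULT_PERCENT


def intermittent_bytes(original_size: int, percent_arg: Optional[int] = None) -> int:
    """N = (X/10) * (original_size/100), rounded down to a multiple of 16.
    Assumption (ours): X*size/1000 is computed exactly, floored, then rounded."""
    x = effective_percent(original_size, percent_arg)
    n = x * original_size // 1000
    return round_down_16(n)


if __name__ == "__main__":
    # Constructed sizes and -percent values, not taken from any sample.
    for size, pct in [(1000, None), (123456, 50), (1_000_000, 50), (1_000_000, 30)]:
        print(f"size={size:>9} -percent={pct}: prepared={prepared_size(size)} "
              f"X={effective_percent(size, pct)} N={intermittent_bytes(size, pct)}")
```

Note that a -percent value passed for a file at or below 0x40000 bytes is ignored: the 123,456-byte case above uses X = 100 even though 50 was supplied, which is the behaviour the threshold check produces.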

The file size is checked again to calculate the amount of space to be allocated for the data and metadata. Finally, the keys to be used for encryption are prepared.

In the case of BlackSuit, as we previously mentioned, it appends the extension ".blacksuit" to encrypted files and drops a ransom note in the directory where the files are located.

In addition to the Linux-based sample, we also analyzed a Windows 32-bit version of BlackSuit, which likewise shows significant similarity to its Royal ransomware counterpart (93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps, based on BinDiff).

Our analysis found that BlackSuit accepts the following command-line arguments:

Table 3. A comparison of arguments for the Win32 versions of BlackSuit and Royal

While BlackSuit uses different argument strings than Royal, their purpose remains similar. BlackSuit combines arguments from various Windows versions of Royal ransomware and also introduces new arguments of its own, such as -delete and -list.

The -delete argument uses the following command to repeatedly check, by filename, whether the ransomware's own file still exists:

cmd /v/c "set f={Malware File Name}&for /l %l in () do if exist !f! (del /f/a "!f!") else (exit)"

If the file is found, it is deleted with del /f. Because Windows will not delete an executable while its process is still running, the command keeps looping until the ransomware process exits and the deletion succeeds, at which point the else branch exits the loop.

The -list argument is used to specify a text file containing the target directories to encrypt. BlackSuit loads the file using the ReadFile API and places its contents in a buffer. Note that the text file shown loaded is a sample we used for testing, not the format of the file used in an actual attack.

If -disablesafeboot is passed as an argument, BlackSuit removes the "safeboot" value from the current boot entry in the Boot Configuration Data (BCD) and performs an immediate system restart via the following commands:

"%System%\bcdedit.exe" /deletevalue {current} safeboot
shutdown.exe /r /t 0

When encrypting network shares via the -network argument, BlackSuit checks whether the target IP address begins with one of the following prefixes, so that it encrypts only systems it considers local:

  • 192.168.

  • 10.

  • 100.

  • 172.

Note that these are plain string-prefix checks, so they cover more than the private address ranges: any address starting with 172. or 100. passes, not just 172.16.0.0/12 or the 100.64.0.0/10 carrier-grade NAT block.
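The -network "local system" test as described above, implemented as a string-prefix match and placed beside a strict RFC 1918 check so the over-match is visible. This is an added example written for this article, not code from the BlackSuit binary; the function names and the sample host list are ours.

```python
# Added example: the -network prefix test from the analysis (a string-prefix
# match on the dotted-quad) compared with strict RFC 1918 membership.
# Illustrative code for this article, not code from the BlackSuit binary.
import ipaddress

LOCAL_PREFIXES = ("192.168.", "10.", "100.", "172.")  # prefixes listed in the analysis

RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def blacksuit_treats_as_local(ip: str) -> bool:
    """The check as described: does the textual address start with a listed prefix?"""
    return ip.startswith(LOCAL_PREFIXES)


def is_rfc1918(ip: str) -> bool:
    """Strict private-range membership, for comparison."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def over_matched(ips):
    """Addresses BlackSuit would treat as local that are not RFC 1918 space."""
    return [ip for ip in ips if blacksuit_treats_as_local(ip) and not is_rfc1918(ip)]


def under_matched(ips):
    """RFC 1918 addresses the prefix test would miss. Expected to be empty:
    every private range begins with one of the listed prefixes."""
    return [ip for ip in ips if is_rfc1918(ip) and not blacksuit_treats_as_local(ip)]


# Constructed sample of share hosts (not taken from any incident).
SAMPLE_HOSTS = [
    "10.0.0.5",      # RFC 1918
    "172.16.4.20",   # RFC 1918
    "192.168.1.10",  # RFC 1918
    "172.217.3.4",   # public, but starts with "172."
    "100.64.0.1",    # carrier-grade NAT (100.64.0.0/10), starts with "100."
    "100.1.2.3",     # public, starts with "100."
    "169.254.1.1",   # link-local: neither matched nor RFC 1918
    "8.8.8.8",       # public
]

if __name__ == "__main__":
    for ip in SAMPLE_HOSTS:
        print(f"{ip:<14} blacksuit_local={blacksuit_treats_as_local(ip)!s:<5} "
              f"rfc1918={is_rfc1918(ip)}")
    print("over-matched:", over_matched(SAMPLE_HOSTS))
```

For incident scoping this means that shares reachable on public 172.x or 100.x addresses, or on CGNAT space, are inside the ransomware's target set even though they are outside the private ranges the check is presumably meant to approximate.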

It avoids encrypting files with the following strings in their file path:

Table 4. Royal and BlackSuit avoid encrypting files that have these strings

Table 5. Royal and BlackSuit avoid encrypting files that contain these extensions

BlackSuit ransomware also deletes shadow copies using the following command:

"%System%\vssadmin.exe" Delete Shadows /All /Quiet
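Detection logic for the three command lines quoted in this analysis (the -delete self-removal loop, the -disablesafeboot BCD edit, and the shadow copy deletion above), run over constructed process-creation events. This is an added example written for this article, not a rule set shipped by any product; the events are made up, the rule names are ours, and the patterns are written slightly wider than the literal command lines so that argument reordering or a different loop variable still matches.

```python
# Added example: regex detection for the three BlackSuit command lines quoted
# in the analysis, applied to constructed process-creation events. Written for
# this article; event data is made up and rule names are ours.
import re

RULES = {
    # "%System%\vssadmin.exe" Delete Shadows /All /Quiet (also matches without /Quiet)
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*/all\b", re.IGNORECASE),
    # "%System%\bcdedit.exe" /deletevalue {current} safeboot
    "safeboot_bcd_removal": re.compile(
        r"\bbcdedit(\.exe)?\b.*\s/deletevalue\s+\{current\}\s+safeboot\b", re.IGNORECASE),
    # cmd /v/c "set f=...&for /l %l in () do if exist !f! (del /f/a "!f!") else (exit)"
    "cmd_self_delete_loop": re.compile(
        r"\bcmd(\.exe)?\b.*\s/v\s*/c\b.*\bfor\s+/l\s+%\w+\s+in\s+\(\s*\)\s+do\s+if\s+exist\b.*\bdel\s+/f",
        re.IGNORECASE),
}


def detect(command_line: str):
    """Return the names of all rules that match one process command line."""
    return [name for name, pattern in RULES.items() if pattern.search(command_line)]


def scan(events):
    """events: iterable of (host, image, command_line). Returns (host, rule, command_line) hits."""
    hits = []
    for host, image, cmdline in events:
        for rule in detect(cmdline):
            hits.append((host, rule, cmdline))
    return hits


# Constructed sample events in a Sysmon Event ID 1 shape; the executable path
# in the self-delete loop is a placeholder, not a real sample name.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\vssadmin.exe",
     r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ("ws01", r"C:\Windows\System32\bcdedit.exe",
     r'"C:\Windows\System32\bcdedit.exe" /deletevalue {current} safeboot'),
    ("ws01", r"C:\Windows\System32\shutdown.exe", r"shutdown.exe /r /t 0"),
    ("ws01", r"C:\Windows\System32\cmd.exe",
     r'cmd /v/c "set f=C:\Users\Public\sample.exe&for /l %l in () do if exist !f! (del /f/a "!f!") else (exit)"'),
    ("ws02", r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
    ("ws02", r"C:\Windows\System32\cmd.exe", r'cmd /c "dir C:\Users"'),
]

if __name__ == "__main__":
    for host, rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmdline}")
```

The shutdown.exe /r /t 0 line is deliberately not a rule on its own, since it is far too common in normal administration; the -disablesafeboot behaviour is caught through the bcdedit /deletevalue {current} safeboot invocation that precedes it, which has no routine legitimate use.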

The emergence of BlackSuit ransomware, with its similarities to Royal, indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has modified the original family.

One possibility for BlackSuit's creation is that, since the threat actors behind Royal (and Conti before it) are among the most active ransomware groups operating today, their prominence drew the attention of other cybercriminals, who were then inspired to develop a similar ransomware. Another possibility is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.

Whatever the case may be, the emergence of another ransomware like BlackSuit is further evidence that threat actors continually look for more effective tools, from modifying existing code to developing new ransomware families, in order to profit from their victims. Both organizations and individual users should therefore remain vigilant in protecting their files and data from ransomware attacks.

Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources toward establishing a strong defense strategy. Here are some recommendations:

  • Create an inventory of assets and data

  • Identify authorized and unauthorized devices and software

  • Conduct audits of event and incident logs

  • Manage hardware and software configurations

  • Grant administrative privileges and access only when necessary

  • Monitor network ports, protocols, and services

  • Establish an allowlist of approved software applications

  • Implement measures for data protection, backup, and recovery

  • Enable multifactor authentication (MFA)

  • Deploy up-to-date security solutions across all system layers

  • Remain vigilant for early indications of an attack

By adopting a multilayered approach to securing potential entry points (endpoints, email, web, and network), organizations can detect malicious components and suspicious behavior and defend themselves against ransomware attacks. The following Trend Micro solutions support this approach:

  • Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.



  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.



Indicators of Compromise (IOCs)
