The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations spanning a year.
Researchers from ReliaQuest analyzed in-depth an attack that took place in April from the ransomware group, which has been active since May 2023.
The group - believed to be spun off from the Royal ransomware gang - primarily targets US-based companies in critical sectors such as education and industrial goods, choosing targets carefully to maximize financial gain, according to a blog post published yesterday.
BlackSuit uses a double-extortion method and other tactics, techniques, and procedures that reflect a maturity atypical of a group that's only been around for a year.
This reflects its origin in Royal, which in turn was made up of members of the formidable and now-defunct Conti ransomware gang.
In-Depth Attack Sequence
The BlackSuit attack observed in April began when a threat actor gained VPN access to the customer's environment through a valid account, likely using credentials that were brute-forced or accessed in a password dump.
Over the next week, the attacker moved laterally across several Windows workstations, primarily using PsExec, a remote administration tool that was already in use in the customer environment.
After a three-day pause in the action - likely because the initial intrusion was carried out by an initial-access broker who then sold BlackSuit or one of its affiliates access to the environment - the attack resumed: the attacker authenticated to a Windows server and downloaded a custom payload that loaded Rubeus, a toolkit for Kerberos abuse, into PowerShell.
The attacker then compromised more than 20 users through Kerberoasting - a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking, according to security firm Qomplx - as well as an additional account via AS-REP roasting.
Once the attack was detected, the impacted organization took immediate action to roll passwords across the domain and isolate the compromised site from other global locations to limit the impact.
It ultimately focused on remediation through hash banning and host isolation using endpoint security solutions, according to ReliaQuest.
Mitigating Various Ransomware Attack Stages
ReliaQuest revealed several mitigation tactics that organizations can take for each of the attack steps it observed.
To avoid the VPN misconfiguration that allowed initial access, the team suggested that organizations use centralized change management and version control to deploy network device configurations instead of managing devices individually.
Organizations also can better track lateral movements by monitoring Windows event logs and deploying a robust endpoint detection and response tool, neither of which the customer did.
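As an added illustration of the Windows event log monitoring recommended above, applied to the Kerberoasting and AS-REP roasting steps described earlier, the following Python is example code written for this page, not code from ReliaQuest or from the incident. It runs over constructed sample records shaped like the EventData of Security Events 4769 (service ticket request) and 4768 (TGT request); the user names, service names and timestamps are invented, and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11/0x12

# Constructed sample events (not from the incident in the article). "etype" mirrors
# TicketEncryptionType, "preauth" mirrors PreAuthType (0 = no pre-authentication).
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T09:00:01", "id": 4769, "user": "svc_backup$", "service": "host/ws01", "etype": "0x12"},
    {"ts": "2024-04-10T09:05:00", "id": 4769, "user": "jdoe", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"ts": "2024-04-10T09:05:01", "id": 4769, "user": "jdoe", "service": "http/intranet", "etype": "0x17"},
    {"ts": "2024-04-10T09:05:02", "id": 4769, "user": "jdoe", "service": "ldap/dc01", "etype": "0x17"},
    {"ts": "2024-04-10T09:05:03", "id": 4769, "user": "jdoe", "service": "cifs/fs01", "etype": "0x17"},
    {"ts": "2024-04-10T09:05:04", "id": 4769, "user": "jdoe", "service": "exchangeMDB/mail01", "etype": "0x17"},
    {"ts": "2024-04-10T10:00:00", "id": 4769, "user": "asmith", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"ts": "2024-04-10T10:30:00", "id": 4768, "user": "legacy_app", "preauth": "0", "etype": "0x17"},
    {"ts": "2024-04-10T10:31:00", "id": 4768, "user": "bjones", "preauth": "2", "etype": "0x12"},
]


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: [services]} for accounts that requested at least `threshold` distinct
    RC4-encrypted service tickets inside one sliding window. A burst of RC4 TGS requests
    for many SPNs from a single account is the signature of a Kerberoasting sweep."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological, so every window starts at reqs[i]
        for i, (start, _) in enumerate(reqs):
            spns = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(spns) >= threshold:
                flagged[user] = sorted(spns)
                break
    return flagged


def detect_asrep_roasting(events):
    """Return 4768 events where pre-authentication was not required and the reply was
    RC4-encrypted: the combination that makes an AS-REP crackable offline. The fix is
    to re-enable pre-authentication on the account (and prefer AES) rather than to alert alone."""
    return [e for e in events
            if e["id"] == 4768 and e.get("preauth") == "0" and e["etype"] == RC4_HMAC]
```

In a real deployment the sample list would be replaced by 4768/4769 records pulled from the domain controllers' Security logs, and a hit on either function should trigger a password reset for the affected service account.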
This Cyber News was published on www.darkreading.com. Publication date: Wed, 29 May 2024 14:50:25 +0000