How is this going?
A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including one at a central Georgia school.
Earlier this year, a Tampa Bay zoo was attacked by the same hacker group.
Meanwhile, DePauw University, a liberal arts college in Indiana, said it was recently targeted and “limited data about specific individuals was obtained.” 214GB of stolen data has since been made available for download on BlackSuit’s dark web ransomware site.
Why haven’t you heard of BlackSuit before?
If you’re interested in network security, you’re probably not completely unfamiliar with BlackSuit. Although BlackSuit first appeared in May 2023, it appears to have close ties to the Royal ransomware gang, which itself was born from the remnants of the notorious Conti group.
Do you think BlackSuit is a rebranding of the Royal and Conti ransomware groups?
It’s not just me. Last month, the U.S. Department of Health and Human Services (HHS) issued an advisory to health care and public health departments about BlackSuit, which described BlackSuit’s “striking similarities” to Royal and called it a “direct successor to the notorious Russian-linked Conti operation.”
The U.S. Department of Health and Human Services warned that BlackSuit is a “threat actor to watch closely in the near future.”
So is BlackSuit another ransomware-as-a-service (RaaS) operation?
Not yet. BlackSuit cannot currently be considered ransomware-as-a-service, as it has no known affiliates. That may change in the future, of course – but the malicious hackers behind BlackSuit may be happy to keep their weapons (and the profits they generate) to themselves.
How do I know my organization has been hit by BlackSuit?
BlackSuit encrypts files on Linux and Windows systems and appends a “.blacksuit” extension to affected files. It also changes your desktop wallpaper and drops a ransom note (named “README.BlackSuit.txt”).
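As an added illustration (not from the original article), here is a small Python triage script built around the two file-system indicators just described: the “.blacksuit” extension on encrypted files and the “README.BlackSuit.txt” ransom note. It works on Windows and POSIX path strings, reports which directories and original file types were hit, and can walk a real directory tree; the sample paths are constructed for the demonstration.

```python
import os
from collections import Counter

# Host-based indicators named in the article: the extension appended to
# encrypted files and the name of the dropped ransom note.
BLACKSUIT_EXT = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"


def _split(path):
    """Return (parent, name) for a Windows or POSIX path string."""
    parts = path.replace("\\", "/").split("/")
    return "/".join(parts[:-1]), parts[-1]


def classify_path(path):
    """Label one path as 'ransom_note', 'encrypted' or None."""
    name = _split(path)[1].lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(BLACKSUIT_EXT) and len(name) > len(BLACKSUIT_EXT):
        return "encrypted"
    return None


def triage_paths(paths):
    """Summarise indicator hits across a list of file paths."""
    s = {"encrypted": 0, "ransom_notes": 0,
         "dirs": Counter(), "orig_exts": Counter()}
    for p in paths:
        parent, name = _split(p)
        kind = classify_path(p)
        if kind == "encrypted":
            s["encrypted"] += 1
            s["dirs"][parent] += 1
            # Recover the original extension (e.g. .xlsx) hidden under .blacksuit.
            stem = name[: -len(BLACKSUIT_EXT)]
            s["orig_exts"][os.path.splitext(stem)[1].lower() or "(none)"] += 1
        elif kind == "ransom_note":
            s["ransom_notes"] += 1
    # Both artefacts together are a much stronger signal than either alone.
    s["suspected_blacksuit"] = s["encrypted"] > 0 and s["ransom_notes"] > 0
    return s


def triage_tree(root):
    """Walk a real directory tree (e.g. a restored share) and triage it."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(found)


# Constructed sample paths for demonstration, not from a real incident.
SAMPLE_PATHS = [
    "C:\\Users\\finance\\Documents\\budget.xlsx.blacksuit",
    "C:\\Users\\finance\\Documents\\README.BlackSuit.txt",
    "C:\\Users\\finance\\Pictures\\holiday.jpg",
    "/srv/share/hr/payroll.csv.blacksuit",
    "/srv/share/hr/README.BlackSuit.txt",
    "/srv/share/hr/notes.txt",
    "/var/log/syslog",
    "/home/dev/project/main.py.blacksuit",
]

if __name__ == "__main__":
    result = triage_paths(SAMPLE_PATHS)
    print(f"encrypted={result['encrypted']} notes={result['ransom_notes']} "
          f"suspected={result['suspected_blacksuit']}")
    for d, n in result["dirs"].most_common():
        print(f"  {n:3d} encrypted file(s) in {d}")
```

Feed `triage_tree()` a mounted image or restored share to get the same summary for a real host; a directory with encrypted files but no note is still worth a look, which is why the per-directory counts are kept separately from the combined flag.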
Should I pay the ransom?
This is the six million dollar question. Or should that be the 139 Bitcoin question? 🙂
Of course, paying a ransom encourages ransomware attackers. If no organization paid, there would be no ransomware attacks. Therefore, paying money to malicious people trying to rip off your company is very unappealing.
However, not paying is not an easy decision for any victim to make. Even if they have secure, unencrypted backups of critical data from which to rebuild their systems, they still have to deal with the possible consequences of sensitive information about their business, employees, suppliers and customers being leaked online by the criminals.
Not only can a data breach have legal consequences, but a company’s public image and brand reputation can be severely damaged when the hackers publish the stolen data.
Ultimately, there are no good decisions – only a choice between two unpleasant alternatives.
So, what action should I take now?
The best approach is to make sure you have hardened your defenses against ransomware attacks, to reduce their chances of success and limit any potential impact on your business.
The FBI and CISA have released mitigation guidance and a series of IOCs for the Royal and BlackSuit ransomware families.
Additionally, it would be wise to follow our recommendations on how to protect your organization from ransomware more generally.
These include:
- Make secure off-site backups.
- Run the latest security solutions and make sure your computer is protected against vulnerabilities with the latest security patches.
- Limit attackers’ ability to spread laterally through your organization through network segmentation.
- Protect sensitive data and accounts with unique, hard-to-crack passwords and enable multi-factor authentication.
- Encrypt sensitive information whenever possible.
- Reduce your attack surface by disabling features your company doesn’t need.
- Educate and inform employees about the risks and methods used by cybercriminals to launch attacks and steal data.
Stay safe and don’t let your organization become the next victim of the BlackSuit ransomware group.
Editor’s note: The opinions expressed in this guest author article are those of the contributor and do not necessarily reflect the views of Tripwire.