Ignoble Scorpius uses BlackSuit ransomware

Security researchers from Palo Alto Networks Unit 42 have identified a threat group, dubbed Ignoble Scorpius, that deploys the BlackSuit ransomware in its operations.

BlackSuit ransomware emerged in May 2023 as a rebrand of the Royal ransomware and has targeted a broad array of victims. Since March 2024, Ignoble Scorpius has claimed at least 93 victims worldwide. The group operates a dark web leak site to pressure victims into paying ransoms, which Unit 42 notes typically start at approximately 1.6% of the victim’s annual revenue.

Ignoble Scorpius’ activity is concentrated on U.S.-based organizations. Its ability to execute complex supply chain attacks and bypass defenses signals an escalation in the sophistication of ransomware campaigns.

The report highlights Ignoble Scorpius’ advanced tactics, techniques, and procedures (TTPs), which include:

  • Initial Access: Leveraging methods such as phishing campaigns (T1566.001), SEO poisoning with GootLoader (T1608.006), and supply chain attacks (T1195.002).
  • Privilege Escalation: Using credential theft tools such as Mimikatz and NanoDump, and conducting domain-wide attacks by dumping the NTDS.dit file.
  • Lateral Movement: Exploiting RDP (T1021.001) and SMB (T1021.002) for propagation, alongside tools such as PsExec (T1570).
  • Defense Evasion: Using a vulnerable driver and loader to disable and evade antivirus and EDR solutions (T1562.001).
  • Exfiltration: Using WinRAR and 7-Zip to compress and stage files prior to exfiltration, after which the attackers used WinSCP over FTP and Rclone to exfiltrate files. In at least one instance, the attackers renamed Rclone to svchost.exe prior to execution (T1048). They also used a third-party project management application named Bublup to exfiltrate files (T1567.002).
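A defender-side illustration of the Exfiltration item above: constructed process-creation events are checked for Rclone masquerading as svchost.exe and for WinRAR/7-Zip archive staging. This is an added example, not code from the Unit 42 report; the Sysmon-style field names and every sample path and command line are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine);
# the telemetry format is an assumption, not something the report specifies.
@dataclass
class ProcessEvent:
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFilename from the PE version resource
    command_line: str

LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote is written "name:path"; a drive letter ("C:\...") must not match.
REMOTE_RE = re.compile(r"^[a-z][a-z0-9_-]*:(?![\\/]|$)", re.I)

def detect(ev: ProcessEvent) -> list[str]:
    """Return the heuristics this event trips (empty list = nothing seen)."""
    hits: list[str] = []
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    orig = ev.original_file_name.lower()
    tokens = ev.command_line.split()
    # 1. svchost.exe started from anywhere but the Windows system folders.
    if name == "svchost.exe" and ev.image.lower() not in LEGIT_SVCHOST:
        hits.append("svchost.exe outside System32")
    # 2. On-disk name disagrees with the compiled-in name: a renamed binary.
    if orig and orig != name:
        hits.append(f"renamed binary ({orig} -> {name})")
    # 3. Rclone transfer syntax, whatever the file is called on disk.
    is_rclone_cmd = (len(tokens) > 2 and tokens[1].lower() in RCLONE_VERBS
                     and any(REMOTE_RE.match(t) for t in tokens[2:]))
    if orig == "rclone.exe" or is_rclone_cmd:
        hits.append("rclone transfer to remote")
    # 4. Archiver run with an add/move verb: files being staged for exfiltration.
    if name in ARCHIVERS and len(tokens) > 1 and tokens[1].lower() in {"a", "m"}:
        hits.append("archive staging")
    return hits

def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    # Map each image path that tripped at least one heuristic to its reasons.
    return {ev.image: h for ev in events if (h := detect(ev))}

# Constructed sample telemetry: benign svchost, renamed Rclone, 7-Zip staging, benign 7-Zip listing.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessEvent(r"C:\ProgramData\svchost.exe", "rclone.exe", r"svchost.exe copy C:\staging\fin.7z mega:backup -P"),
    ProcessEvent(r"C:\Users\Public\7z.exe", "7z.exe", r"7z.exe a -r C:\staging\fin.7z D:\Finance"),
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe", "7z.exe", r"7z.exe l C:\backup\archive.7z"),
]
```

Rule 2 on its own is noisy on hosts where legitimately renamed tools run; in practice it is the combination with rule 1 or rule 3 that merits an alert.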

The ransomware’s payload features variants for both Windows and Linux systems, with specific functionalities targeting VMware ESXi servers. The Windows variant employs a unique victim ID to facilitate ransom negotiations on the dark web, while the Linux variant introduces flags to shut down virtual machines and encrypt critical files.

Unit 42 emphasizes that BlackSuit is a direct successor to Royal ransomware and, by extension, shares lineage with the infamous Conti group. “The true effectiveness of rebranding is difficult to quantify,” the report notes, “but it can offer ransomware groups a respite from the scrutiny of researchers, law enforcement, and the media.” This strategic pivot may also serve to disorient defenders by shifting TTPs and resetting perceptions of the group’s threat level.

Reference: Securityonline
