Sunday, January 14, 2024

BlackSuit ransomware – what you need to know

What's going on?

A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia.

And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang.

Meanwhile, liberal arts college DePauw University in Indiana says that it was recently targeted, and a “limited amount of data on specific individuals was accessed.” 214GB of stolen data has since been made available for download on BlackSuit’s extortion site on the dark web.

How come I haven't heard of BlackSuit before?

Chances are that if you’re interested in cybersecurity, you are not a complete stranger to BlackSuit. Although BlackSuit first appeared in May 2023, it appears to have strong links to the Royal ransomware gang, which itself was born out of the remains of the notorious Conti group.

Are you suggesting that BlackSuit is a rebranding of the Royal and Conti ransomware groups?

It's not just me. Last month the US Department of Health and Human Services (HHS) issued an advisory to the healthcare and public health sector about BlackSuit that described its “striking parallels” to Royal, and said it was the “direct successor to the notorious Russian-linked Conti operation.”

The HHS warned that BlackSuit was “a threat actor to be closely watched in the near future”.

So is BlackSuit another ransomware-as-a-service (RaaS) operation?

Not currently. Right now, it can’t be considered ransomware-as-a-service, as there are no known affiliates of BlackSuit. Of course, that may change in the future – but it’s possible that the malicious hackers behind BlackSuit are happy keeping their weapon (and the profits it generates) to themselves.

How will I know that my organisation has been hit by BlackSuit?

BlackSuit encrypts files on your Linux and Windows systems and appends a “.blacksuit” extension to affected files. It also changes your desktop wallpaper, and drops a ransom note (named “README.BlackSuit.txt”).
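The two file-system indicators named above (the “.blacksuit” extension and the “README.BlackSuit.txt” note) can be swept for with a simple script. This is an added example, not code from the article or from any vendor; the sample directory it builds is constructed dummy data, and the verdict labels are the example's own.

```python
"""Added example (not from the article): sweep a directory tree for the
BlackSuit indicators the article names, the ".blacksuit" extension on
encrypted files and a ransom note called "README.BlackSuit.txt"."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "README.BlackSuit.txt"   # ransom note name given in the article
ENCRYPTED_EXT = ".blacksuit"           # extension appended to encrypted files


def scan_for_blacksuit_indicators(root):
    """Walk `root` and collect paths matching either indicator.

    Returns a dict with relative paths of suspected encrypted files, relative
    paths of ransom notes, and a verdict ("clean", "suspect",
    "likely_blacksuit") that a monitoring job could turn into an alert.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = str((Path(dirpath) / name).relative_to(root))
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
    # Either indicator alone deserves a look; both together are a strong signal.
    verdict = "clean"
    if encrypted or notes:
        verdict = "suspect"
    if encrypted and notes:
        verdict = "likely_blacksuit"
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "verdict": verdict}


def build_sample_tree():
    """Create a constructed (fake) share layout with one hit folder and one
    untouched folder. File contents are dummy bytes, not real malware output."""
    root = Path(tempfile.mkdtemp(prefix="blacksuit_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q4-budget.xlsx.blacksuit").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("constructed note text\n")
    (root / "hr").mkdir()
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed")
    return str(root)


if __name__ == "__main__":
    result = scan_for_blacksuit_indicators(build_sample_tree())
    print(result["verdict"], len(result["encrypted"]), "encrypted,", len(result["notes"]), "notes")
```

Point the scanner at a file share or backup target on a schedule; a non-"clean" verdict is a reason to isolate the host and check backups before anything is restored.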

Should I pay the ransom?

That's the six million dollar question. Or should that be the 139 Bitcoins question? 🙂

It's true to say that paying ransoms encourages ransomware attackers. If no organisations ever paid up, there wouldn’t be ransomware attacks. So, paying the malicious people attempting to extort your company is deeply unattractive.

However, not paying is not an easy decision for any victim to make. Even if they have a secure, unencrypted backup of their critical data to rebuild their systems from, they may still have to deal with the possible fall-out when sensitive information about their business, their staff, their suppliers, and their customers is released into the public domain by the criminals.

The repercussions of a data leak aren’t just potentially legal: a company’s public image and brand reputation may be seriously tarnished by hackers that publish exfiltrated data.

Ultimately, there is no good choice – only a choice between two unpleasant options.

So, what action should I take right now?

The best thing to do is to ensure that you have hardened defences in place before a ransomware attack, to reduce the chances of it succeeding and limit any potential impact on your business.

The FBI and CISA have published mitigation guidance and a range of IOCs for both the Royal and BlackSuit ransomware families.

In addition, it would be wise to follow our recommendations on how to protect your organisation from other ransomware.

These include:

  • making secure offsite backups.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • restricting an attacker’s ability to spread laterally through your organisation via network segmentation.
  • using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • encrypting sensitive data wherever possible.
  • reducing the attack surface by disabling functionality that your company doesn’t need.
  • educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Stay safe, and don't allow your organisation to be the next victim to fall foul of the BlackSuit ransomware group.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
