Healthcare sector on alert as BlackSuit ransomware poses growing threat, linked to notorious Royal group

2023.11.13

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) recently released an analyst note regarding a relatively new ransomware group called BlackSuit. The strain bears notable resemblances to the Royal ransomware family and is expected to pose a credible threat to the healthcare and public health (HPH) sector.

“Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today,” the HC3 analyst note disclosed. “Both Royal and the now defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly.” 

HC3 said that BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a compromised network. So far, the specific use of BlackSuit ransomware has been observed in a small number of attacks. “The most recent suspected attack, in October 2023, was against a U.S.-based HPH organization whose servers and systems were encrypted with malware, tentatively identified as BlackSuit.” 

According to the agency, it is challenging to make definitive conclusions about the preferred targets of the BlackSuit threat group due to the limited number of victims. Currently, the group has targeted the United States, Canada, Brazil, and the United Kingdom. “If ties to Royal (and by extension, Conti) are confirmed, then the correlation to these Russian-speaking threat actors will likely support a geographic exclusionary pattern by the group. Both Royal and Conti are known to exclude ex-Soviet or Commonwealth of Independent States (CIS) countries from being targeted in attacks,” it added. 

Additionally, while only a few victims are known, its target industries appear to be indiscriminate, including the healthcare, manufacturing, business technology, business retail, and government sectors. Continued monitoring of this group over the next year will likely demonstrate more about their motivations and specific targeting preferences. 

The note added that one cybersecurity company documented at least three attacks involving the BlackSuit encryptor, with ransom demands below US$1 million. Another company documented at least five attacks in the manufacturing, business technology, business retail, and government sectors spanning the United States, Canada, Brazil, and the United Kingdom.

With only a small number of victims, the ransomware gang is considered more infamous for their purported connections to the more prolific Royal ransomware family, according to the agency. “If their connection is confirmed, it would augment BlackSuit as a threat actor to be closely watched in the near future.”

HC3 identified that following a May 2023 attack on a major city in Texas by the Royal ransomware group, many cybersecurity researchers speculated that they would rebrand under a new name after widespread media attention and pressure from law enforcement. “A new BlackSuit ransomware operation was discovered in the same month that was using its own branded encryptor and Tor negotiation sites. It was believed that this was the ransomware operation that the Royal ransomware group would rebrand into. However, a rebrand never occurred, and Royal is still actively attacking the enterprise while using BlackSuit in limited attacks,” it added.

The agency further pointed out that one cybersecurity company’s analysis of the Linux variant of BlackSuit uncovered significant similarities to the Royal ransomware family. The researchers, who examined an x64 VMware ESXi version targeting Linux machines, said that they identified an ‘extremely high degree of similarity’ between Royal and BlackSuit. Furthermore, they stated that ‘they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.’

The analyst note also highlighted a BinDiff comparison of the Windows artifacts, which identified 93.2 percent similarity in functions, 99.3 percent in basic blocks, and 98.4 percent in jumps.

“The most recent findings from the same company note that BlackSuit and Royal use OpenSSL’s AES for encryption, and utilize similar intermittent encryption techniques to speed up the encryption process,” the HC3 said. “Overlaps aside, BlackSuit incorporates additional command-line arguments and avoids a different list of files with specific extensions during enumeration and encryption.” 

Additionally, the emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, an affiliate of the Royal ransomware gang that has implemented modifications to the original family, or emerged from a splinter group within the original Royal ransomware family.

BlackSuit primarily targets Linux and Windows systems and prevents victims from accessing their files by encrypting them. BlackSuit appends the blacksuit file extension (‘[dot]blacksuit’) to the files it encrypts, changes the desktop wallpaper, creates and drops its ransom note (‘README[dot]BlackSuit[dot]txt’) into the directory, renames files, and lists its TOR chat site in the ransom note along with a unique ID for each of its victims. Its operators also set up a data leak site as part of their double extortion strategy to coerce victims into paying the ransom demand. 

The BlackSuit ransom note will make several claims, most notably that essential files have been encrypted and stored on a secure server; therefore, any financial reports, intellectual property, personal files, and other sensitive data have been compromised. Currently, there is no known public decryptor for BlackSuit ransomware available. Once the ransomware infects a system, it uses the FindFirstFileW() and FindNextFileW() API functions to enumerate the files and directories and initiate the encryption process. 

HC3 identified that the BlackSuit ransomware uses the Advanced Encryption Standard (AES) algorithm to encrypt files. AES is a symmetric encryption algorithm that is widely used for encrypting data. BlackSuit ransomware uses OpenSSL’s AES implementation for encryption, and leverages similar intermittent encryption techniques, encrypting only portions of each file, for fast and efficient encryption of victim files.
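As an added illustration (not code from the HC3 note or from any vendor analysis), the following Python script applies the indicators described above from a defender's side: it walks a directory tree much as the encryptor enumerates files, flags files carrying the ‘.blacksuit’ extension or the README.BlackSuit.txt note, and uses per-chunk Shannon entropy to spot files in which near-random and plaintext chunks alternate, the trace that intermittent encryption leaves behind. The chunk size, entropy thresholds and sample files are constructed assumptions.

```python
import math, os, pathlib, tempfile

# Indicators named in the HC3 note: the appended extension and the dropped ransom note.
BLACKSUIT_EXT = ".blacksuit"
RANSOM_NOTE = "README.BlackSuit.txt"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, English text sits around 4 to 5."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def looks_intermittently_encrypted(data: bytes, chunk=1024, high=7.0, low=5.0) -> bool:
    # Intermittent encryption leaves random-looking and plaintext chunks side by side.
    ents = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    return any(e >= high for e in ents) and any(e <= low for e in ents)

def scan_tree(root: str) -> dict:
    # os.walk plays the role FindFirstFileW/FindNextFileW play in the encryptor's own walk.
    found = {"renamed": [], "notes": [], "partially_encrypted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["notes"].append(path)
            elif name.endswith(BLACKSUIT_EXT):
                found["renamed"].append(path)
            elif looks_intermittently_encrypted(pathlib.Path(path).read_bytes()):
                found["partially_encrypted"].append(path)
    return found

def build_sample_tree(root: str) -> None:
    # Constructed fixture, not victim data: a block with every byte value equally often
    # has exactly 8.0 bits/byte and stands in for ciphertext (no real encryption here).
    text = (b"quarterly revenue figures for the HPH division\n" * 40)[:1024]
    cipher = bytes(range(256)) * 4
    samples = {
        "budget.txt": text * 4,                          # untouched plaintext
        "ledger.xlsx": cipher + text + cipher + text,    # intermittently encrypted
        "report.docx" + BLACKSUIT_EXT: cipher * 4,       # renamed, fully encrypted
        RANSOM_NOTE: b"constructed stand-in for the ransom note text\n",
    }
    for name, content in samples.items():
        pathlib.Path(root, name).write_bytes(content)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in scan_tree(tmp).items()}
```

A fully encrypted file that keeps its original name is not caught by the entropy heuristic, which only fires on the mixed high/low pattern; pairing it with the extension and note checks covers that gap.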

The agency assessed that the cybercriminals may distribute BlackSuit ransomware through email attachments that contain infected links or macros. Users who open these attachments or enable macros can inadvertently trigger the execution of the ransomware on their system. BlackSuit ransomware can be embedded into torrent files, which are commonly used for downloading and sharing files through peer-to-peer networks. When users download and open these infected torrent files, their systems can become infected with the ransomware.

Additionally, malicious ads, also known as malvertising, can be used as a method to distribute BlackSuit ransomware. Users who click on these ads may be redirected to websites that automatically download and install the ransomware on their system. BlackSuit ransomware can be delivered through Trojans, which are malicious programs that can download and install other types of malware, including ransomware. Trojans can be distributed through various means, such as phishing emails, fake software updates, or compromised websites.

Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources toward establishing a strong defense strategy, the HC3 proposed. Some of the agency’s recommendations include creating an inventory of assets and data, identifying authorized and unauthorized devices and software, conducting audits of event and incident logs, and managing hardware and software configurations. 

Entities must also grant administrative privileges and access only when necessary, monitor network ports, protocols, and services, establish a whitelist of approved software applications, implement measures for data protection, backup, and recovery, enable multi-factor authentication (MFA), deploy up-to-date security solutions across all system layers, and remain vigilant for early indications of an attack. 

Earlier this month, the HC3 issued a warning to the HPH sector regarding the potential threat posed by the 8Base ransomware gang. This group has been active since March 2022, but its activity has significantly increased in 2023, with a focus on targeting various sectors in the U.S. The agency has also observed that the group has been involved in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups.
