Investigating BlackSuit Ransomware’s Similarities to Royal
Its operators also set up a data leak site as part of their two-pronged extortion strategy to coerce victims into paying the ransom demand. Note that there is just a single victim currently listed on the leak site as of the time of writing.
One of the BlackSuit ransomware samples we analyzed is an x64 ESXi version targeting Linux machines. An earlier post on Twitter revealed that YARA rules designed for BlackSuit’s Linux variant matched samples of the Royal ransomware Linux variant.
After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other. In fact, they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.
Further analysis found that BlackSuit employs command-line arguments that have a similar function to those used by Royal. However, there are some differences: The strings used in the arguments are different, with BlackSuit also including additional arguments not found in Royal.
Table 1. A comparison of arguments for the Linux versions of BlackSuit and Royal
Meanwhile, the skip argument is used to indicate a text file that contains a list of folders to be skipped.
During file enumeration and encryption, each respective ransomware family avoids files with the following extensions and filenames:
Table 2. List of extensions and filenames skipped by both BlackSuit and Royal
BlackSuit ransomware targets the following extensions if the –allfiles argument is not provided:
- .vmem
- .vmdk
- .nvram
- .vmsd
- .vmsn
- .vmss
- .vmtm
- .vmxf
- .vmxf
- .vmx
The binaries for both BlackSuit and Royal use OpenSSL’s AES for encryption and employ similar intermittent encryption techniques to accelerate the encryption of the victim’s files.
Both BlackSuit and Royal prepare the files for encryption by rounding up the file size to the nearest multiple of 16, after which 41 bytes are added, possibly to account for the encryption header and other metadata.
Next, a check is performed for the file being encrypted to determine if it has a size that is greater than 0x40000h (approximately 262KB). If this condition is met, it will use the value set using -percent, which is represented here by the i_ep variable. If not, it will use the default, which is 100.
The number of bytes to be used for intermittent encryption is then calculated using the same formula found in the Linux version of Royal ransomware:
|
The file size is again checked to calculate the amount of space to be allocated for the data and metadata. Finally, the keys to be used for encryption are prepared.
In the case of BlackSuit, as we previously mentioned, it appends the extension “.blacksuit” to encrypted files and drops a ransom note in the directory where the files are located.
In addition to the Linux-based sample, we also analyzed a Windows 32-bit version of BlackSuit, which also exhibits significant similarities with its Royal ransomware counterpart (93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff).
Our analysis found that BlackSuit accepts the following command-line arguments:
Table 3. A comparison of arguments for the Win32 versions of BlackSuit and Royal
While BlackSuit introduces different argument strings compared to Royal, their purpose remains similar. BlackSuit combines arguments from various Windows versions of Royal Ransomware, while also introducing new arguments such as “-delete” and “-list” that are specific to itself.
The –delete argument uses the following command to continuously check for the existence of its file by looking for the filename:
|
cmd /v/c “set f={Malware File Name}&for /l %l in () do if exist !f! (del /f/a “!f!”) else (exit)” |
If the file is found, it is immediately deleted. The command keeps running indefinitely until the file is deleted, at which point the loop will exit.
The -list argument is used to specify a text file containing target directories to encrypt. It loads the file using ReadFileFAPI then places the contents of the text file in a buffer. Note that the loaded text file is a sample text file we used for testing and not the format of the text file that will be loaded in an actual attack.
if –disablesafeboot is passed as an argument, it removes the “safeboot” value from the current boot entry in the Boot Configuration Data (BCD) and performs an immediate system restart via the following command:
|
“%System%\bcdedit.exe” /deletevalue {current} safeboot |
When encrypting network shares using the -network argument, BlackSuit will check if the IP address begins with the following numbers to ensure that it is encrypting local systems:
- 192.168.
- 10.
- 100.
- 172.
It avoids encrypting files with the following strings in their file path:
Table 4. Royal and BlackSuit avoid encrypting files that have these strings
Table 5. Royal and BlackSuit avoid encrypting files that contain these extensions
BlackSuit ransomware also deletes shadow copies using the following command:
|
“%System%\vssadmin.exe” Delete Shadows /All /Quiet |
The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.
One possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.
Whatever the case may be, the emergence of another ransomware like BlackSuit provides further evidence that threat actors will always try to look for more effective tools for their attacks, from modifying existing code to developing unique ransomware families, to profit from their victims. As such, both organizations and individual users should remain vigilant when it comes to protecting their files and data from ransomware attacks.
Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. Here are some recommendations:
- Create an inventory of assets and data
- Identify authorized and unauthorized devices and software
- Conduct audits of event and incident logs
- Manage hardware and software configurations
- Grant administrative privileges and access only when necessary
- Monitor network ports, protocols, and services
- Establish a whitelist of approved software applications
- Implement measures for data protection, backup, and recovery
- Enable multifactor authentication (MFA)
- Deploy up-to-date security solutions across all system layers
- Remain vigilant for early indications of an attack
By adopting a multi-pronged approach to securing potential entry points, such as endpoints, emails, websites, and networks, organizations can detect and defend against malicious elements and suspicious activities, effectively safeguarding themselves from ransomware attacks.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
- Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
Read More HERE
