
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

BlackSuit Ransomware Poses a Credible Threat to the HPH Sector

The Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note about BlackSuit ransomware, a new ransomware group believed to pose a credible threat to the healthcare and public health (HPH) sector.

Security researchers have identified several similarities between BlackSuit ransomware and Royal ransomware. Royal has actively targeted the HPH sector, as did the Conti ransomware group that Royal is believed to have replaced. BlackSuit has already been used in at least one attack on the HPH sector, in October this year, so it is fair to assume that it will be used in further attacks on the sector. That attack was on a provider of medical scans and radiology services to more than 1,000 hospitals in 48 states.

Like many other ransomware operations, BlackSuit ransomware is used in double extortion attacks, where sensitive data is exfiltrated before file encryption and ransoms must be paid to prevent the release of the stolen data as well as to decrypt the encrypted files. So far, BlackSuit ransomware has only been used in a limited number of attacks; however, activity could be ramped up at any point.

BlackSuit ransomware is believed to be a private group rather than a ransomware-as-a-service operation, and because of the links with Royal and Conti, the operation is thought to be run by individuals with experience in conducting ransomware attacks. Some cybersecurity researchers have suggested BlackSuit may be a rebrand of Royal ransomware, which conducted a major attack on a Texas city in May 2023 that attracted considerable media and law enforcement attention. BlackSuit first appeared shortly after that attack. Royal is still operational, but since BlackSuit has not been extensively used to date, the rebrand theory has not been discounted.


Windows and Linux variants of BlackSuit have been detected and, like Royal ransomware, they use OpenSSL’s AES for encryption. The ransomware uses intermittent encryption techniques, which are more efficient and allow files to be encrypted faster. Given the low number of detected attacks, it is difficult to tell which attack methods are favored by the group. The distribution methods most likely to be used are email attachments containing macros, embedding the ransomware in torrent files, malicious adverts (malvertising), and delivery via other malware variants such as Trojans, droppers, and downloaders, which are commonly distributed via compromised websites, fake software updates, and phishing emails.

The HC3 Analyst Note details the MITRE ATT&CK techniques used by the group, Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses. HC3 has also recommended reporting any suspected attacks to the local Federal Bureau of Investigation (FBI) field office and the FBI Internet Crime Complaint Center (IC3).

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
