Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius. Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries.
The group describes themselves as an "extortioner named BlackSuit" and claims to reverse file encryption for "quite a small compensation essentially." Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization's annual revenue. As of the date of this report, the median victim revenue across all industries is roughly $19.5 million, making the ransom payout quite significant for all organizations.
This threat assessment includes details identified during routine threat research activities, incident response cases and collaboration with the Unit 42 Managed Threat Hunting team.
This report maps the group's activity to the MITRE ATT&CK® framework in a dedicated section below, which organizations can use to assess their coverage of threats posed by Ignoble Scorpius, pre- and post-compromise.
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
BlackSuit ransomware emerged in May 2023 as a rebrand of the Royal ransomware. Unit 42 Threat Intelligence assesses that the group behind this threat is a direct evolution of Royal, and as such we track the group under the same moniker, Ignoble Scorpius.
Much like the operations as Royal ransomware, BlackSuit operates a dark web leak site where they publish their victims' names and stolen data to extort them into paying a ransom. Figure 1 shows an excerpt of this site.
Since the rebrand, Unit 42 has observed at least 93 victims globally and an upward trend in the number of successful compromises shared on their leak site. This suggests an overall ramping up of operations. Figure 2 below details the monthly total leak site posts from Ignoble Scorpius as BlackSuit.
The number of organizations truly impacted by the group is likely higher, as organizations can pay their ransom before ransomware operators post details on their leak sites to avoid reputational damage.
The median revenue of these victims was $19.5 million, which highlights the average size of organizations that the group has successfully targeted. Based on ransom negotiations observed by Unit 42, we can also estimate that the group's initial ransom demand is equal to about 1.6% of the victim organization's annual revenue.
Breaking down the 93 victims by sector indicates a preference for the education, construction and manufacturing sectors, as shown in Figure 3 below.
Finally, as with many ransomware groups, Ignoble Scorpius' victims are overwhelmingly based in the United States, as shown below in Figure 4.
The following sections highlight tactics, techniques and procedures (TTPs) observed from Ignoble Scorpius during BlackSuit incident response investigations Unit 42 conducted. Similar findings have also been shared by researchers at ReliaQuest and The DFIR Report.
Initial access for Ignoble Scorpius, and ransomware groups in general, can be highly varied due to the prevalence of initial access brokers (IABs) who sell stolen credentials or other forms of access to organizations. While some threat actors obtain initial access on their own, others require the expertise of IABs to gain entry into a compromised network.
During an incident response investigation, delineating between the TTPs of a suspected IAB or the ransomware group is not always possible. Within Ignoble Scorpius' ransomware cases, Unit 42 has observed many different initial access methods, including:
Unit 42 has observed Ignoble Scorpius using common credential theft tools, such as Mimikatz and NanoDump, which is "a flexible tool that creates a minidump of the LSASS process." Techniques observed include:
Once they have obtained sufficiently privileged accounts (i.e., domain administrator on Windows systems), Ignoble Scorpius has been observed dumping the NTDS.dit file via ntdsutil (T1003.003) to compromise the domain controller.
Unit 42 has observed Ignoble Scorpius making use of RDP (T1021.001), SMB (T1021.002) and PsExec (T1570) to move laterally across systems.
Unit 42 has observed Ignoble Scorpius and other ransomware groups making use of a vulnerable driver and loader, which are called STONESTOP and POORTRY by Mandiant. They use these tools to disable and evade antivirus and EDR solutions (T1562.001).
Ignoble Scorpius has used various commonly available software and services to exfiltrate victim data. We observed WinRAR and 7-Zip being used to compress and stage files prior to exfiltration, after which attackers used WinSCP over FTP and Rclone to exfiltrate files. In at least one instance, attackers renamed Rclone to svchost.exe prior to execution (T1048).
Unit 42 has also observed Ignoble Scorpius using a third-party project management application named Bublup to exfiltrate files (T1567, T1567.002). Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product is flawed or malicious.
As Ignoble Scorpius' goal is to encrypt and ransom a victim's files, the primary payload of their campaigns is the BlackSuit ransomware. During incident response investigations involving BlackSuit, Unit 42 has also observed attackers using other tools for persistent access and the execution of arbitrary commands.
These additional tools include Cobalt Strike and SystemBC. In these cases it was not possible to identify whether Ignoble Scorpius or an IAB deployed the tools.
The final ransomware payload has Windows and Linux operating system variants with specific functionality to target VMware ESXi servers in some Linux variants.
Unit 42's analysis of the Windows variant found that the execution of the malware required the command-line argument -id followed by a 32-character value. The ID identifies the victim and grants access to a private chat room on Ignoble Scorpius' dark website to negotiate the ransom. They provide the ID to the victim via the ransom note. An example ransom note is shown below:
Other command-line arguments for the Windows variant of BlackSuit malware are shown below in Table 1.
Table 1. BlackSuit Windows variant command-line arguments.
Analysis of BlackSuit ransomware from Trend Micro and SentinelOne in 2023 identified more command-line flags than are present in recent samples. This could be due to the ransomware group creating variants that target ESXi servers specifically, which we detail below, or a consolidation of functionality.
After the initial execution, the malware creates a mutual exclusion flag (aka mutex) with the value Global\WLm87eV1oNRx6P3E4Cy9 to prevent machines from being infected multiple times. As a result, the mutex chosen by Ignoble Scorpius needs to be a unique value that is not frequently changed. Unit 42 has observed attackers using this mutex as recently as June 2024, with open source highlighting its use as early as October 2023.
To ensure the encryption of as many files as possible, the ransomware enumerates and terminates a list of known processes and services (T1057). The ransomware also uses Windows Restart Manager (rstrtmgr.dll) to identify processes using files that would prevent encryption, terminating anything that isn't a critical process or the Windows File Explorer (explorer.exe). This is a technique commonly used by ransomware payloads.
To execute the ransomware payload, researchers at ReliaQuest observed Ignoble Scorpius downloading VirtualBox and creating a virtual machine (VM) (T1564.006). They copied the ransomware payload from the VM using PsExec (T1570) to "hundreds of hosts via SMB" (T1021.002). They then used Windows Management Instrumentation Command-line (WMIC) to load the ransomware as a library to execute it. This is a technique that Unit 42 has also observed from the group (T1047, T1218.010).
The ransomware then enumerates available files (T1083) and encrypts them using OpenSSL AES, adding the extension .blacksuit to the encrypted file's name (T1486).
The ESXi variant, a Linux-based executable, targets virtual machines and introduces two more command-line flags:
If the -crypt_all flag is not set, the following files relating to VMware are encrypted:
Our analysis indicates that BlackSuit is a direct continuation of the activity under Royal, and as such we have opted to continue tracking the group under the same identifier as Royal, Ignoble Scorpius. The true effectiveness of rebranding is difficult to quantify. However, it can offer ransomware groups a respite from the scrutiny of researchers, law enforcement and the media.
A more subtle effect of rebranding is the perception it can have on defenders. For example, BlackSuit's predecessor Royal and their predecessor Conti were some of the most reported and sophisticated ransomware groups while active.
As a result, organizations who were looking to assess their exposure to ransomware at the time could have looked toward the most prolific ransomware groups and attempted to cater their defensive solutions toward them. Rebranding resets this perception, and if it is accompanied with a shift in the group's TTPs, it can place defenders on their back foot.
This is one of the primary reasons we chose to highlight Ignoble Scorpius' BlackSuit ransomware in this report. Although the group as BlackSuit might not yet reach the top 10 list of ransomware groups by number of compromises, this group has the following qualities:
This report maps the group's activity to the MITRE ATT&CK framework in the section below. Organizations can use this information to assess their coverage of threats posed by Ignoble Scorpius, pre- and post-compromise.
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Table 2 below depicts the MITRE ATT&CK TTPs mapping for techniques referenced in this report.
Table 2. MITRE ATT&CK techniques.
This section documents relevant TTPs used by Ignoble Scorpius and maps them directly to Palo Alto Networks Cortex XQL queries. These queries detect renamed tools with Cortex XDR.
Like many ransomware actors, Ignoble Scorpius likes to rename their Portable Executable (PE) files. For example, rather than execute a tool such as Rclone as rclone.exe, the actor might rename it to something else, such as svchost.exe.
In the case mentioned above, a query for action_process_image_name = "rclone.exe" in Cortex XDR's Query Language (XQL) will fail. However, Cortex XDR can identify these files even if they've been renamed.
When a PE is compiled, it often includes a resource called VERSIONINFO. This resource can contain the original file name, the company that produced the software, and more. Though ransomware actors can rename executables, they rarely alter the VERSIONINFO resource.
We can extract the VERSIONINFO from PEs that run on a host using Cortex XDR with the action_process_file_info field in the ENUM.PROCESS filter set, shown in the following XQL query snippet.
Table 3 below highlights data from the VERSIONINFO resource, which is extracted for running processes by the above query.
Table 3. Ignoble Scorpius data extraction.
Once the VERSIONINFO data has been extracted, XQL can then be used to filter on known version info values from executables. The following is an example filter set that will identify renamed versions of Rclone's default executable, rclone.exe.
Some of the Cortex XDR queries we've included in this report use the above method for identifying renamed executables.
Technique description: The query looks for wscript.exe making external connections upon executing a JavaScript (.js) file, which could be indicative of GootLoader activity. The query restricts results to user-based Downloads or Temp folders, as these are the directories most commonly associated with GootLoader infections.
Technique description: The query looks for signs of Impacket framework execution, especially relating to smbexec and wmiexec. It focuses on the default PowerShell string used for command execution on the remote host.
Technique description: The query looks for signs of Mimikatz or Rubeus executing within the environment. It takes into account renamed process image files by using PE metadata to identify VERSIONINFO data of executing processes.
Technique description: The query looks for a combination of identifiers related to the Cobalt Strike post-exploitation framework. Though the tool is used legitimately by pentesting, red teaming and emulation teams alike, threat actors such as BlackSuit also like to use the tool.
Technique description: The query looks for data exfiltration via Rclone, a tool used by BlackSuit to exfiltrate data from victim environments. It takes into account renamed process image files by using PE metadata to identify VERSIONINFO data of executing processes.
Technique description: The query looks for deletion of shadow copies using a specific vssadmin.exe command associated with the BlackSuit encryptor.
Technique description: The query looks for the mutex created by the BlackSuit encryptor. This mutex is created and checked upon execution to ensure no more than a single encryptor runs at one time.
Technique description: The query looks for files encrypted with the .blacksuit file suffix, which indicates the BlackSuit encryptor has encrypted the file.
Technique description: The query looks for known names of the BlackSuit encryptor's ransomware notes.
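As an added example (not Unit 42's or Cortex XDR's own code), the following Python implements the renamed-executable check from the VERSIONINFO discussion above together with the vssadmin, mutex and .blacksuit detections from the technique descriptions, run over constructed telemetry events. The simplified event field names and the vssadmin command pattern are assumptions, since the report gives neither the XQL field values nor the exact vssadmin command.

```python
import re

# Compiled-in OriginalFilename values for tools the report names; actors rename the
# on-disk file but rarely touch the VERSIONINFO resource, so this field still matches.
KNOWN_TOOLS = {"rclone.exe": "Rclone", "mimikatz.exe": "Mimikatz"}
BLACKSUIT_MUTEX = r"Global\WLm87eV1oNRx6P3E4Cy9"  # mutex value given in the report
ENCRYPTED_EXT = ".blacksuit"                       # extension appended to encrypted files
# Typical shadow-copy deletion syntax; the report does not give the exact command (assumption).
VSSADMIN_DELETE = re.compile(r"delete\s+shadows", re.IGNORECASE)


def detect(events):
    """Return (rule, detail) findings for a list of simplified telemetry event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image_name"].lower()
            orig = ev.get("version_info", {}).get("OriginalFilename", "").lower()
            # Renamed tool: on-disk image name differs from the compiled-in OriginalFilename
            if orig in KNOWN_TOOLS and orig != image:
                findings.append(("renamed_tool", f"{KNOWN_TOOLS[orig]} running as {image}"))
            elif orig in KNOWN_TOOLS:
                findings.append(("known_tool", f"{KNOWN_TOOLS[orig]} running as {image}"))
            if image == "vssadmin.exe" and VSSADMIN_DELETE.search(ev.get("command_line", "")):
                findings.append(("shadow_copy_deletion", ev["command_line"]))
        elif ev["type"] == "mutex" and ev["name"] == BLACKSUIT_MUTEX:
            findings.append(("blacksuit_mutex", ev["image_name"]))
        elif ev["type"] == "file_write" and ev["path"].lower().endswith(ENCRYPTED_EXT):
            findings.append(("blacksuit_extension", ev["path"]))
    return findings


# Constructed sample telemetry (not real case data): Rclone renamed to svchost.exe, a
# legitimate svchost.exe, a shadow-copy deletion, the BlackSuit mutex and an encrypted file.
SAMPLE_EVENTS = [
    {"type": "process", "image_name": "svchost.exe",
     "version_info": {"OriginalFilename": "rclone.exe"}},
    {"type": "process", "image_name": "svchost.exe", "command_line": "svchost.exe -k netsvcs",
     "version_info": {"CompanyName": "Microsoft Corporation", "OriginalFilename": "svchost.exe"}},
    {"type": "process", "image_name": "vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet", "version_info": {}},
    {"type": "mutex", "name": r"Global\WLm87eV1oNRx6P3E4Cy9", "image_name": "update.exe"},
    {"type": "file_write", "path": "C:\\Users\\Public\\report.docx.blacksuit"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

The legitimate svchost.exe event produces no finding because its OriginalFilename matches its image name and is not a known tool.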