| Key Detail | Information |
|---|---|
| Threat Actors | Ignoble Scorpius (formerly Royal ransomware group) |
| Campaign Overview | Ramp-up of BlackSuit ransomware activity starting in March 2024, targeting at least 93 victims globally with a focus on construction and manufacturing industries. |
| Target Regions / Victims | Primarily the United States; other affected countries include the United Kingdom, Belgium, Germany, Italy, and Australia. |
| Methodology | Phishing, SEO poisoning, abuse of VPN credentials, and software supply chain attacks. |
| Product Targeted | Ransomware (BlackSuit), targeting Windows and Linux systems, including VMware ESXi servers. |
| Malware Reference | BlackSuit ransomware (Windows and Linux variants) |
| Tools Used | Mimikatz, NanoDump, Cobalt Strike, SystemBC, Rclone, WinRAR, 7-Zip, PsExec, and Impacket; lateral movement and remote access over SMB, RDP, and VPN. |
| Vulnerabilities Exploited | Credential theft and abuse of RDP, SMB, and VPN access. |
| TTPs | Initial Access (phishing, SEO poisoning, VPN abuse), Credential Access (Mimikatz), Privilege Escalation, Lateral Movement (RDP, SMB), Exfiltration (Rclone, WinRAR), Defense Evasion (STONESTOP, POORTRY). |
| Attribution | Ignoble Scorpius, rebranded from Royal ransomware group. |
| Recommendations | Employ proactive threat hunting, harden network defenses against common ransomware techniques, use Cortex XDR, XSIAM, and Next-Generation Firewalls for detection, and use cloud-delivered security services. |
| Source | Unit 42, Palo Alto Networks. |
Read full article: Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
Disclaimer: The above summary has been generated by an AI language model.