Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware

Threat actors: Ignoble Scorpius, the operators of BlackSuit ransomware (the rebrand of Royal ransomware; the group is believed to include former Conti members).

Campaign overview: Activity increased from March 2024 under the BlackSuit rebrand, with at least 93 victims claimed globally. The group runs a dark web leak site for extortion.

Target regions: The majority of victims are in the United States, with smaller numbers in the United Kingdom, Belgium, Germany, Italy, and Australia.

Methodology: Initial access via phishing, SEO poisoning, stolen VPN credentials, and supply chain compromise. Credential theft with Mimikatz and NanoDump. Lateral movement over RDP and SMB and with PsExec. EDR evasion with the STONESTOP loader and the POORTRY signed kernel driver.

Targets: Windows hosts and Linux systems, including VMware ESXi hypervisors. The most affected sectors are education, construction, manufacturing, and retail.

Malware reference: BlackSuit ransomware (rebranded from Royal), with Windows and Linux variants.

Tools used: Cobalt Strike, SystemBC, Mimikatz, NanoDump, Impacket, WinRAR, Rclone, Bublup, and PsExec. The encryptor also uses the Windows Restart Manager API (a built-in Windows component, not a separate tool) to close processes that hold target files open before encrypting them.

Vulnerabilities exploited: No specific CVEs are listed. The techniques are credential dumping from LSASS memory and the NTDS.dit database, loading a malicious signed kernel driver to disable EDR, and delivery of malicious files via SEO poisoning and phishing.

TTPs (MITRE ATT&CK): Initial Access: T1566.001 (Spearphishing Attachment), T1608.006 (SEO Poisoning), T1078 (Valid Accounts), T1566.004 (Spearphishing Voice), T1195.002 (Compromise Software Supply Chain). Credential Access: T1003.001 (LSASS Memory), T1003.006 (DCSync), T1557 (Adversary-in-the-Middle), T1558.002 (Silver Ticket), T1003.003 (NTDS). Lateral Movement: T1021.001 (RDP), T1021.002 (SMB/Windows Admin Shares), T1570 (Lateral Tool Transfer). Impact: T1486 (Data Encrypted for Impact). Exfiltration: T1048 (Exfiltration Over Alternative Protocol), T1567.002 (Exfiltration to Cloud Storage). Defense Evasion: T1562.001 (Disable or Modify Tools).

Attribution: Likely continuity with Conti and Royal ransomware operators. The group is highly capable and prefers large organizations (median victim revenue of about $19.5 million).

Recommendations: Unit 42 recommends proactive threat hunting, deploying Cortex XDR and Next-Generation Firewalls, maintaining up-to-date backups, conducting ransomware readiness assessments, and mapping defenses to the MITRE ATT&CK framework.

Source: Palo Alto Networks Unit 42.
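The methodology and TTP rows above are a hunting checklist, so here is a small example of turning them into detection logic. This is an added illustration, not Unit 42 code or a published rule set: the event field names (host, user, image, cmdline), the regular expressions, and the sample process-creation events are all constructed for the example, and the patterns are deliberately broad heuristics keyed to the tools named on this page (NanoDump/Mimikatz LSASS dumps, NTDS.dit extraction, Impacket DCSync, PsExec over SMB, Rclone to cloud storage, and a kernel driver service install of the STONESTOP/POORTRY kind). Each hit carries the ATT&CK ID from the table so results can be grouped per host.

```python
"""Hunt process-creation telemetry for Ignoble Scorpius / BlackSuit tradecraft.

Added example (not Unit 42 code). Field names, regexes and sample events are
constructed assumptions; tune the patterns to your own telemetry before use.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str          # human-readable description of the behaviour
    technique: str     # MITRE ATT&CK ID as listed in the summary above
    pattern: re.Pattern  # matched against "<image> <cmdline>" of one event


# Broad heuristics for the tooling named in the threat assessment.
RULES = (
    Rule("LSASS credential dump (Mimikatz/NanoDump)", "T1003.001",
         re.compile(r"mimikatz|nanodump|sekurlsa::|lsass\.dmp", re.I)),
    Rule("NTDS.dit extraction", "T1003.003",
         re.compile(r"ntdsutil.*\bifm\b|ntds\.dit", re.I)),
    Rule("DCSync via Impacket secretsdump or Mimikatz", "T1003.006",
         re.compile(r"secretsdump|lsadump::dcsync", re.I)),
    Rule("PsExec / SMB admin share lateral movement", "T1021.002",
         re.compile(r"psexe(c|svc)|wmiexec|smbexec|\\\\[\w.-]+\\admin\$", re.I)),
    Rule("Rclone exfiltration to cloud storage", "T1567.002",
         re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    Rule("Kernel driver service install (STONESTOP/POORTRY-style EDR kill)", "T1562.001",
         re.compile(r"sc(\.exe)?\s+create\b.*type=\s*kernel", re.I)),
)

# Constructed sample events: one benign process and five matching the rules.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\nd.exe",
     "cmdline": r"nd.exe --write C:\Windows\Temp\lsass.dmp"},
    {"host": "DC01", "user": "svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\x" q q'},
    {"host": "FS02", "user": "admin", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\FS03 -s cmd.exe"},
    {"host": "FS02", "user": "admin", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:backup --transfers 32"},
    {"host": "FS02", "user": "admin", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create svcdrv type= kernel binPath= C:\Windows\Temp\drv.sys"},
]


def hunt(events):
    """Return one hit dict per (event, rule) match, tagged with the ATT&CK ID."""
    hits = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmdline']}"
        for rule in RULES:
            if rule.pattern.search(haystack):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": rule.name, "technique": rule.technique})
    return hits


def summarize(hits):
    """Group distinct techniques per host; a host tripping several distinct
    techniques (credential theft plus exfil plus EDR tampering) is the one to
    triage first."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(techs) for host, techs in per_host.items()}


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']:5} {hit['user']:11} {hit['technique']}  {hit['rule']}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

In real telemetry you would feed Sysmon Event ID 1 or EDR process-creation records into hunt() instead of the constructed list, and treat the per-host grouping as the prioritisation signal: FS02 in the sample trips lateral movement, exfiltration and driver installation together, which is the intrusion-chain shape described in the methodology row rather than three unrelated alerts.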

Read full article: https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/

Disclaimer: The above summary has been generated by an AI language model

Published on: November 20, 2024
