Category | Details |
---|---|
Threat Actors | Ignoble Scorpius (formerly Royal ransomware, also tied to Conti) |
Campaign Overview | Increased activity from March 2024 under the BlackSuit ransomware rebrand, affecting at least 93 victims globally. Operates a dark web leak site for extortion. |
Target Regions | Majority in the United States; minor activity in the UK, Belgium, Germany, Italy, and Australia. |
Methodology | Initial access via phishing, SEO poisoning, stolen VPN credentials, and supply chain attacks. Credential theft with tools such as Mimikatz and NanoDump. Lateral movement over RDP and SMB and with PsExec. EDR evasion with the STONESTOP and POORTRY tooling. |
Products Targeted | Windows systems and Linux hosts (including VMware ESXi servers); victims concentrated in sectors such as education, construction, manufacturing, and retail. |
Malware Reference | BlackSuit ransomware (rebranded from Royal), with Windows and Linux variants. |
Tools Used | Cobalt Strike, SystemBC, Mimikatz, NanoDump, Impacket, WinRAR, Rclone, Bublup, PsExec, Windows Restart Manager. |
Vulnerabilities Exploited | Credential dumping from LSASS memory and NTDS.dit; abuse of vulnerable drivers for EDR evasion; delivery of malicious files through SEO poisoning and phishing. |
TTPs | Initial Access (T1566.001, T1608.006, T1078, T1566.004, T1195.002), Credential Dumping (T1003.001, T1003.006, T1557, T1558.002, T1003.003), Lateral Movement (T1021.001, T1021.002, T1570), Encryption (T1486), Data Exfiltration (T1048, T1567.002), EDR Evasion (T1562.001). |
Attribution | Likely continuity from Conti and Royal ransomware members, exhibiting high sophistication and a preference for large organizations (median victim revenue: $19.5M). |
Recommendations | Conduct proactive threat hunting; deploy Cortex XDR and Next-Generation Firewalls; maintain current, tested backups; perform ransomware readiness assessments; map defenses to the MITRE ATT&CK framework. |
Source | Palo Alto Networks. |
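The Methodology, Tools Used and TTPs rows describe a chain that a hunter can look for in endpoint telemetry: credential dumping (Mimikatz, NanoDump), lateral movement (PsExec) and exfiltration (Rclone), each tied to the ATT&CK IDs the summary lists. The script below is an added example written for this page, not code from Unit 42 or Palo Alto Networks; it parses a constructed, simplified process-creation log (timestamp, host, user, image path, a format assumed for the example), tags matching images with the page's technique IDs, and reports per host whether the three stages appeared in order within a time window. Only tool names and IDs taken from the table above are used; the window length and log format are assumptions.

```python
"""Hunt process-creation logs for the credential-dumping -> lateral-movement -> exfiltration
chain described in the BlackSuit / Ignoble Scorpius summary. Added example, not vendor code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Image names of tools named on the page, mapped to a stage and the ATT&CK ID the page lists.
# (PSEXESVC.exe is the service binary PsExec drops on the remote host.)
TOOL_STAGES = {
    "mimikatz.exe": ("credential_dumping", "T1003.001"),
    "nanodump.exe": ("credential_dumping", "T1003.001"),
    "psexec.exe":   ("lateral_movement",   "T1021.002"),
    "psexesvc.exe": ("lateral_movement",   "T1021.002"),
    "rclone.exe":   ("exfiltration",       "T1567.002"),
}
STAGE_ORDER = ["credential_dumping", "lateral_movement", "exfiltration"]

# Constructed sample log (assumed format: "<ISO timestamp> host=<h> user=<u> image=<path>").
SAMPLE_LOG = [
    "2024-03-05T08:55:00 host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe",
    "2024-03-05T09:00:00 host=WS01 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimikatz.exe",
    "2024-03-05T09:40:00 host=WS01 user=CORP\\jdoe image=C:\\Tools\\PsExec.exe",
    "2024-03-05T11:15:00 host=WS01 user=CORP\\jdoe image=C:\\ProgramData\\rclone.exe",
    "2024-03-05T10:05:00 host=SRV02 user=CORP\\svc_backup image=C:\\Backup\\rclone.exe",
    "2024-03-05T10:10:00 host=FS03 user=CORP\\svc_backup image=C:\\Windows\\System32\\svchost.exe",
]


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_str), **fields}


def classify(event):
    """Return (stage, technique_id) if the image's basename is a known tool, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    return TOOL_STAGES.get(image)


def _full_chain(hits, window):
    """True if each stage in STAGE_ORDER appears after the previous one and the whole
    sequence fits inside `window`, measured from the first credential-dumping hit."""
    t_prev = t_start = None
    for stage in STAGE_ORDER:
        nxt = next((ts for ts, s, _, _ in hits if s == stage and (t_prev is None or ts >= t_prev)), None)
        if nxt is None:
            return False
        if t_start is None:
            t_start = nxt
        elif nxt - t_start > window:
            return False
        t_prev = nxt
    return True


def hunt(lines, window=timedelta(hours=6)):
    """Return {host: {"stages": [...], "techniques": [...], "full_chain": bool}} for every
    host on which at least one of the page's tools was observed."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((ev["ts"], hit[0], hit[1], ev["image"]))
    findings = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological order within the host
        findings[host] = {
            "stages": sorted({h[1] for h in hits}, key=STAGE_ORDER.index),
            "techniques": sorted({h[2] for h in hits}),
            "full_chain": _full_chain(hits, window),
        }
    return findings


if __name__ == "__main__":
    for host, f in hunt(SAMPLE_LOG).items():
        flag = "FULL CHAIN" if f["full_chain"] else "partial"
        print(f"{host}: {flag} stages={f['stages']} techniques={f['techniques']}")
```

In the constructed sample, WS01 shows all three stages inside the window and is reported as a full chain, SRV02 shows only an rclone execution (worth triage on its own, since Rclone is named as the group's exfiltration tool, but not the full sequence), and FS03 produces no finding. In real telemetry the image-name match should be complemented with hash and command-line checks, since renaming the binary defeats a basename lookup.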
Read the full article: https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
Disclaimer: The above summary has been generated by an AI language model.