#StopRansomware: Blacksuit (Royal) Ransomware | CISA
style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#email" /> </svg> </a> </div> </div> </div> </div> </div> </div> </div> <main id="main" class="c-main" role="main" tabindex="-1"> <div class="l-content"> <div class="is-promoted l-full"> <div class="l-full__header"> <div class="c-page-title"> <div class="c-page-title__inner l-constrain"> <div class="c-page-title__row"> <div class="c-page-title__content"> <div class="c-page-title__meta">Cybersecurity Advisory</div> <h1 class="c-page-title__title"> <span>#StopRansomware: Blacksuit (Royal) Ransomware</span> </h1> <div class="c-page-title__fields"> <div class="c-field c-field--name-field-last-updated c-field--type-datetime c-field--label-above"> <div class="c-field__label">Last Revised</div><div class="c-field__content"><time datetime="2024-08-27T12:00:00Z">August 27, 2024</time></div></div> <div class="c-field c-field--name-field-alert-code c-field--type-string c-field--label-above"> <div class="c-field__label">Alert Code</div><div class="c-field__content">AA23-061A</div></div> </div> <div class="c-page-title__topic"> <div class="c-topic__label"> Related topics: </div> <div class="c-top__topics"> <a href="/topics/cyber-threats-and-advisories">Cyber Threats and Advisories</a>, <a href="/topics/cyber-threats-and-advisories/incident-detection-response-and-prevention">Incident Detection, Response, and Prevention</a>, <a href="/topics/cyber-threats-and-advisories/malware-phishing-and-ransomware">Malware, Phishing, and Ransomware</a> </div> </div> </div> </div> <div class="c-page-title__decoration"></div> </div> </div> </div> <div class="l-full__main"> <div class="l-constrain l-page-section--rich-text"> <div class="c-key-takeaways l-page-section__content has-bg-image bg-image--csd-information"> <div class="c-key-takeaways__header"> <div class="c-key-takeaways__icon"> </div> <div class="c-key-takeaways__title"> <h4>Actions for Organizations to 
Take Today to Mitigate Cyber Threats Related to BlackSuit Ransomware Activity</h4> </div> </div> <div class="c-key-takeaways__content"> <ol> <li>Prioritize remediating known exploited vulnerabilities.</li> <li>Train users to recognize and report phishing attempts.</li> <li>Enable and enforce multifactor authentication.</li> </ol> </div> </div> </div> <div class="l-page-section l-page-section--rich-text"> <div class="l-constrain"> <div class="l-page-section__content"> <h2><strong>Summary</strong></h2> <p><em><strong>Note: </strong>This joint Cybersecurity Advisory is part of an ongoing </em><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware"><em>#StopRansomware</em></a><em> effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit </em><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware"><em>stopransomware.gov</em></a><em> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p> <p><strong>Note:</strong> This advisory, originally published March 2, 2023, has been updated four times:</p> <ul> <li><strong>November 13, 2023: </strong>The advisory was updated to share new Royal TTPs and IOCs.</li> <li><strong>August 7, 2024:</strong> The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. 
Updates and new content are noted.</li> <li><strong>August 14, 2024:</strong> The STIX files from the previous update (08/07/2024) were refreshed.</li> <li><strong>August 27, 2024:</strong> The STIX files from the (08/19/2024) update were refreshed.</li> </ul> <p><em><strong>(New August 7, 2024)</strong> </em>The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as of July 2024. BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities. </p> <p><em><strong>(Updated August 7, 2024)</strong></em> BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. </p> <p><em><strong>(Updated August 7, 2024)</strong></em> Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million. BlackSuit actors have exhibited a willingness to negotiate payment amounts. Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a <code>.onion</code> URL (reachable through the Tor browser) provided after encryption. 
Recently, an uptick was observed in the number of instances where victims received telephonic or email communications from BlackSuit actors regarding the compromise and ransom. BlackSuit uses a leak site to publish victim data based on non-payment.</p> <p>FBI and CISA encourage organizations to implement the recommendations found in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.</p> <p>Download the PDF version of this report:</p> <div class="c-file"> <div class="c-file__download"> <a href="/sites/default/files/2024-09/aa23-061a-stopransomware-blacksuit-royal-ransomware_5.pdf" class="c-file__link" target="_blank">AA23-061A #StopRansomware: BlackSuit (Royal) Ransomware</a> <span class="c-file__size">(PDF, 660.84 KB )</span> </div> </div> <p>For a downloadable copy of IOCs, see:</p> <div class="c-file"> <div class="c-file__download"> <a href="/sites/default/files/2023-03/aa23-061a.stix__0.xml" class="c-file__link" target="_blank">AA23-061A STIX XML (MAR 2023)</a> <span class="c-file__size">(XML, 114.26 KB )</span> </div> </div> <div class="c-file"> <div class="c-file__download"> <a href="/sites/default/files/2023-11/AA23-061A.stix_.xml" class="c-file__link" target="_blank">AA23-061A STIX XML (NOV 2023 Update)</a> <span class="c-file__size">(XML, 152.94 KB )</span> </div> </div> <div class="c-file"> <div class="c-file__download"> <a href="/sites/default/files/2023-11/AA23-061A_stopransomware_royal_ransomware_update.stix_.json" class="c-file__link" target="_blank">AA23-061A STIX JSON (NOV 2023 Update)</a> <span class="c-file__size">(JSON, 113.96 KB )</span> </div> </div> <div class="c-file"> <div class="c-file__download"> <a href="/sites/default/files/2024-08/AA23-061A-Aug-2024_2.stix_.xml" class="c-file__link" target="_blank">AA23-061A STIX XML (BlackSuit)</a> <span class="c-file__size">(XML, 242.82 KB )</span> </div> </div> <div class="c-file"> <div class="c-file__download"> <a 
href="/sites/default/files/2024-08/AA23-061A-StopRansomware-BlackSuit-Royal-Ransomware-Aug-2024_2.stix_.json" class="c-file__link" target="_blank">AA23-061A STIX JSON (BlackSuit)</a> <span class="c-file__size">(JSON, 162.62 KB )</span> </div> </div> <h2><strong>Technical Details</strong></h2> <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v15/matrices/enterprise/">MITRE ATT&CK<sup>®</sup></a><a href="https://attack.mitre.org/versions/v15/matrices/enterprise/" title="Enterprise Matrix"> for Enterprise</a> framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p> <h3>Initial Access</h3> <p>BlackSuit uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. 
This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection, and also significantly improves ransomware speed.[<a href="https://www.cybereason.com/blog/royal-ransomware-analysis" title="Royal Rumble: Analysis of Royal Ransomware">1</a>] In addition to encrypting files, BlackSuit actors also engage in double extortion tactics in which they threaten to publicly release the exfiltrated data if the victim does not pay the ransom.</p> <p>BlackSuit actors gain initial access to victim networks in several ways, including:</p> <ul> <li><strong>Phishing.</strong> According to third-party reporting, BlackSuit actors most commonly gain initial access to victim networks via phishing emails [<a href="https://attack.mitre.org/versions/v15/techniques/T1566/" title="Phishing">T1566</a>]. <ul> <li>According to open source reporting, victims have unknowingly installed malware that delivers BlackSuit ransomware after receiving phishing emails containing malicious PDF documents [<a href="https://attack.mitre.org/versions/v15/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a>] and malvertising [<a href="https://attack.mitre.org/versions/v15/techniques/T1566/002/" title="Phishing: Spearphishing Link">T1566.002</a>].[<a href="https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/" title="DEV-0569 finds new ways to deliver Royal ransomware, various payloads">2</a>]</li> </ul> </li> <li><strong>Remote Desktop Protocol (RDP).</strong> The second most common vector (around 13.3% of incidents) BlackSuit actors use for initial access is RDP compromise [<a href="https://attack.mitre.org/versions/v13/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a>]. </li> <li><strong>Public-facing applications. 
</strong>FBI has observed BlackSuit actors gain initial access through exploiting vulnerable public-facing applications [<a href="https://attack.mitre.org/versions/v15/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a>].</li> <li><strong>Brokers. </strong>Reports from trusted third-party sources indicate that BlackSuit actors may leverage initial access brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs [<a href="https://attack.mitre.org/versions/v15/techniques/T1650/" title="Acquire Access">T1650</a>].</li> </ul> <h3><strong>Command and Control</strong></h3> <p>Once BlackSuit actors gain access to a network, they communicate with command and control (C2) infrastructure and download multiple tools [<a href="https://attack.mitre.org/versions/v15/techniques/T1105/" title="Ingress Tool Transfer">T1105</a>]. Legitimate Windows software is repurposed by BlackSuit actors to strengthen their foothold within the victim’s network. Ransomware operators often use open source projects to aid their intrusion activities.</p> <p>Historically, Royal actors were observed leveraging <code>Chisel</code>, Secure Shell (SSH) client, PuTTY, OpenSSH, and MobaXterm [<a href="https://attack.mitre.org/versions/v15/techniques/T1572/" title="Protocol Tunneling">T1572</a>], to communicate with their C2 infrastructure.</p> <h3><strong>Lateral Movement and Persistence</strong></h3> <p><em><strong>(Updated August 7, 2024)</strong></em> Historically, Royal threat actors used RDP and legitimate operating system (OS) diagnostic tools to move laterally across a network [<a href="https://attack.mitre.org/versions/v15/techniques/T1021/001" title="Remote Services: Remote Desktop Protocol">T1021.001</a>]. 
BlackSuit actors have likewise used RDP and PsExec, but also use SMB [<a href="https://attack.mitre.org/versions/v15/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a>] to move laterally. In one confirmed case, BlackSuit actors used a legitimate admin account [<a href="https://attack.mitre.org/versions/v15/techniques/T1078/" title="Valid Accounts">T1078</a>] to remotely log on to the domain controller via SMB. Once on the domain controller, the threat actor deactivated antivirus software [<a href="https://attack.mitre.org/versions/v15/techniques/T1562/001/" title="Impair Defenses: Disable or Modify Tools">T1562.001</a>] by modifying Group Policy Objects [<a href="https://attack.mitre.org/versions/v15/techniques/T1484/001/" title="Domain or Tenant Policy Modification: Group Policy Modification">T1484.001</a>].</p> <p><em><strong>(Updated August 7, 2024)</strong></em> FBI observed BlackSuit actors using legitimate remote monitoring and management (RMM) software to maintain persistence in victim networks [<a href="https://attack.mitre.org/versions/v15/techniques/T1133" title="External Remote Services">T1133</a>]. </p> <p><em><strong>(New August 7, 2024)</strong></em> BlackSuit actors use SystemBC and Gootloader malware to load additional tools and maintain persistence.</p> <h3><strong>Discovery and Credential Access</strong></h3> <p><em><strong>(New August 7, 2024)</strong></em> BlackSuit actors have been observed using SharpShares and SoftPerfect NetWorx to enumerate victim networks. The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. 
Tools such as PowerTool and GMER are often used to kill system processes.</p> <h3><strong>Exfiltration</strong></h3> <p>BlackSuit actors exfiltrate data from victim networks by repurposing legitimate cyber penetration testing tools, such as <a href="https://attack.mitre.org/versions/v13/software/S0154/" title="Cobalt Strike">Cobalt Strike</a>, and malware tools/derivatives, such as <a href="https://attack.mitre.org/versions/v13/software/S0386/" title="Ursnif">Ursnif</a>/Gozi, for data aggregation and exfiltration. According to third-party reporting, BlackSuit actors’ first hop in exfiltration and other operations is usually a U.S. IP address. </p> <p><em><strong>(New August 7, 2024)</strong></em> BlackSuit actors also use RClone and Brute Ratel for exfiltration.</p> <h3><strong>Encryption</strong></h3> <p>Before starting the encryption process, BlackSuit actors:</p> <ul> <li>Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [<a href="https://attack.mitre.org/versions/v15/techniques/T1486/">T1486</a>].[<a href="https://www.cybereason.com/blog/royal-ransomware-analysis" title="Royal Rumble: Analysis of Royal Ransomware">1</a>]</li> <li>Use Windows Volume Shadow Copy service (<code>vssadmin.exe</code>) to delete shadow copies to inhibit system recovery.[<a href="https://www.cybereason.com/blog/royal-ransomware-analysis" title="Royal Rumble: Analysis of Royal Ransomware">1</a>]</li> </ul> <p>FBI has found numerous batch (<code>.bat</code>) files on impacted systems which are typically transferred as an encrypted 7zip file. 
Batch files create a new admin user [<a href="https://attack.mitre.org/versions/v15/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a>], force a group policy update, set pertinent registry keys to auto-extract [<a href="https://attack.mitre.org/versions/v15/techniques/T1119/" title="Automated Collection">T1119</a>] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [<a href="https://attack.mitre.org/versions/v15/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a>]. Registry Keys created can be modified and deleted to enable persistence on the victim’s system. </p> <p>Malicious files have been found in victim networks in the following directories:</p> <ul> <li><code>C:\Temp\</code></li> <li><code>C:\Users\&lt;user&gt;\AppData\Roaming\</code></li> <li><code>C:\Users\&lt;users&gt;\</code></li> <li><code>C:\ProgramData\</code></li> </ul> <p>The root <code>C:\</code> directory has also served as a storage location for malicious files. BlackSuit actors have been observed using legitimate software and open source tools during ransomware operations.</p> <h2><strong>Indicators of Compromise (IOCs)</strong></h2> <p>See <strong>Table 1</strong> through <strong>Table 5</strong> for Royal ransomware IOCs obtained by FBI during threat response activities as of January 2023.</p> <p><em><strong>(New November 13, 2023)</strong></em><strong> </strong>See <strong>Table 6</strong> and <strong>Table 7</strong> for Royal and BlackSuit Ransomware IOCs as of June 2023. 
See Table 8 for a list of legitimate software used by Royal and BlackSuit threat actors identified through FBI investigations as of June 2023.</p> <p><em><strong>(New August 7, 2024)</strong></em> See <strong>Table 9</strong> through<strong> Table 15</strong> for BlackSuit ransomware IOCs obtained by FBI during threat response activities as of July 2024 and <strong>Figure 1</strong> for a sample ransom note.</p> <p><strong>Disclaimer</strong>: Some of the observed IP addresses are several years old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.</p> <h3>Royal IOCs as of January 2023</h3> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 1: Royal Ransomware Associated Files as of January 2023</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">IOC</th> <th role="columnheader">Description</th> </tr> </thead> <tbody> <tr> <td>.royal</td> <td>Encrypted file extension</td> </tr> <tr> <td>README.TXT</td> <td>Ransom note</td> </tr> </tbody> </table> </div> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 2: Royal Ransomware Associated IP addresses as of January 2023</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Malicious IP</th> <th role="columnheader">Last Observed Activity</th> </tr> </thead> <tbody> <tr> <td>102.157.44[.]105</td> <td>November 2022</td> </tr> <tr> <td>105.158.118[.]241</td> <td>November 2022</td> </tr> <tr> <td>105.69.155[.]85</td> <td>November 2022</td> </tr> <tr> <td>113.169.187[.]159</td> <td>November 2022</td> </tr> <tr> <td>134.35.9[.]209</td> <td>November 2022</td> </tr> <tr> <td>139.195.43[.]166</td> <td>November 2022</td> </tr> <tr> <td>139.60.161[.]213</td> <td>November 2022</td> </tr> <tr> <td>148.213.109[.]165</td> <td>November 2022</td> </tr> <tr> 
<td>163.182.177[.]80</td> <td>November 2022</td> </tr> <tr> <td>181.141.3[.]126</td> <td>November 2022</td> </tr> <tr> <td>181.164.194[.]228</td> <td>November 2022</td> </tr> <tr> <td>185.143.223[.]69</td> <td>November 2022</td> </tr> <tr> <td>186.64.67[.]6</td> <td>November 2022</td> </tr> <tr> <td>186.86.212[.]138</td> <td>November 2022</td> </tr> <tr> <td>190.193.180[.]228</td> <td>November 2022</td> </tr> <tr> <td>196.70.77[.]11</td> <td>November 2022</td> </tr> <tr> <td>197.11.134[.]255</td> <td>November 2022</td> </tr> <tr> <td>197.158.89[.]85</td> <td>November 2022</td> </tr> <tr> <td>197.204.247[.]7</td> <td>November 2022</td> </tr> <tr> <td>197.207.181[.]147</td> <td>November 2022</td> </tr> <tr> <td>197.207.218[.]27</td> <td>November 2022</td> </tr> <tr> <td>197.94.67[.]207</td> <td>November 2022</td> </tr> <tr> <td>23.111.114[.]52</td> <td>November 2022</td> </tr> <tr> <td>41.100.55[.]97</td> <td>November 2022</td> </tr> <tr> <td>41.107.77[.]67</td> <td>November 2022</td> </tr> <tr> <td>41.109.11[.]80</td> <td>November 2022</td> </tr> <tr> <td>41.251.121[.]35</td> <td>November 2022</td> </tr> <tr> <td>41.97.65[.]51</td> <td>November 2022</td> </tr> <tr> <td>42.189.12[.]36</td> <td>November 2022</td> </tr> <tr> <td>45.227.251[.]167</td> <td>November 2022</td> </tr> <tr> <td>5.44.42[.]20</td> <td>November 2022</td> </tr> <tr> <td>61.166.221[.]46</td> <td>November 2022</td> </tr> <tr> <td>68.83.169[.]91</td> <td>November 2022</td> </tr> <tr> <td>81.184.181[.]215</td> <td>November 2022</td> </tr> <tr> <td>82.12.196[.]197</td> <td>November 2022</td> </tr> <tr> <td>98.143.70[.]147</td> <td>November 2022</td> </tr> <tr> <td>140.82.48[.]158</td> <td>December 2022</td> </tr> <tr> <td>147.135.36[.]162</td> <td>December 2022</td> </tr> <tr> <td>147.135.11[.]223</td> <td>December 2022</td> </tr> <tr> <td>152.89.247[.]50</td> <td>December 2022</td> </tr> <tr> <td>172.64.80[.]1</td> <td>December 2022</td> </tr> <tr> <td>179.43.167[.]10</td> <td>December 2022</td> 
</tr> <tr> <td>185.7.214[.]218</td> <td>December 2022</td> </tr> <tr> <td>193.149.176[.]157</td> <td>December 2022</td> </tr> <tr> <td>193.235.146[.]104</td> <td>December 2022</td> </tr> <tr> <td>209.141.36[.]116</td> <td>December 2022</td> </tr> <tr> <td>45.61.136[.]47</td> <td>December 2022</td> </tr> <tr> <td>45.8.158[.]104</td> <td>December 2022</td> </tr> <tr> <td>5.181.234[.]58</td> <td>December 2022</td> </tr> <tr> <td>5.188.86[.]195</td> <td>December 2022</td> </tr> <tr> <td>77.73.133[.]84</td> <td>December 2022</td> </tr> <tr> <td>89.108.65[.]136</td> <td>December 2022</td> </tr> <tr> <td>94.232.41[.]105</td> <td>December 2022</td> </tr> <tr> <td>47.87.229[.]39</td> <td>January 2023</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 3: Royal Ransomware Associated Domains as of January 2023</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Malicious Domain</th> <th role="columnheader">Last Observed Activity</th> </tr> </thead> <tbody> <tr> <td>sombrat[.]com</td> <td>October 2022</td> </tr> <tr> <td>gororama[.]com</td> <td>November 2022</td> </tr> <tr> <td>softeruplive[.]com</td> <td>November 2022</td> </tr> <tr> <td>altocloudzone[.]live</td> <td>December 2022</td> </tr> <tr> <td>ciborkumari[.]xyz</td> <td>December 2022</td> </tr> <tr> <td>myappearinc[.]com</td> <td>December 2022</td> </tr> <tr> <td>parkerpublic[.]com</td> <td>December 2022</td> </tr> <tr> <td>pastebin.mozilla[.]org/Z54Vudf9/raw</td> <td>December 2022</td> </tr> <tr> <td>tumbleproperty[.]com</td> <td>December 2022</td> </tr> <tr> <td>myappearinc[.]com/acquire/draft/c7lh0s5jv</td> <td>January 2023</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 4: Tools Used by Royal Operators</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Tool</th> <th 
role="columnheader">SHA256</th> </tr> </thead> <tbody> <tr> <td>AV tamper</td> <td>8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375</td> </tr> <tr> <td>TCP/UDP Tunnel over HTTP (Chisel)</td> <td>8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451</td> </tr> <tr> <td>Ursnif/Gozi</td> <td>be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1</td> </tr> <tr> <td>Exfil</td> <td>B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20</td> </tr> <tr> <td>Remote Access (AnyDesk)</td> <td>4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7</td> </tr> <tr> <td>PowerShell Toolkit Downloader</td> <td>4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce</td> </tr> <tr> <td>PsExec (Microsoft Sysinternals)</td> <td>08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c</td> </tr> <tr> <td>Keep Host Unlocked (Don’t Sleep)</td> <td>f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee</td> </tr> <tr> <td>Ransomware Executable</td> <td>d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681</td> </tr> <tr> <td>Windows Command Line (NirCmd)</td> <td>216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5</td> </tr> <tr> <td>System Management (NSudo)</td> <td>19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618</td> </tr> <tr> <td>AV tamper</td> <td>8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375</td> </tr> <tr> <td>TCP/UDP Tunnel over HTTP (Chisel)</td> <td>8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451</td> </tr> <tr> <td>Ursnif/Gozi</td> <td>be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1</td> </tr> <tr> <td>Exfil</td> <td>B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20</td> </tr> <tr> <td>Remote Access (AnyDesk)</td> <td>4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7</td> </tr> <tr> <td>PowerShell Toolkit Downloader</td> 
<td>4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce</td> </tr> <tr> <td>PsExec (Microsoft Sysinternals)</td> <td>08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c</td> </tr> <tr> <td>Keep Host Unlocked (Don’t Sleep)</td> <td>f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee</td> </tr> <tr> <td>Ransomware Executable</td> <td>d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681</td> </tr> <tr> <td>Windows Command Line (NirCmd)</td> <td>216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5</td> </tr> <tr> <td>System Management (NSudo)</td> <td>19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618</td> </tr> </tbody> </table> </div> </div> </div> <p> </p> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 5: Batch Script Tools Used by Royal Operators</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">File name</th> <th role="columnheader">Hash Value</th> </tr> </thead> <tbody> <tr> <td>2.bat</td> <td>585b05b290d241a249af93b1896a9474128da969</td> </tr> <tr> <td>3.bat</td> <td>41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d</td> </tr> <tr> <td>4.bat</td> <td>a84ed0f3c46b01d66510ccc9b1fc1e07af005c60</td> </tr> <tr> <td>8.bat</td> <td>c96154690f60a8e1f2271242e458029014ffe30a</td> </tr> <tr> <td>kl.bat</td> <td>65dc04f3f75deb3b287cca3138d9d0ec36b8bea0</td> </tr> <tr> <td>gp.bat</td> <td>82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58</td> </tr> <tr> <td>r.bat</td> <td>74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c</td> </tr> <tr> <td>runanddelete.bat</td> <td>342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE</td> </tr> </tbody> </table> </div> <h3>Royal and BlackSuit IOCs as of June 2023 (New November 13, 2023)</h3> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 6: Royal Ransomware 
Associated Files, Tools, and Hashes as of June 2023</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Name</th> <th role="columnheader">Description or SHA 256 Hash Value</th> </tr> </thead> <tbody> <tr> <td>C:\Users\Public\conhost.exe client 149.28.73.161:443 R:149.28.73.161:43657:socks</td> <td>Executed on the victim’s machine, uses a Chisel client to tunnel traffic through port 443 instead of port 43657.</td> </tr> <tr> <td>royal_w</td> <td>Encryption extension</td> </tr> <tr> <td>%PROGRAMDATA%</td> <td>Ransomware Filepath</td> </tr> <tr> <td>%TEMP%\execute.bat</td> <td> </td> </tr> <tr> <td>InstallerV20.8.msi</td> <td> </td> </tr> <tr> <td>windows_encryptor.exe</td> <td>85087f28a84205e344d7e8e06979e6622fab0cfe1759fd24e38cd0390bca5fa6</td> </tr> <tr> <td>%PROGRAMDATA%\wine.exe</td> <td>5b08c02c141eab94a40b56240a26cab7ff07e9a6e760dfde8b8b053a3526f0e6</td> </tr> <tr> <td>%USERPROFILE%\Downloads\run1.bat</td> <td>bc609cf53dde126b766d35b5bcf0a530c24d91fe23633dad6c2c59fd1843f781</td> </tr> <tr> <td>%USERPROFILE%\Downloads\run2.bat</td> <td>13c25164791d3436cf2efbc410caec6b6dd6978d7e83c4766917630e24e1af10</td> </tr> <tr> <td>%USERPROFILE%\Downloads\run3.bat</td> <td>2b93206d7a36cccdf7d7596b90ead301b2ff7e9a96359f39b6ba31bb13d11f45</td> </tr> <tr> <td>%USERPROFILE%\Downloads\run4.bat</td> <td>84e1efbed6bb7720caea6720a8bff7cd93b5d42fb1d71ef8031bfd3897ed4435</td> </tr> <tr> <td>%USERPROFILE%\Downloads\sc.bat</td> <td>e0dbe3a2d07ee10731b68a142c65db077cfb88e5ec5c8415e548d3ede40e7ffc</td> </tr> <tr> <td>%USERPROFILE%\Downloads\sr.bat</td> <td>34a98f2b54ebab999f218b0990665485eb2bb74babdf7e714cc10a306616b00c</td> </tr> <tr> <td>runanddelete.bat</td> <td>342b398647073159dfa8a7d36510171f731b760089a546e96fbb8a292791efee</td> </tr> <tr> <td>scripttodo.ps1 (94.232.41.105)</td> <td>4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce</td> </tr> <tr> <td>dontsleep.exe</td> 
<td>f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee</td> </tr> <tr> <td>wstart.exe</td> <td>d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681</td> </tr> <tr> <td>InstallerV8.1.ms</td> <td>3e6e2e0de75896033d91dfd07550c478590ca4cd4598004d9e19246e8a09cb97</td> </tr> <tr> <td>shutdowni.bat</td> <td>8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375</td> </tr> <tr> <td>f827.exe</td> <td>5654f32a4f0f2e900a35761e8caf7ef0c50ee7800e0a3b19354b571bc6876f61</td> </tr> <tr> <td>d2ef5.exe</td> <td>be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1</td> </tr> <tr> <td>f24dc8ea.msi</td> <td>91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055</td> </tr> <tr> <td>defw10.bat</td> <td>fb638dba20e5fec72f5501d7e0627b302834ec5eaf331dd999763ee925cbc0f9</td> </tr> <tr> <td>ll.exe</td> <td>f0197bd7ccd568c523df9c7d9afcbac222f14d344312322c04c92e7968859726</td> </tr> <tr> <td>Royal Ransomware Hash</td> <td>b987f738a1e185f71e358b02cafa5fe56a4e3457df3b587d6b40e9c9de1da410</td> </tr> <tr> <td>b34v2.dll</td> <td>a51b1f1f0636bff199c0f87e2bb300d42e06698b</td> </tr> <tr> <td>1.exe</td> <td>d93f1ef533e6b8c95330ba0962e3670eaf94a026</td> </tr> <tr> <td>34.dll</td> <td>9e19afc15c5781e8a89a75607578760aabad8e65</td> </tr> <tr> <td>ll.exe</td> <td>9a92b147cad814bfbd4632b6034b8abf8d84b1a5</td> </tr> <tr> <td>Royal Ransomware Hash</td> <td>a4ef01d55e55cebdd37ba71c28b0c448a9c833c0</td> </tr> </tbody> </table> </div> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 7: BlackSuit Ransomware Associated Files, Tools, and Hashes as of June 2023</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">File Name</th> <th role="columnheader">Hash Value</th> </tr> </thead> <tbody> <tr> <td>sys32.exe</td> <td>30cc7724be4a09d5bcd9254197af05e9fab76455</td> </tr> <tr> <td>esxi_encryptor</td> <td>861793c4e0d4a92844994b640cc6bc3e20944a73</td> </tr> 
</tbody> </table> </div> <p>BlackSuit threat actors have been observed using legitimate software and open source tools during ransomware operations. Threat actors have been observed using open source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm to establish SSH connections. The publicly available credential stealing tool Mimikatz and password harvesting tools from Nirsoft have also been found on victim systems. Legitimate RMM tools have also been observed as backdoor access vectors. Some of this legitimate software and these open source tools are listed in <strong>Table 8</strong>.</p> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 8: Legitimate Files and Tools Used by Royal and BlackSuit Ransomware</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Name</th> <th role="columnheader">Description or SHA 256 Hash Value</th> </tr> </thead> <tbody> <tr> <td> <p>C:\Program Files\OpenSSH\ssh-agent.exe</p> <p>C:\Program Files\OpenSSH\sshd.exe</p> </td> <td>SSH Client</td> </tr> <tr> <td>%USERPROFILE%\Downloads\WinRAR.exe</td> <td>Compression tool</td> </tr> <tr> <td>%APPDATA%\MobaXterm\</td> <td>Toolbox for remote computing</td> </tr> <tr> <td>\Program Files (x86)\Mobatek\</td> <td>Toolbox for remote computing</td> </tr> <tr> <td>\Program Files (x86)\Mobatek\MobaXterm\</td> <td>Toolbox for remote computing</td> </tr> <tr> <td>b34v2.dll</td> <td>CobaltStrike Beacon</td> </tr> <tr> <td>34.dll</td> <td>CobaltStrike Beacon</td> </tr> <tr> <td>mimikatz.exe</td> <td>Mimikatz credential harvester</td> </tr> <tr> <td>dialuppass.exe</td> <td>Nirsoft password harvesting utility</td> </tr> <tr> <td>iepv.exe</td> <td>Nirsoft password harvesting utility</td> </tr> <tr> <td>mailpv.exe</td> <td>Nirsoft password harvesting utility</td> </tr> <tr> <td>netpass.exe</td> <td>Nirsoft password harvesting utility</td> </tr> <tr> 
<td>routerpassview.exe</td> <td>Nirsoft password harvesting utility</td> </tr> <tr> <td>AdFind.exe</td> <td>ADFind tool</td> </tr> <tr> <td>LogMeIn</td> <td>Remote access tool</td> </tr> <tr> <td>Atera</td> <td>Remote access tool</td> </tr> <tr> <td>C:\Program Files\Eraser\Eraser.exe</td> <td>Anti-Forensics Tool used by TA</td> </tr> <tr> <td>advanced_ip_scanner.exe</td> <td>Reconnaissance Tool used by TA</td> </tr> <tr> <td>conhost.exe (chisel_windows_1_7_7.exe)</td> <td>b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b</td> </tr> <tr> <td>%USERPROFILE%\Downloads\svvhost.exe<br>\Users\Administrator\AppData\Local\Temp\cloudflared.exe</td> <td>c429719a45ca14f52513fe55320ebc49433c729a0d2223479d9d43597eab39fa</td> </tr> <tr> <td>nircmd.exe</td> <td>216047c048bf1dcbf031cf24bd5e0f263994a5df60b23089e393033d17257cb5</td> </tr> <tr> <td>nsudo.exe</td> <td>19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618</td> </tr> </tbody> </table> </div> <h3><strong>IOCs as of July 2024 (New August 7, 2024)</strong></h3> <p><strong>Disclaimer:</strong> Several of these observed IP addresses were first observed as early as 2023, although the most recent are from July of 2024 and have been historically linked to BlackSuit (formerly known as Royal) Ransomware. IP addresses in this advisory were maliciously used during the time range highlighted below, and may have been used for legitimate purposes outside of that time span. 
FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.</p> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 9: Malicious URL (s) associated with BlackSuit Ransomware</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">URL Association</th> <th role="columnheader">Malicious URLs</th> </tr> </thead> <tbody> <tr> <td>URLs from malicious PowerShell on P0, potentially <code>debug.ps1</code></td> <td> <p>https://1tvnews[.]af/xmlrpc.php</p> <p>https://avpvuurwerk[.]nl/xmlrpc.php</p> <p>https://beautyhabits[.]gr/xmlrpc.php</p> <p>https://interpolyaris[.]ru/xmlrpc.php</p> <p>https://libertygospeltracts[.]com/xmlrpc.php</p> <p>https://oldtimertreffen-rethem[.]de/xmlrpc.php</p> <p>https://parencyivf[.]com/xmlrpc.php</p> <p>https://pikaluna[.]com/xmlrpc.php</p> <p>https://stroeck[.]at/xmlrpc.php</p> </td> </tr> <tr> <td>URL associated to BRC4 / Brute Ratel</td> <td>megupdate[.]com</td> </tr> <tr> <td>URLs associated to Exfiltration</td> <td>mystuff[.]bublup[.]com </td> </tr> <tr> <td>URL associated to Cobalt Strike C2</td> <td>provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io</td> </tr> <tr> <td>URL associated to Initial Access Download</td> <td>zoommanager[.]com</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 10: BlackSuit Ransomware Associated Files and Hash Values</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Filename</th> <th role="columnheader">Hash Value – SHA-256</th> <th role="columnheader">Description</th> </tr> </thead> <tbody> <tr> <td>1.exe</td> <td>af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61</td> <td>Encryptor</td> </tr> <tr> <td>PowerTool64.exe</td> <td> </td> <td>Hacktool</td> </tr> <tr> <td>aaa.exe</td> 
<td>C4A2227CD8D85128EAFEF8EE2298AA105DA892C8B0F37405667C2D1647C35C46</td> <td>Encryptor</td> </tr> <tr> <td> aaa.exe</td> <td>8d16a23d5a5630502b09c33fbc571d2261c6c98fecc3a79a1e1129354f930d0a</td> <td> </td> </tr> <tr> <td>Wen.exe</td> <td>01ce9cfebb29596d0ab7c99e8dbadf1a8409750b183e6bf73e0de021b365be13</td> <td> </td> </tr> <tr> <td>etmc.exe</td> <td>a0a4a99948e12309f54911264261d96f0e40d5fd695bab82e95fbc1f9024482e</td> <td> </td> </tr> <tr> <td>svchost.exe</td> <td>9bbc9784ce3c818a127debfe710ec6ce21e7c9dd0daf4e30b8506a6dba533db4</td> <td>Data Exfiltration Tool – Renamed version of <code>RClone.exe</code></td> </tr> <tr> <td>locker_N1uYkmEsfoHmT4lK66trUjBuy5gyAj7n.ex_</td> <td>146335b1be627318ac09476f0c8f8e6e027805e6077673f72d6dce1677a24c78</td> <td> </td> </tr> <tr> <td>socks32.exe</td> <td>9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300</td> <td> </td> </tr> <tr> <td>C:\users\Administrator\AppData\Local\msa.ps1</td> <td> </td> <td>SystemBC backdoor</td> </tr> <tr> <td>%APPDATA%\ Zoom\Alternative Workplace Strategies.js</td> <td>E813F8FAF3AA2EB20E285596413F5088B2D7FD153FE9F72F3FF45735D0FDDCED</td> <td>Gootloader infection</td> </tr> <tr> <td>C:\Users\Public\socks.ps1</td> <td>25A6F82936134A6C5C0066F382530B9D6BF2C8DA6FEAFE028F166B1A9D7283CF</td> <td> <p>PowerShell Backdoor</p> <p> </p> </td> </tr> <tr> <td>HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run (Value == socks_powershell)</td> <td> </td> <td>Executes socks.ps1 on reboot</td> </tr> <tr> <td>share$.zip</td> <td>e3d7c012040962acd66f395d1c5c5f73f305aa1058f2111e8e37d9cb213b80c4</td> <td>Contains <code>_COPY.bat</code>, <code>PsExec.exe</code>, <code>etmc.exe</code>, and <code>_EXEC.bat</code> to deploy encryptor (<code>etmc.exe</code>) across environment using domain admin credentials</td> </tr> <tr> <td>socss.exe</td> <td>C798B2690C5F16EB2917A679AF3117CFE9C7060FA8BC84FFC3159338EF33508E</td> <td>Malware</td> </tr> <tr> <td>qq.exe</td> 
<td>3c8c1b1f53e0767b7291bb1ae605ffa62a93e9c8cc783e4ca47ac84b48320d59</td> <td> </td> </tr> <tr> <td>gomer.exe</td> <td> </td> <td>A renamed executable of GMER used for defense evasion</td> </tr> <tr> <td>288-csrss.exe</td> <td>ee6ec2810910c6d2a2957f041edd1e39dca4266a1cc8009ae6d7315aba9196f5</td> <td> </td> </tr> <tr> <td>372-winlogon.exe</td> <td>68c57daed0e5899c49b827042bcf3bbeba33b524bd83315a44d889721664dc34</td> <td> </td> </tr> <tr> <td>776-svchost.exe</td> <td> bbb7404419f91f82cedfec915931a9339f04165b27d8878d63827c9ee421ed62</td> <td> </td> </tr> <tr> <td>Exe.exe, aaaa.exe, qq.exe</td> <td>338228a3e79f3993abc102cbac2ff253c84965213d59ac30892538cdd9b0a22b</td> <td>Ransomware file</td> </tr> <tr> <td>Mwntv.sys</td> <td>6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de</td> <td>Potential Tool Ingress</td> </tr> <tr> <td>Un_A.exe</td> <td> </td> <td>Malicious binary for attempting to disable/uninstall security software</td> </tr> <tr> <td>Un_B.erxe</td> <td> </td> <td>Malicious binary for attempting to disable/uninstall security software</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 11: Batch Script Tools Used by BlackSuit Ransomware Operators and Hash Values</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Filename</th> <th role="columnheader">Description</th> <th role="columnheader"><a>Hash Value – SHA-256</a></th> </tr> </thead> <tbody> <tr> <td>2.bat</td> <td>Batch Script to copy and execute encryptor</td> <td>3041dfc13f356c2f0133a9c11a258f87cb7de1e17bc435e9b623d74bc5e1c6be</td> </tr> <tr> <td>C:\share$\_EXEC.bat</td> <td>Execute encrypter</td> <td>8F87A1542EE790623896BBAAB933D1883484DE02A7B3D65D6C791D50173A923D</td> </tr> <tr> <td>fstart.bat</td> <td>A batch script used to enable remote services, perform anti-forensics, and enable clear-text passwords in memory</td> <td> </td> </tr> <tr> <td>NLA.bat</td> <td>A 
batch script used to disable Network Level Authentication (NLA) for Remote Desktop Services (RDS)</td> <td> </td> </tr> <tr> <td>av.bat</td> <td>A batch script that searches for presence of an application and uninstalls it</td> <td> </td> </tr> <tr> <td>systeminfo.bat</td> <td>A batch script used for system enumeration</td> <td> </td> </tr> <tr> <td>mv.bat</td> <td>A batch script used to move the PsExec executable and delete the netscan executable</td> <td> </td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 12: IP addresses from BlackSuit Ransomware Deployments (from November 2023 to July 2024)</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">IP Address </th> <th role="columnheader">Time Range of Use</th> <th role="columnheader">Description </th> </tr> </thead> <tbody> <tr> <td>143[.]244[.]146[.]183:443</td> <td>May 2024</td> <td>Unknown C2 – potential SOCKS Proxy</td> </tr> <tr> <td>45[.]141[.]87[.]218:9000</td> <td>May 2024</td> <td>Arechclient2 Backdoor/SecTopRAT</td> </tr> <tr> <td>45[.]141[.]87[.]218:443</td> <td>May 2024</td> <td>Arechclient2 Backdoor/SecTopRAT</td> </tr> <tr> <td>184.174.96[.]16</td> <td>May 2024</td> <td>Associated with download of the binary <code>vm.dll</code></td> </tr> <tr> <td>89.251.22[.]32</td> <td>May 2024</td> <td>Cobalt Strike</td> </tr> <tr> <td>135.148.67[.]84</td> <td>May 2024</td> <td>Resolves to domain <code>turnovercheck[.]com</code></td> </tr> <tr> <td>180.131.145[.]85</td> <td>May 2024</td> <td>Associated with malicious PowerShell execution</td> </tr> <tr> <td>180.131.145[.]61</td> <td>May 2024</td> <td>SystemBC Command & Control</td> </tr> <tr> <td>138.199.53[.]226</td> <td>Feb 2024</td> <td> </td> </tr> <tr> <td>184.166.211[.]74</td> <td>Feb 2024</td> <td> </td> </tr> <tr> <td>185.190.24[.]103</td> <td>Feb 2024</td> <td> </td> </tr> <tr> <td>5.181.234[.]58</td> <td>Feb 2024</td> <td> </td> 
</tr> <tr> <td>137.220.61[.]94</td> <td>Nov – Feb 2024</td> <td>connecting outbound from Socss.exe</td> </tr> <tr> <td>193.37.69[.]116</td> <td>Nov – Jan 2024</td> <td>Associated with exfiltration</td> </tr> <tr> <td>144.202.120[.]122</td> <td>Nov 2023</td> <td>socks1.ps1 backdoor; SystemBC Backdoor C2; www.recruitment-interview[.]org (C2 SystemBC)</td> </tr> <tr> <td>104.21.58[.]219:443</td> <td>Nov 2023</td> <td>Cobalt Strike</td> </tr> <tr> <td>141.98.80[.]181:80</td> <td>Nov 2023</td> <td>Cobalt Strike</td> </tr> <tr> <td>144.202.120[.]122:433</td> <td>Nov 2023</td> <td>PowerShell Reverse Proxy</td> </tr> <tr> <td>155.138.150[.]236:8088</td> <td>Nov 2023</td> <td>PowerShell Reverse Proxy</td> </tr> <tr> <td>140.82.18[.]48</td> <td>Nov 2023</td> <td> </td> </tr> <tr> <td>141.98.80[.]181</td> <td>Nov 2023</td> <td> </td> </tr> <tr> <td>44.202.120[.]122</td> <td>Nov 2023</td> <td> </td> </tr> <tr> <td>45.76.225[.]156</td> <td>Nov 2023</td> <td> </td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 13: Legitimate Files and Tools Used by Black Suit Ransomware (1 of 3)</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">File name</th> <th role="columnheader">Hash Value – SHA-256</th> <th role="columnheader"><a>Description</a></th> </tr> </thead> <tbody> <tr> <td>share.exe</td> <td>f02af8ffc37d1874b971307fdec80e33e583b56d9ebabda78a4b8ad038bc3bf0</td> <td>Cobalt Strike</td> </tr> <tr> <td>181.exe</td> <td>b028eaa0ec452c6844881dc34be813834813a40591b89ea9a57dd4fb4084e477</td> <td>Cobalt Strike – File name </td> </tr> <tr> <td>222wqc.exe</td> <td>ae724dce252c7b05a84bc264993172cf86950d22744b5e3a1b15ba645d9d3733</td> <td>Cobalt Strike</td> </tr> <tr> <td>gmer.exe</td> <td> </td> <td>GMER / Rootkit Hunter</td> </tr> <tr> <td>PowerTool64.exe</td> <td> </td> <td>PowerTool64 for hacking</td> </tr> <tr> <td>Psexesvc.exe</td> 
<td>141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944</td> <td>Sysinternals</td> </tr> <tr> <td> <p>Socks5.ps1</p> <p>Socks.ps1</p> </td> <td>25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf</td> <td>PowerShell Reverse Proxy</td> </tr> <tr> <td>netscan.exe</td> <td> </td> <td>A network reconnaissance tool</td> </tr> <tr> <td>3iSDtcX.exe</td> <td>e87512ea12288acec611cf8e995c4ced3971d9e35c0c5dcfd9ee17c9e3ed913d</td> <td>Putty suite</td> </tr> <tr> <td>File.exe</td> <td>f805dafb3c0b7e18aa7d8c96db8e8d4e9301ff619622d1aecc8080e0ecd9ebbe</td> <td><code>Putty.exe</code>. Possibly used for C2</td> </tr> <tr> <td>Mwntv.sys</td> <td>6332f189cc71df646ff0f1b9b02a005c9ebda3fe7b9712976660746913b030de</td> <td>Potential Tool Ingress</td> </tr> <tr> <td>AnyDesk</td> <td>1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499</td> <td>Potential remote access tool</td> </tr> <tr> <td>ScreenConnect</td> <td>420db40d26d309d3dba3245abb91207f1bca050530545a8048f856e5840d22a2</td> <td>Potential remote access tool</td> </tr> <tr> <td>SharpShares.exe</td> <td> </td> <td>Enumerate network shares</td> </tr> <tr> <td>Networx.exe</td> <td> </td> <td>Bandwidth utilization</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 14: Legitimate Files and Tools Used by Black Suit Ransomware (2 of 3)</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist"><strong>Filename</strong></th> <th role="columnheader"><a><strong>Hash Value – SHA-1</strong></a></th> <th role="columnheader"><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td>181[.]exe</td> <td>790d40cd16fb458bf99e3600bce29eca06d40b56</td> <td>Cobalt Strike – Host name </td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 15: Legitimate Files and Tools Used by Black Suit Ransomware (3 of 
3)</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist"><strong>Filename</strong></th> <th role="columnheader"><strong>File Path</strong></th> <th role="columnheader"><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td>Anydesk.exe</td> <td>C:\Program Files(x86)\AnyDesk\AnyDesk.exe</td> <td>Remote Monitoring and Management (RMM) Tool</td> </tr> <tr> <td>ehorus_display.exe</td> <td>C:\Program Files\ehorus_agent\ehorus_display\ehorus_display.exe</td> <td>RMM Tool</td> </tr> <tr> <td>ehorus_launcher.exe</td> <td>C:\Program Files\ehorus_agent\ehorus_launcher.exe</td> <td>RMM Tool</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 16: Domain(s) associated to BlackSuit Ransomware</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Domain Name </th> <th role="columnheader"><a>Description</a></th> </tr> </thead> <tbody> <tr> <td>Abbeymathiass[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>Mail.abbeymathiass[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>Store.abbeymathiass[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>https://file[.]io/ScPd1KcJTtxO</td> <td>Associated with download of the binary disabler.exe by threat actors</td> </tr> <tr> <td>Mail.turnovercheck[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>Store.turnovercheck[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>turnovercheck[.]com</td> <td>Cobalt Strike C2</td> </tr> <tr> <td>Hourlyprofitstore[.]com</td> <td>Cobalt Strike</td> </tr> <tr> <td>IPs and Domains for downloads / C2 / exfiltration of communication</td> <td> <p>https://protect-us.mimecast[.]com/s/A2PyC31xN5IpzR0XUvzaAj?domain=5.181.157.8</p> <p>https://protect-us.mimecast[.]com/s/CcsrC4xyO7fBK73ztjNfPl?domain=5.181.234.58</p> <p>https://protect-us.mimecast[.]com/s/NwueC5yzP5IZLW4MulfSrc?domain=137.220.61.94</p> 
<p>https://protect-us.mimecast[.]com/s/T3InC2kwM5hpzEOVU9S5zn?domain=147.135.36.162</p> <p>https://protect-us.mimecast[.]com/s/teBrC1wvL8iMNE56tXga0n?domain=147.135.11.223</p> </td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 17: BlackSuit Ransomware Note and Hash Value</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">File Name</th> <th role="columnheader">Hash Value</th> <th role="columnheader">Description </th> </tr> </thead> <tbody> <tr> <td>readme.BlackSuit.txt</td> <td>1743494f803bbcbd11150a4a8b7a2c5faba1223da607f67d24b18ca2d95d5ba3</td> <td>Ransomware note</td> </tr> </tbody> </table> <h3>Ransom Note (New August 7, 2024)</h3> <p><strong>Figure 1 </strong>shows the observed BlackSuit ransom notes delivered to victims.</p> <table> <caption><em>Figure 1. BlackSuit Ransom Note</em></caption> <tbody> <tr> <td> <p>Your safety service did a really poor job of protecting your files against our professionals.</p> <p>Extortioner named BlackSuit has attacked your system.</p> <p>As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm.</p> <p>Now we have all your files like: financial reports, intellectual property, accounting, law actions and complaints, personal files and so on and so forth. 
</p> <p>We are able to solve this problem in one touch.</p> <p>We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to make a deal with us.</p> <p>You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation.</p> <p>You can have a safety review of your systems.</p> <p>All your files will be decrypted, your data will be reset, your systems will stay in safe.</p> <p>Contact us through TOR browser using the link:</p> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> </div> <h2><strong>MITRE ATT&CK Tactics and Techniques</strong></h2> <p>See <strong>Table 18</strong> through <strong>Table 23 </strong>for all referenced threat actor tactics and techniques in this advisory, as well as corresponding detection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.</p> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 18: BlackSuit Actors ATT&CK Techniques for Resource Development</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title</th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td>Acquire Access</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1650/" title="Acquire Access">T1650</a></td> <td>BlackSuit actors may leverage brokers in support of gaining initial access.</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 19: Cyber Threat Actors ATT&CK Techniques for Initial Access</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title</th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td>Remote Services: Remote Desktop 
Protocol</td> <td><a href="https://attack.mitre.org/versions/v13/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a></td> <td>BlackSuit actors use RDP compromise as a secondary initial access vector.</td> </tr> <tr> <td>External Remote Services</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1133/" title="External Remote Services">T1133</a></td> <td>BlackSuit actors gain initial access through a variety of RMM software.</td> </tr> <tr> <td>Exploit Public Facing Application</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1190/" title="Exploit Public Facing Application">T1190</a></td> <td>BlackSuit actors gain initial access through public-facing applications.</td> </tr> <tr> <td>Phishing</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1566/" title="Phishing">T1566</a></td> <td>BlackSuit actors most commonly gain initial access to victim networks via phishing. </td> </tr> <tr> <td>Phishing: Spearphishing Attachment</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a></td> <td>BlackSuit actors used malicious PDF document attachments in phishing campaigns.</td> </tr> <tr> <td>Phishing: Spearphishing Link</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1566/002/" title="Phishing: Spearphishing Link">T1566.002</a></td> <td>The actors gain initial access using malvertising links via emails and public-facing sites.</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 20: Cyber Threat Actors ATT&CK Techniques for Privilege Escalation</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title </th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td><em><strong>(New August 7, 2024)</strong></em> Valid 
Accounts</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1078/" title="Valid Accounts">T1078</a></td> <td>BlackSuit actors used a legitimate admin account to gain access privileges to the domain controller.</td> </tr> <tr> <td>Valid Accounts: Domain Accounts</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a></td> <td>BlackSuit actors used encrypted files to create new admin user accounts.</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 21: Cyber Threat Actors ATT&CK Techniques for Defense Evasion</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title</th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td>Remote Services: Remote Desktop Protocol</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a></td> <td>BlackSuit actors used valid accounts to move laterally through the domain controller using RDP.</td> </tr> <tr> <td>Indicator Removal: Clear Windows Event Logs</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a></td> <td>BlackSuit actors deleted shadow files and system and security logs after exfiltration.</td> </tr> <tr> <td>Automated Collection</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1119/" title="Automated Collection">T1119</a></td> <td>BlackSuit actors used registry keys to auto-extract and collect files.</td> </tr> <tr> <td>Domain Policy Modification: Group Policy Modification</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1484/001/" title="Domain Policy Modification: Group Policy Modification">T1484.001</a></td> <td>BlackSuit actors modified Group 
Policy Objects to subvert antivirus protocols.</td> </tr> <tr> <td>Impair Defenses: Disable or Modify Tools</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1562/001/" title="Impair Defenses: Disable or Modify Tools">T1562.001</a></td> <td>BlackSuit actors deactivated antivirus protocols.</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 22: Cyber Threat Actors ATT&CK Techniques for Command and Control</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title</th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td>Ingress Tool Transfer</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1105/" title="Ingress Tool Transfer">T1105</a></td> <td>BlackSuit actors used C2 infrastructure to download multiple tools.</td> </tr> <tr> <td>Protocol Tunneling</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1572/" title="Protocol Tunneling">T1572</a></td> <td>BlackSuit actors used an encrypted SSH tunnel to communicate within C2 infrastructure.</td> </tr> </tbody> </table> <div> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <caption><em>Table 23: Cyber Threat Actors ATT&CK Techniques for Impact</em></caption> <thead> <tr> <th role="columnheader" data-tablesaw-priority="persist">Technique Title</th> <th role="columnheader">ID</th> <th role="columnheader">Use</th> </tr> </thead> <tbody> <tr> <td>Data Encrypted for Impact</td> <td><a href="https://attack.mitre.org/versions/v15/techniques/T1486/" title="Data Encrypted for Impact">T1486</a></td> <td>BlackSuit actors encrypted data to determine which files were being used or blocked by other applications.</td> </tr> </tbody> </table> <h2><strong>Detection Methods</strong></h2> </div> </div> </div> </div> </div> </div> <p><em><strong>(New August 7, 
2024)</strong></em> Please reference YARA rule below to aid in detecting BlackSuit activity. <strong>Note: </strong>The YARA rule is derived from FBI investigations and is not guaranteed to detect confirmed malicious activity.</p> <table> <tbody> <tr> <td>private rule is_executable {<br><br> condition:<br> uint32(uint32(0x3C)) == 0x00004550<br><br>}<br><br>rule obfuscates_dlls {<br><br> strings:<br> <br> // Code for unscrambling names of true DLL imports<br> $code_load_obfuscated = {<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> c6 84 24 ?? 00 00 00 ??<br> }<br> // c6 84 24 ?? 00 00 00 ?? | MOV byte ptr [ESP + ??], ??<br> <br> $code_deobfuscate = { 99 f7 ?? 8d ?? ?? 99 f7 ?? 88}<br> // 99 | CDQ<br> // f7 ?? | IDIV ??<br> // 8d ?? ?? | LEA ??, ??<br> // 99 | CDQ<br> // f7 ?? | IDIV ??<br> // 88 | MOV<br><br> condition:<br> all of them<br><br>}<br>rule calls_rsa_function {<br><br> strings:<br> <br> // Code for function calls using RSA key<br> $code_rsa_function_1 = { 8d4c2410 6a?? 6a?? 51 6a?? 6a?? 6a?? 68???????? ffd0 }<br> // 8d 4c 24 10 | LEA ECX, [esp + 0x10]<br> // 6a ?? | PUSH ??<br> // 6a ?? | PUSH ??<br> // 51 | PUSH ECX<br> // 6a ?? | PUSH ??<br> // 6a ?? | PUSH ??<br> // 6a ?? | PUSH ??<br> // 68 ?? ?? ?? ?? | PUSH (address of RSA string)<br> // ff d0 | CALL EAX<br> <br> $code_rsa_function_2 = { 8d4c2410 6a?? 6a?? 51 56 6a?? 6a?? 68???????? ffd0 }<br> // 8d 4c 24 10 | LEA ECX, [esp + 0x10]<br> // 6a ?? | PUSH ??<br> // 6a ?? | PUSH ??<br> // 51 | PUSH ECX<br> // 56 | PUSH ESI<br> // 6a ?? | PUSH ??<br> // 6a ?? | PUSH ??<br> // 68 ?? ?? ?? ?? 
| PUSH (address of RSA string)<br> // ff d0 | CALL EAX<br><br> condition:<br> any of them<br><br>}<br><br>rule xor_decoder_functions {<br><br> strings:<br> <br> // Functions 402e00 and 402f00 both appear to contain a xor-decoding loop<br> <br> // 402e00<br> $code_xor_loop_1 = { 0f a4 ce ?? 0f ac d5 ?? c1 e1 ?? c1 ea ?? 0b cd 0b f2 99 33 c8 }<br> // 0f a4 ce ?? | SHLD ESI, param_1, ??<br> // 0f ac d5 ?? | SHRD EBP, EDX, ??<br> // c1 e1 ?? | SHL param_1, ??<br> // c1 ea ?? | SHR EDX, 0x19<br> // 0b cd | OR param_1, EBP<br> // 0b f2 | OR ESI, EDX<br> // 99 | CDQ<br> // 33 c8 | XOR param_1, EAX<br> <br> // 402f00<br> $code_xor_loop_2 = { 0f a4 ce ?? c1 ea ?? 0b f2 c1 e1 ?? 0b c8 0f be c3 8a 1f 99 33 c8 }<br> // 0f a4 ce ?? | SHLD ESI, param_1, ??<br> // c1 ea ?? | SHR EDX, ??<br> // 0b f2 | OR ESI, EDX<br> // c1 e1 ?? | SHL, param_1, ??<br> // 0b c8 | OR param_1, EDX<br> // 0f be c3 | MOVSX EAX, BL<br> // 8a 1f | BL, byte ptr [EDI]<br> // 99 | CDQ<br> // 33 c8 | XOR param_1, EAX<br> <br> condition:<br> any of them<br><br>}<br><br>rule win_BlackSuit_manual {<br><br> meta:<br> author = "CVH - Raleigh"<br> date = "2024-07-12"<br> version = "1"<br> description = "Detects win.BlackSuit. 
Rules were manually constructed and results should not be considered conclusive."<br> malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.BlackSuit"<br><br> strings:<br><br> // Somehow keeps this in plaintext, although in UTF-16<br> $string_readme = "readme.BlackSuit.txt" nocase wide ascii<br> <br> // RSA key for encrypting AES encryption key present in plaintext<br> $string_rsa_key = "BEGIN RSA PUBLIC KEY" nocase wide ascii<br> <br> // Unusual debug strings<br> $string_debug_1 = ".rdata$voltmd"<br> $string_debug_2 = ".rdata$zzzdbg"<br> <br> // Relevant function calls<br> $import_1 = "MultiByteToWideChar"<br> $import_2 = "EnterCriticalSection"<br> $import_3 = "GetProcessHeap"<br> <br> <br> <br> condition:<br> (is_executable and $string_readme)<br> <br> or<br> <br> ($string_readme and<br> <br> (obfuscates_dlls or calls_rsa_function or xor_decoder_functions)<br> <br> )<br> <br> or<br> <br> 2 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions)<br> <br> or<br> <br> 1 of (obfuscates_dlls, calls_rsa_function, xor_decoder_functions) and any of them<br> <br>}</td> </tr> </tbody> </table> <h2><strong>Mitigations</strong></h2> <h3>Network Defenders</h3> <p>The FBI and CISA recommend network defenders implement the mitigations below to improve your organization’s cybersecurity posture based on BlackSuit actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. 
Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p> <ul> <li><strong>Implement a recovery plan</strong> to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).</li> <li><strong>Require all accounts</strong> with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with <a href="https://pages.nist.gov/800-63-3/" title="Digital Identity Guidelines">National Institute for Standards and Technology (NIST) standards</a> for developing and managing password policies. <ul> <li>Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;</li> <li>Store passwords in hashed format using industry-recognized password managers;</li> <li>Add password user “salts” to shared login credentials;</li> <li>Avoid reusing passwords;</li> <li>Implement multiple failed login attempt account lockouts;</li> <li>Disable password “hints”;</li> <li>Refrain from requiring password changes more frequently than once per year. </li> <li><strong>Note:</strong> NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. 
</li> <li>Require administrator credentials to install software.</li> </ul> </li> <li><strong>Keep all operating systems, software, and firmware up to date [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MitigatingKnownVulnerabilities1E" title="Mitigating Known Vulnerabilities (1.E)">CPG 1.E</a><strong>].</strong> Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.</li> <li><strong>Require Phishing-Resistant multifactor authentication to administrator accounts [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H" title="Phishing-Resistant Multifactor Authentication (MFA) (2.H)">CPG 2.H</a><strong>],</strong> and require standard MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. </li> <li><strong>Segment networks [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F" title="Network Segmentation (2.F)">CPG 2.F</a><strong>]</strong> to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. </li> <li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A" title="Detecting Relevant Threats and TTPs (3.A)">CPG 3.A</a><strong>].</strong> To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. 
Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. </li> <li><strong>Install, regularly update, and enable real time detection for antivirus</strong> software on all hosts.</li> <li><strong>Implement Secure Logging Collection and Storage Practices [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#LogCollection2T" title="Log Collection (2.T)">CPG 2.T</a><strong>]. Learn more on logging best practices by referencing </strong><a href="https://www.cisa.gov/resources-tools/services/logging-made-easy" title="Logging Made Easy">CISA’s Logging Made Easy</a><strong> resources.</strong></li> <li><strong>Review domain controllers, servers, workstations, and active directories</strong> for new and/or unrecognized accounts.</li> <li><strong>Audit user accounts </strong>with administrative privileges and configure access controls according to the principle of least privilege.</li> <li><strong>Disable unused ports.</strong></li> <li><strong>Implement and Enforce Email Security Policies [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#EmailSecurity2M" title="Email Security (2.M)">CPG 2.M</a><strong>].</strong></li> <li><strong>Disable Macros by Default [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DisableMacrosbyDefault2N" title="Disable Macros by Default (2.N)">CPG 2.N</a><strong>].</strong></li> <li><strong>Consider adding an email banner to emails</strong> received from outside your organization.</li> <li><strong>Disable hyperlinks in received emails.</strong></li> <li><strong>Implement time-based access for accounts set at the admin level and higher.</strong> For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust 
model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. </li> <li><strong>Disable command-line and scripting activities and permissions. </strong>Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. </li> <li><strong>Maintain offline backups of data, and regularly maintain backup and restoration [</strong><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MitigatingKnownVulnerabilities1E" title="System Backups (2.R)">CPG 2.R</a><strong>]. </strong>By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data. </li> <li><strong>Ensure all backup data is encrypted,</strong> immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.</li> </ul> <h3>Software Manufacturers</h3> <p>The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. 
Recognizing that insecure software is the root cause of the majority of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team):</p> <ul> <li><strong>Embed security into product architecture</strong> throughout the entire software development lifecycle (SDLC).</li> <li><strong>Mandate MFA, </strong><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA"><strong>ideally phishing-resistant</strong></a><strong> MFA, for privileged users</strong> and make MFA a default, rather than opt-in, feature.</li> </ul> <p>These mitigations align with tactics provided in the joint guide <a href="https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-Design-Software.pdf" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software</a>. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. 
By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.</p> <p>For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a> webpage.</p> <h2><strong>Validate Security Controls</strong></h2> <p>In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p> <p>To get started:</p> <ol> <li>Select an ATT&CK technique described in this advisory (see<strong> Table 18 – Table 23</strong>).</li> <li>Align your security technologies against the technique.</li> <li>Test your technologies against the technique.</li> <li>Analyze your detection and prevention technologies’ performance.</li> <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li> <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li> </ol> <p>The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p> <h2><strong>Resources</strong></h2> <ul> <li><a href="https://www.stopransomware.gov/" title="#StopRansomware">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li> <li>Resource to mitigate a ransomware attack: CISA-Multi-State 
Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.<br><strong>Note:</strong> The joint Ransomware Guide provides preparation, prevention, and mitigation best practices as well as a ransomware response checklist.</li> <li>No-cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services" title="Cyber Hygiene Services">Cyber Hygiene Services</a> and <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0" title="Ransomware Readiness Assessment">Ransomware Readiness Assessment</a>.</li> </ul> <h2><strong>Reporting</strong></h2> <p>Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.</p> <p>The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BlackSuit actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.</p> <p>Additional details of interest include: a targeted company point of contact, status, and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.</p> <p>The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (<a href="mailto:SayCISA@cisa.dhs.gov" title="Email CISA">SayCISA@cisa.dhs.gov</a> or by calling 1-844-Say-CISA (1-844-729-2472)).</p> <h2><strong>Disclaimer</strong></h2> <p>Your organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authoring agencies, it must do so consistent with applicable state and federal law.</p> <p>The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.</p> <h2><strong>Acknowledgements</strong></h2> <p>The DFIR Report contributed to this advisory.</p> <h2><strong>Version History</strong></h2> <p><strong>January 31, 2023:</strong> Initial Release (Royal Ransomware)<br><strong>November 13, 2023:</strong> First Update (Royal Ransomware)<br><strong>August 7, 2024:</strong> Updated title from “Royal Ransomware” to “BlackSuit Ransomware”; updates noted throughout.<br><strong>August 14, 2024:</strong> Updated STIX files<br><strong>August 19, 2024:</strong> Updated STIX files<br><strong>August 27, 2024:</strong> Updated STIX files</p> </div> </div> </div> <div class="l-constrain l-page-section--rich-text"> <div class="l-page-section__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p>This product is provided subject to this <a href="/notification" rel="nofollow noopener" target="_blank" title="Follow link">Notification</a> and this <a href="/privacy-policy" rel="nofollow noopener" target="_blank" title="Follow link">Privacy & Use</a> policy.</p></div></div> </div> </div> </div> <div class="l-full__footer"> <div class="l-page-section l-page-section--tags l-page-section--rich-text"> <div class="l-constrain"> <div class="l-page-section__content"> <h3>Tags</h3> <div class="c-field"> <strong>Audience</strong>: Educational Institutions </div> <div class="c-field"> <strong>Co-Sealers and Partners</strong>: Federal Bureau of Investigation </div> <div class="c-field"> <strong>MITRE ATT&CK TTP</strong>: Command and Control (TA0011), Defense Evasion (TA0005), Impact (TA0040), Initial Access (TA0001), Privilege Escalation (TA0004), Resource Development (TA0042) </div> <div class="c-field"> <strong>Sector</strong>: <a 
href="/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/communications-sector" hreflang="en">Communications Sector</a>, <a href="/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/critical-manufacturing-sector" hreflang="en">Critical Manufacturing Sector</a>, <a href="/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector" hreflang="en">Healthcare and Public Health Sector</a> </div> <div class="c-field"> <strong>Topics</strong>: <a href="/topics/cyber-threats-and-advisories">Cyber Threats and Advisories</a>, <a href="/topics/cyber-threats-and-advisories/incident-detection-response-and-prevention">Incident Detection, Response, and Prevention</a>, <a href="/topics/cyber-threats-and-advisories/malware-phishing-and-ransomware">Malware, Phishing, and Ransomware</a> </div> </div> </div> </div> <div class="l-constrain"> <div class="l-page-section--rich-text"> <div class="l-page-section__content"> <div class="c-product-survey l-page-section--tags l-page-section--rich-text"> <div class="c-product-survey__top-bar"></div> <div class="c-product-survey__content-area"> <div class="c-product-survey__icon"></div> <div class="c-product-survey__text-area"> <h2>Please share your thoughts</h2> <p>We recently updated our anonymous <a href="https://cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" target="_blank">product survey</a>; we’d welcome your feedback.</p> </div> </div> </div> </div> </div> </div> <div class="c-view c-view--detail-page-related-content c-view--display-block_2 view js-view-dom-id-ebaaf1cd2eee736c6ee03ef652034c217d7cb14c3cfbea82fbb8672afa3aa5b0 c-collection c-collection--blue c-collection--two-column"> <div class="l-constrain"> <div class="c-collection__row"> <div class="c-collection__content"> <h2 class="c-collection__title"><span 