{"id":364,"date":"2024-09-25T10:28:48","date_gmt":"2024-09-25T10:28:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=364"},"modified":"2024-09-25T10:28:48","modified_gmt":"2024-09-25T10:28:48","slug":"best-practices-for-preventing-blacksuit-ransomware-infections","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=364","title":{"rendered":"Best Practices for Preventing BlackSuit Ransomware Infections"},"content":{"rendered":"
\n
\n
\n
\n
\n

Are you confident that your security tools are foolproof? Think again. BlackSuit ransomware is exploiting overlooked vulnerabilities, slipping through defenses even in <\/span>53 well-protected organizations<\/span><\/a>. This isn\u2019t just another cyber threat\u2014it\u2019s a sophisticated adversary that rewrites the rules.<\/span>\u00a0<\/span><\/p>\n

Your firewalls, antivirus, and strict protocols might not be enough to stop it. BlackSuit is engineered to find gaps you didn\u2019t know existed, bypassing even advanced security postures. Are you truly prepared for what\u2019s coming?<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

What Is Blacksuit Ransomware?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

BlackSuit<\/span> ransomware is a type of malware variant designed to encrypt victim system files, <\/span>rendering<\/span> critical data breach. The attackers then demand a ransom in exchange for the decryption key, while some threat actors deploy a double extortion model, with ransomware threats of releasing the stolen data to the public if their demands are not met. The ransomware targets <\/span>mainly critical<\/span> sectors: <\/span>H<\/a><\/span>ealthcare<\/a>, <\/span>G<\/a><\/span>overnment<\/a>, <\/span>M<\/span>anufacturing, <\/span>E<\/span>ducation<\/span><\/a>, and <\/span>F<\/span>inance<\/span><\/a>, which has disastrous results in each of the sectors where disruptions have occurred.<\/span><\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Key Recommendations: CISA and FBI’s Latest Guidance<\/h3>\n<\/div>\n<\/div>\n
\n
\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tEmploy robust backup and recovery processes: Regularly back up data, keeping those backups disconnected from the main network.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tEnhance Segmenting of Networks: Segment the networks into smaller sections in order to contain the spread of ransomware.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tRegularly Update\/Patch Systems: Keep all software and systems current to close vulnerabilities.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tRegular Security Training: Employee training on how to identify phishing attacks, among other common attack vectors.<\/span><\/p><\/div>\n<\/div>\n

\n
\n

Is BlackSuit Ransomware a Rebrand of Another Group?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

BlackSuit<\/span> is believed to be a rebrand of the Royal <\/span>blacksuit<\/span> ransomware gang. Rebranding keeps ransomware groups out of the scrutiny of law enforcement agencies and their identity hidden. It also allows them to continue most of their malicious activities without being recognized by cybersecurity defenses so easily.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

What Are the Implications of This Rebranding for Cybersecurity Efforts?<\/h3>\n<\/div>\n<\/div>\n
\n
\n

The rebrand to BlackSuit hints at business as usual from the Royal group, for which readaptation of cybersecurity through updates in threat intelligence and monitoring for new indicators of compromise is required.<\/span>\u00a0<\/span><\/p>\n

The Royal ransomware group, operating now as BlackSuit, continued to target healthcare organizations. This ransomware attack encrypted an entire network of a hospital, which had to divert emergency patients to other facilities.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

How Blacksuit ransomware is different from other variants?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

BlackSuit<\/span> ransomware, while <\/span>similar to<\/span> other examples of ransomware variants in its primary function of encrypting files and demanding a ransom, <\/span>exhibits<\/span> several unique characteristics that set it apart:<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

\t\t\t\t\tFunctionBlacksuit RansomwareOther Variants\t\t\t\t<\/p>\n

\t\t\t\t\t1. Intermittent EncryptionEncrypts files in stages, only encrypting a portion at a time.Often encrypt files in a continuous manner.2. Partial EncryptionEncrypts only a part of each file, not the entire content.Typically encrypt the entire file. 3. Dual-Platform TargetingInfects both Windows and Linux systems.Primarily target Windows or Linux systems.4. Similarities to Royal RansomwareClosely related to the Royal ransomware family.May have different familial ties or be completely unrelated. 5. Evasion TechniquesEmploys techniques like intermittent and partial encryption to avoid detection.May use different evasion tactics, such as obfuscation or encryption of malicious code.6. Ransom NegotiationMay offer discounts or extended payment deadlines.May have different negotiation strategies or terms.7. Exfiltration of DataMay exfiltrate sensitive data<\/a> in addition to encrypting files. May or may not exfiltrate data.\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n

BlackSuit Ransomware Analysis<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Let\u2019s<\/span> see what <\/span>you need to know about this strain to pre<\/span>vent cyber attackers from gaining access to <\/span>your critical infrastructure.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

How does Blacksuit Ransomeware work?<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Here\u2019s<\/span> a breakdown of how <\/span>BlackSuit<\/span> ransomware <\/span>operates<\/span>:<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

1. Distribution<\/h4>\n

BlackSuit ransomware spreads through your several channels such as email attachments carrying viruses, torrent sites, ads with malware, and Trojan horses.<\/p>\n<\/div>\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

2. Execution<\/h4>\n

The ransomware starts encrypting your files after it gets into your system. It uses FindFirstFileW() and FindNextFileW() API functions to list all the files and folders on the computer. <\/p>\n<\/div>\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

3. Encryption<\/h4>\n

BlackSuit ransomware encrypts specific file types using a tough encryption method, like the Advanced Encryption Standard (AES). It changes the names of your encrypted files by adding “.blacksuit” at the end. <\/p>\n<\/div>\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

4. Ransom note<\/h4>\n

BlackSuit ransomware leaves a ransom note called “README.BlackSuit.txt” in every folder it goes through after encrypting your files. This note is how the attackers tell victims to pay money to get the decryption key.<\/p>\n<\/div>\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

5. Desktop wallpaper change<\/h4>\n

BlackSuit ransomware also changes the infected computer’s desktop background showing a message or picture about the ransomware attack.<\/p>\n<\/div>\n

<\/span>
\n <\/span>
\n <\/span><\/p>\n

\n
\n

\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n

6. Data loss and extortion<\/h4>\n

You can’t open or use the encrypted files without the decryption key. The attackers might say they’ll share or sell the stolen data if they don’t get paid.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
Stop Ransomware: Thwart Attackers with Fidelis<\/div>\n<\/div>\n<\/div>\n
\n
\n

Don\u2019t Let Ransomware Lock You Down with our advanced solutions<\/em><\/p>\n<\/div>\n<\/div>\n

\n
\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tReshape the Attack Surface<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tEnd-to-end Ransomware Protection<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tAutomate Detection and Response<\/span><\/p><\/div>\n<\/div>\n

\n
\n
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tDownload Now<\/span>
\n\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

How to identify if your system has been infected with BlackSuit ransomware?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

If any of these examples of ransomware attack symptoms are felt or noticed, it is highly needed to act immediately by isolating the compromised system from further lateral movement onto your network. Some blacksuit ransomware iocs include:<\/span>\u00a0<\/span><\/p>\n

File Extensions:<\/span> Encrypted files by <\/span>BlackSuit ransomware have the extension \u201c.black suit\u201d<\/strong><\/em> appended. A file named \u201cdocument.doc\u201d<\/strong><\/em> would become \u201cdocument.doc.black suit\u201d<\/strong><\/em>.<\/span>\u00a0<\/span>Ransom Note:<\/span> BlackSuit ransomware leaves a ransom note dubbed \u201cREADME.BlackSuit.txt\u201d<\/strong><\/em> in every directory containing encrypted files. This note explains the ransom demands, claiming your files are secured on some remote server.<\/span>\u00a0<\/span>Inaccessible Files:<\/span> If you cannot open or access your files, or they appear corrupted, <\/span>BlackSuit ransomware encryption might be the culprit.<\/span>\u00a0<\/span>Desktop Changes:<\/span> The ransomware might alter your desktop wallpaper with messages related to the attack, indicating system compromise.<\/span>\u00a0<\/span>Shadow Copy Deletion:<\/span> BlackSuit ransomware attempts to delete Volume Shadow Copies to hinder file recovery. Missing system restore points could be a sign of infection.<\/span>\u00a0<\/span>\u202f<\/span>Unusual Activity:<\/span> Monitor for abnormal network traffic or system behavior like unexpected file changes or unauthorized access attempts. These can indicate a ransomware infection.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

What are the latest BlackSuit Ransomware TTPs (Tactics, Techniques, and Procedures)?<\/h3>\n<\/div>\n<\/div>\n
\n
\n

1. Initial Access<\/h4>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tPhishing Emails:<\/strong> The most common method involves deceiving users into providing passwords or downloading malware.<\/span>\u00a0<\/span> RDP Compromise:<\/strong> The use of weak or stolen RDP credentials to gain unwanted access, which accounts for around 13.3% of initial access instances.<\/span> VPN Brute-Force Attack:<\/strong> Poorly configured VPN configurations allow brute-force attacks to get access using genuine credentials, demonstrating the importance of strong authentication.<\/span> Public-Facing Application Exploit:<\/strong> Exploiting vulnerabilities in internet-connected applications.<\/span> Initial Access Brokers:<\/strong> Collaborate with third-party sellers to provide access to infiltrated networks.<\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

2. Data Exfiltration and Double Extortion<\/h4>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tRemove sensitive data before spreading ransomware.<\/span>\u00a0<\/span> Threaten to disclose stolen material on leak sites unless the ransom is paid.<\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

3. Lateral Movement Tools<\/h3>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tRepurposing legitimate penetration testing tools like Cobalt Strike.<\/span>\u00a0<\/span>Utilizing tools like PsExec and Rubeus for lateral movement and privilege escalation.<\/span>\u00a0<\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

4. Disabling Security Measures<\/h4>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tDisabling antivirus software and other security tools to evade detection.<\/span><\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

5. Partial Encryption Technique<\/h4>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tEmploying a partial encryption approach to avoid detection and speed up encryption.<\/span><\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

6. Command and Control (C2) Communication<\/h4>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tCommunicating with their C2 infrastructure to download <\/span>additional<\/span> tools and <\/span>maintain<\/span> control.<\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

Victims and Data Leaks: The Toll of BlackSuit Ransomware<\/h2>\n<\/div>\n<\/div>\n
\n
\n

In the past year, <\/span>BlackSuit<\/span> has claimed dozens of victims and has leaked stolen data from attacks against 53 organizations; leaks which may include sensitive personal and financial information that could lead to further harm both for the affected people and organizations.<\/span><\/p>\n

Data Leak Consequences<\/span>\u00a0<\/span><\/p>\n

Public disclosure of stolen information further coerces blacksuit ransomware victims to pay the ransom. This might be attributed to reputational damage, financial loss, and even legal and regulatory repercussions.<\/span>\u00a0<\/span><\/p>\n

Of particular note, according to a recent report<\/span>,<\/span> an observed high for BlackSuit of about $18 million, with an average initial demand of about $2.5 million. The average ransom payment facilitated was around $500,000.<\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Extortion Tactics: How BlackSuit Ransomware Tightens Its Grip<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

What Extortion Tactics Does <\/span>BlackSuit<\/span> Ransomware Use?<\/span><\/span><\/strong><\/p>\n<\/div>\n<\/div>\n

\n
\n

BlackSuit<\/span> ransomware <\/span>operates<\/span> a multi-pronged extortion model: encrypting victim data, exfiltrating sensitive information of the victim, and hosting public data leak sites.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

How Does Encryption Impact the Victims?<\/span><\/span><\/strong><\/p>\n<\/div>\n<\/div>\n

\n
\n

Encryption <\/span>can <\/span>render<\/span> the <\/span>data <\/span>inaccessible<\/span>,<\/span> causing significant <\/span>operational disruptions<\/span> to <\/span>the <\/span>affected<\/span> company<\/span>.<\/span> This results in considerable downtime<\/span>, <\/span>leading <\/span>to<\/span> massive losses<\/span>.<\/span> Victims <\/span>are <\/span>often <\/span>compelled to<\/span> pay the ransom in hopes of recovering <\/span>critical<\/span> data.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

What Is the Role of Data Exfiltration in Their Strategy?<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n<\/div>\n<\/div>\n

\n
\n

Data exfiltration involves stealing sensitive information from the victim systems. Later, this is used to further increase pressure by using stolen data to coerce the victims into paying the ransom.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

How Do Public Data Leak Sites Contribute to Their Extortion Tactics?<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n<\/div>\n<\/div>\n

\n
\n

They publish stolen information on open data leak sites if the victims do not agree to their demands <\/span>on<\/span> ransom. This public exposure could also be worse for the victims\u2019 reputation and operations, further motivating them to pay the ransom.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Case Study: <\/span><\/span><\/strong><\/em><\/p>\n

In April 2024, a <\/span>BlackSuit<\/span> ransomware attack was detected, which started by performing <\/span>Kerberoasting<\/span>. This was a kind of post-exploitation attack technique intended to capture a password hash of an Active Directory account that <\/span>possesses<\/span> a Service Principal Name (\u201cSPN\u201d) within the environment contributed by a customer. The attack thus caused key systems to be encrypted and exfiltration of sensitive data. Poor asset inventory and poor endpoint visibility plagued the organization affected, and this has driven demands for better cybersecurity.<\/span><\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

How can organizations defend against Black suit Ransomware Attacks?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Here are some of the blacksuit ransomware best practices from infecting your systems:<\/span>\u00a0<\/span><\/p>\n

Back Up Your Data Often<\/span>: Save important files to external drives or cloud storage. Make sure these backups aren\u2019t always connected to your network to keep them safe during an attack. This lets you get your data back without paying if you get infected.<\/span> Keep Everything Up to Date:<\/span> Make sure your operating system, programs, and antivirus are current. Updates often fix security holes that ransomware uses. Turn on automatic updates to get important fixes right away.<\/span> Watch Your Network:<\/span> Use tools to check your network traffic for weird patterns or talks with known bad servers. Spotting threats can help you stop them.<\/span> Train Your Team:<\/span> Teach your employees about staying safe online, like how to spot fake emails and avoid clicking on sketchy links or files. Regular training cuts down on successful attacks a lot, since many infections start because of human mistakes.<\/span> Use Two-Factor Authentication (2FA):<\/span> Adding 2FA makes your system safer by making it harder for attackers to get in even if they have someone\u2019s login info.<\/span> Network Segmentation:<\/span> Break up networks to stop malware from spreading. Keeping critical systems apart from general access networks helps companies contain infections and stop widespread damage.<\/span> Endpoint Detection and Response (EDR):<\/span> Put EDR solutions in place to watch network traffic and spot odd behavior right away.<\/span> Care with Email Attachments and Links:<\/span> Stay alert when opening email attachments or clicking links from people you don\u2019t know. Scam emails often spread ransomware, including BlackSuit ransomware.<\/span> Check and Limit User Permissions:<\/span> Cut down user access to the systems and data they need for their jobs. This least privilege rule lowers the risk of ransomware spreading through hacked accounts.<\/span> Advanced Threat Detection Tools: <\/span>Use top-notch threat detection and response tools to spot unusual activity that might signal a ransomware attack. These tools can send alerts and help tackle threats before they get worse.<\/span> Create an Incident Response Plan:<\/span> Have a clear plan ready that spells out what to do if ransomware hits. This should cover steps like isolating infected systems restoring from backups and telling the right authorities.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

How Can You Secure Your RDP Connections to Prevent BlackSuit Access<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Here\u2019s<\/span> how to fortify your remote desktop protocol <\/span>rdp<\/span> against <\/span>BlackSuit<\/span> ransomware attacks:<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tConfigure a VPN and keep RDP traffic unexposed to the internet. Make sure to implement multi-factor authentication in your VPN configuration.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tUse MFA: Utilize multi-factor authentication for further verification of logins. This can be completed through TOTP, push notifications, or even hardware tokens.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tRestrict RDP Access: RDP should be allowed to connect from specific, trusted IP addresses only. One of the options is enforcing a whitelist-a connections permits from permitted devices or networks only.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tImplement Strong Passwords: Use strong, complex passwords that are updated regularly. Passwords should be at least 12 characters and contain a mix of uppercase and lowercase letters, numbers, and special characters.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tChange the Default RDP Port: Change the default RDP port to prevent automated scanning. The problem is that it is not supposed to be used as the only security measure, since attackers can find the service.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tRestrict User Access: Only allow RDP access to users who have an actual business need for it. Users must be granted access on a least privilege basis. Users who no longer require access should be removed from the list of users with permission for RDP access.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tAccount Lockout: Enable account lockout to prevent ransomware brute-force attacks. Set a reasonable number of failed login attempts before an account is temporarily locked.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tFirewalls and Intrusion Detection: Include a firewall and intrusion detection to monitor and react to particular network attacks. Stay ahead of firewall rules changes on a regular basis and review IDS alerts for unusual events.<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tKeep Regular Updates and Patches: Always have your system updated with the latest patches to each software. This secures your server against any vulnerability that might be attacked.<\/span><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Fidelis Solutions available to Detect Blacksuit Ransomware<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Fidelis Security provides a full set of tools to shield against many types of ransomware threats. By zeroing in on early detection quick action, and control, Fidelis tools help protect your network setup and devices from new attacks.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

Fidelis Network\u00ae<\/h3>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n

Fidelis\u2019 NDR solution gives a clear view of your network as it happens spotting odd behaviors that often go hand in hand with ransomware acts.<\/span><\/span><\/p>\n

Explore Fidelis\u2019 NDR Solution Features\u00a0<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

Fidelis Endpoint\u00ae<\/h3>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n

Fidelis\u2019 EDR solution keeps an eye on devices non-stop cutting off ransomware-infected machines and stopping <\/span>it<\/span> from spreading.<\/span><\/p>\n

Explore Fidelis\u2019 EDR Solution Features\u00a0<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

Fidelis Network Segmentation<\/h3>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n

Helps box in ransomware within your network keeping it in certain areas to cut down on damage.<\/span><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

Fidelis Advanced Threat Detection<\/h3>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n

Uses <\/span>machine learning <\/span>and behavior analysis to spot encryption tries and warn you about ransomware threats before they get worse.<\/span><\/p>\n

Explore Fidelis\u2019 Advance Threat Detection features<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Frequently Ask Questions<\/h2>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n

How does BlackSuit’s partial encryption approach help evade detection?<\/h3>\n<\/div>\n
Reduces the likelihood of sending off any traditional security alerts.<\/span>It lets ransomware act quite surreptitiously by the time it becomes too late.<\/span><\/div>\n<\/div>\n
\n
\n

What steps can I take to protect against phishing emails from BlackSuit?<\/h3>\n<\/div>\n
Install advanced email filtering solutions.<\/span>\u00a0<\/span>Carry out regular phishing awareness and training of the staff concerning security.<\/span>Apply multi-factor authentication for email accounts.<\/span>Make use of threat intelligence in order to stay updated about any new phishing techniques.<\/span><\/div>\n<\/div>\n
\n
\n

How do BlackSuit actors communicate with their command and control infrastructure?<\/h3>\n<\/div>\n
Encrypted Channels:<\/strong> Securely communicate with C2 infrastructure (e.g., SSH tunnels).<\/span>Legitimate Tools:<\/strong> Blend in with normal network traffic (e.g., remote monitoring and management software).<\/span>Penetration Testing Tools:<\/strong> Create backdoor, execute tasks (e.g., Cobalt Strike).<\/span>Malware Derivatives:<\/strong> Aggregate and transfer data (e.g., Ursnif, Gozi).<\/span>Anonymous Communication:<\/strong> Obscure origin, complicate tracking (e.g., U.S. IP addresses, onion sites like \u201cblacksuitmarket.onion\u201d).<\/span>Lateral Movement:<\/strong> Move within network, deploy tools (e.g., RDP, PsExec).<\/span><\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

The post Best Practices for Preventing BlackSuit Ransomware Infections<\/a> appeared first on Fidelis Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Are you confident that your security tools are foolproof? Think again. BlackSuit ransomware is exploiting overlooked vulnerabilities, slipping through defenses even in 53 well-protected organizations. This isn\u2019t just another cyber threat\u2014it\u2019s a sophisticated adversary that rewrites the rules.\u00a0 Your firewalls, antivirus, and strict protocols might not be enough to stop it. BlackSuit is engineered to […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-364","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/364"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=364"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/364\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}