Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- Thunderbolt flaws affect millions of computers – even locking unattended devices won’t help
May 11, 2020
A Dutch researcher has detailed nine attack scenarios that work against all computers with Thunderbolt shipped since 2011 and which allow an attacker with physical access to quickly steal data from encrypted drives and memory. Researcher Björn Ruytenberg detailed the so-called Thunderspy attacks in a report published on Sunday, warning that the attacks work even when users ...
- North Korean hackers infect real 2FA app to compromise Macs
May 9, 2020
Hackers have hidden malware in a legitimate two-factor authentication (2FA) app for macOS to distribute Dacls, a remote access trojan associated with the North Korean Lazarus group. Dacls has been used to target Windows and Linux platforms and the recently discovered RAT variant for macOS borrows from them much of the functionality and code. The threat actor planted the ...
- A hacker group is selling more than 73 million user records on the dark web
May 9, 2020
A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products. The hackers ardarke the same group who breached last week Tokopedia, Indonesia’s largest online store. Hackers initially leaked 15 million user records online, for free, but ...
- Threat Brief: Maze Ransomware Activities
May 8, 2020
Since the beginning of the calendar year, Palo Alto Networks has detected an uptick in Maze ransomware samples across multiple industries. As a result, we’ve created this general threat assessment post on the Maze ransomware activities and a full visualization of these techniques can be viewed in the Unit 42 Playbook Viewer. Maze ransomware, a variant of ChaCha ...
- Naikon’s Aria
May 8, 2020
Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This ...
- SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
May 7, 2020
Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in Business Email Compromise (BEC) activities under the name SilverTerrier. Over the past 90 days (Jan. 30 – Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed ...