Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- APT33 Mounts Focused, Highly Targeted Botnet Attacks Against U.S. Victims
November 14, 2019
The Iran-linked, espionage-focused advanced threat group known as APT33 has been spotted using more than a dozen obfuscated botnets to carry out narrowly targeted attacks against government and academic targets in the Middle East, the U.S. and Asia. Each botnet, linked to its own command-and-control (C2) server, comprises a small group of up to a dozen ...
- DDoS Attacks That Employ TCP Amplification Cause Network Congestion, Secondary Outages
November 14, 2019
Over the past month, threat actors have been using a relatively non-conventional approach to mount a flurry of distributed denial-of-service (DDoS) attacks: through TCP amplification. Security company Radware shared its observations on multiple campaigns involving Transmission Control Protocol (TCP) reflection attacks, specifically SYN-ACK reflection attacks, against companies across the world. The scope of the impact was ...
- McAfee antivirus software impacted by code execution vulnerability
November 12, 2019
Researchers have revealed a serious code execution vulnerability impacting all editions of McAfee software. On Tuesday, the SafeBreach Labs cybersecurity team said that CVE-2019-3648 can be used to bypass McAfee’s self-defense mechanisms, potentially leading to further attacks on a compromised system. The vulnerability exists due to a failure to validate whether or not loading DLLs have been signed, and a path ...
- Emotet resurgence packs in new binaries, Trickbot functions
November 6, 2019
Emotet, a Banking Trojan turned devastating modular threat, has returned with upgraded functions in a new wave of attacks. The malware, first discovered in 2014, has evolved over the past few years from a relatively basic, singular threat into a customizable modular package used to deploy additional payloads against financial institutions, the enterprise, and consumers worldwide. Emotet, believed to ...
- Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak
November 5, 2019
In 2017, a mysterious group of hackers known as the Shadow Brokers published online a data dump called “Lost in Translation.” The data dump — believed to have been obtained from the US National Security Agency (NSA) — contained a collection of exploits and hacking tools, including the now-infamous EternalBlue, the exploit that provided the steam ...
- Buran Ransomware; the Evolution of VegaLocker
November 5, 2019
McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware families ...