Healthcare Under Siege: The Rise of BlackSuit Ransomware
- From Brute Force to Data Leaks — Unmasking Their Tactics and Ties
Out of the dark web, a new and formidable group of cyber criminals has emerged and is creating havoc within the healthcare industry. BlackSuit first surfaced in April 2023, demonstrating its extortion capabilities by encrypting and exfiltrating data and hosting public data leak sites, and threatening to publish victims’ data if BlackSuit’s demands were not met.
The Health Sector Cybersecurity Coordination Center (HC3) reported last November that BlackSuit would be a “credible threat” to the healthcare industry. Still, they are known to target other industries, such as business technology and manufacturing, as well as the government sectors. This group is known to have ties to other cybercrime organizations, such as Royal and Conti ransomware.
This shadowy organization is a private ransomware operation. Its operators are likely to be experienced because of their ties to other criminal groups, such as Conti and Royal, which are known for skilled operators and have run polished operations for a long time.
BlackSuit has been operating since the spring of 2023 and has hurt the healthcare industry. It uses a double extortion method, first encrypting data and then exfiltrating it, and threatens to release the data if the ransom is not paid. As of last month, BlackSuit has been suspected of launching attacks against a radiology service provider that provides scanning and radiology services for over one thousand hospitals and healthcare systems. Patients were turned away as hospitals were forced to shut down systems, significantly disrupting valuable services.
Healthcare organizations are advised to harden their cybersecurity stance. Preparation for ransomware attacks should be a regular feature of any cybersecurity defense methodology, and security protocols should be reviewed and updated on a schedule.
The Japanese media giant Kadokawa was the victim of a massive data leak after a ransomware attack crippled its systems. Stolen data included contract information, all employees’ personal information, and business partners’ information. BlackSuit accessed 1.5 TB of Kadokawa’s data and published some of it while threatening to release more if the ransom was not paid. Kadokawa has neither confirmed nor denied paying the ransom. The attack occurred in June and targeted servers in the data center. The video posting site Niconico, one of the largest in the country, had to shut down its live streaming services.
This group’s attack method is nothing new. They used brute force to try various passwords and key combinations. Once inside, they used lateral movement to reach other systems and find more valuable data. The attackers used PsExec, a legitimate Windows tool, to move laterally in the network; it allowed them to execute commands on other systems within the network. Data was then exfiltrated to external locations over the File Transfer Protocol (FTP).
Organizations should implement secure offsite backups, keep systems patched, and implement network segmentation and multifactor authentication. Another part of mitigation should be employee education. Uneducated employees, through phishing emails and social engineering, provide a large doorway for ransomware cybercriminals. Mitigating Kerberoasting (in which an attacker requests service tickets and cracks them offline to recover service account passwords) is simple. Strong password policies, service account management, and monitoring to detect abnormal Kerberos ticket requests are but a few of the steps you can take for a safer environment against cyber attacks.
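The abnormal-ticket-request monitoring mentioned above, as an added example that is not from the article or from any vendor product: it scans constructed Windows Security event 4769 records and flags any account that requests RC4-encrypted service tickets for many distinct services inside a short window, a common Kerberoasting pattern. The field names, thresholds and sample records are assumptions.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Assumptions (not from the article): events are pre-parsed into dicts with
the 4769 fields TargetUserName, ServiceName and TicketEncryptionType plus a
UTC timestamp; the thresholds below are illustrative, not tuned values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # legacy ticket encryption type, a classic detection signal
MAX_DISTINCT_SPNS = 5      # distinct services per requester in one window
WINDOW = timedelta(minutes=5)

# Constructed sample log: one normal user, one account sweeping many services
# with RC4 tickets in a few seconds.
SAMPLE_EVENTS = [
    {"time": "2024-06-10T09:00:01", "user": "alice", "service": "CIFS/fs01", "etype": "0x12"},
    {"time": "2024-06-10T09:03:10", "user": "alice", "service": "HTTP/intranet", "etype": "0x12"},
    {"time": "2024-06-10T09:10:00", "user": "svc-scan", "service": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"time": "2024-06-10T09:10:01", "user": "svc-scan", "service": "MSSQLSvc/db02:1433", "etype": "0x17"},
    {"time": "2024-06-10T09:10:01", "user": "svc-scan", "service": "HTTP/sharepoint", "etype": "0x17"},
    {"time": "2024-06-10T09:10:02", "user": "svc-scan", "service": "HTTP/intranet", "etype": "0x17"},
    {"time": "2024-06-10T09:10:02", "user": "svc-scan", "service": "CIFS/fs01", "etype": "0x17"},
    {"time": "2024-06-10T09:10:03", "user": "svc-scan", "service": "TERMSRV/jump01", "etype": "0x17"},
]

def find_kerberoast_bursts(events, window=WINDOW, max_spns=MAX_DISTINCT_SPNS):
    """Return {user: sorted SPNs} for requesters that asked for more than
    `max_spns` distinct RC4 service tickets inside any `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["etype"].lower() == RC4_HMAC:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end, (t, _) in enumerate(reqs):
            while t - reqs[start][0] > window:   # slide the window forward
                start += 1
            spns = {s for _, s in reqs[start:end + 1]}
            if len(spns) > max_spns:
                alerts[user] = sorted(spns)
                break
    return alerts

if __name__ == "__main__":
    for user, spns in find_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(spns)} RC4 service tickets: {', '.join(spns)}")
```

In production the same logic would read 4769 events from a SIEM or the Security log and tune the window and SPN count to the environment's baseline.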