Dirty App: BlackSuit Ransomware – How To Remove
BlackSuit ransomware emerged as a significant threat in the cybersecurity landscape between September 2022 and June 2023, sharing many characteristics with Royal ransomware but demonstrating enhanced capabilities. This malware not only encrypts your files but also exfiltrates data, extorts victims, and publishes sensitive information on a leak site if the ransom is not paid.
How BlackSuit Ransomware Operates
BlackSuit employs a double-extortion tactic, where it first steals your data and threatens to release it publicly before encrypting your files. Victims are initially compromised through phishing emails, one of the most common methods used by BlackSuit actors. Once they gain access, they disable antivirus software and begin exfiltrating large volumes of data. After completing these steps, the ransomware is deployed, locking your files behind the “.blacksuit” extension.
Ransom demands from BlackSuit actors are steep, typically ranging between $1 million and $10 million, with the largest demand recorded at $60 million. Payment is demanded in Bitcoin, and negotiations take place via a .onion URL supplied after encryption, reachable only through the Tor browser. Victims have also reported follow-up contact from the threat actors by phone or email, adding another layer of pressure.
BlackSuit Ransomware: Technical Details
The malware’s encryption process is particularly insidious due to its partial encryption technique, which allows the attacker to selectively encrypt portions of larger files, making it harder to detect and speeding up the process. Once inside a network, BlackSuit communicates with its command and control infrastructure using legitimate tools repurposed by the attackers, such as PuTTY and OpenSSH.
Indicators of Compromise (IOC)
BlackSuit leaves specific indicators of compromise (IOCs) in infected systems, including the creation of new admin users, deletion of shadow copies via the Windows Volume Shadow Copy service, and the removal of event logs to cover its tracks. It also plants malicious files in directories like C:\Temp\ and C:\ProgramData, and uses legitimate software to maintain persistence and control over the infected network.
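The indicators listed above can be turned into a simple triage check. The following Python script is an added example, not part of the original article: it scans exported log lines in a constructed `source|event_id|message` format for new local users that are then added to Administrators, shadow-copy deletion through the VSS tooling, audit-log clearing, drops into C:\Temp\ or C:\ProgramData, and files carrying the .blacksuit extension. The event IDs used (Security 4720, 4732, 1102; Sysmon 1, 11) are the standard Windows and Sysmon IDs; the sample lines are constructed for the example and are not from any real incident.

```python
import re
from collections import defaultdict

# Constructed sample export in "source|event_id|message" form (not real incident logs).
SAMPLE_LOGS = [
    "Security|4720|A user account was created. Target Account Name: svc_backup2",
    "Security|4732|A member was added to a security-enabled local group. Group: Administrators Member: svc_backup2",
    "Sysmon|1|Process Create: C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "Sysmon|11|File created: C:\\ProgramData\\update.exe",
    "Sysmon|11|File created: C:\\Users\\alice\\Documents\\report.docx.blacksuit",
    "Security|1102|The audit log was cleared.",
    "Sysmon|1|Process Create: C:\\Program Files\\Notepad++\\notepad++.exe",  # benign noise
    "malformed line without separators",
]

# indicator name -> (event source, event id, regex applied to the message).
# Assumption: the export uses standard Windows Security / Sysmon event IDs.
RULES = {
    "new_local_user": ("Security", "4720", re.compile(r"A user account was created")),
    "added_to_administrators": ("Security", "4732", re.compile(r"Group:\s*Administrators\b")),
    "shadow_copy_deletion": ("Sysmon", "1", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    "event_log_cleared": ("Security", "1102", re.compile(r"audit log was cleared", re.I)),
    "drop_in_staging_dir": ("Sysmon", "11", re.compile(r"C:\\(Temp|ProgramData)\\", re.I)),
    "blacksuit_extension": ("Sysmon", "11", re.compile(r"\.blacksuit$", re.I)),
}

def parse(line):
    """Split one 'source|event_id|message' line; return None for malformed input."""
    parts = line.split("|", 2)
    return tuple(parts) if len(parts) == 3 else None

def scan(lines):
    """Return {indicator_name: [matching message, ...]} for the IOCs described in the article."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not fit the export format
        source, event_id, message = rec
        for name, (src, eid, pattern) in RULES.items():
            if source == src and event_id == eid and pattern.search(message):
                hits[name].append(message)
    return dict(hits)

def privileged_users_created(hits):
    """Correlate 4720 and 4732: accounts that were created and then added to Administrators."""
    created = {m.split("Target Account Name:")[-1].strip() for m in hits.get("new_local_user", [])}
    elevated = {m.split("Member:")[-1].strip() for m in hits.get("added_to_administrators", [])}
    return sorted(created & elevated)

if __name__ == "__main__":
    result = scan(SAMPLE_LOGS)
    for name, msgs in result.items():
        print(f"[{name}] {len(msgs)} hit(s)")
    print("newly created admin accounts:", privileged_users_created(result))
```

Any single hit deserves a look, but the combination of a freshly created admin account, shadow-copy deletion and a cleared audit log within a short window is the pattern that should trigger an incident rather than a ticket.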
How to Remove BlackSuit Ransomware
If your system has been infected by BlackSuit, immediate action is crucial to prevent further damage. Use a reputable anti-malware tool to scan for and remove the ransomware. Unfortunately, recovering your files without paying is rarely possible unless a decryption tool has been published or you have backups of your data. Paying the ransom is still not recommended because of the high risk of being scammed—many victims report never receiving the decryption tools even after payment.
Preventing Future Ransomware Infections
To protect yourself from BlackSuit and other ransomware threats, follow these best practices:
- Download software only from legitimate sources – Avoid free file-hosting sites and suspicious websites.
- Beware of phishing emails – Always verify the sender’s identity before opening attachments or clicking on links.
- Keep your software updated – Regularly update your operating system and installed programs.
- Use reputable antivirus software – Perform regular scans to detect and eliminate potential threats.
- Back up your data – Regular backups can save you from losing critical information if your files are encrypted.