uTalk

Official forum for Utopia Community


#1 2023-06-03 23:18:03

thrive
Member
Registered: 2023-01-04
Posts: 1,974

Striking similarities between new Linux ransomware strain BlackSuit

Significant similarities between a new ransomware family called Royal and BlackSuit have been discovered through analysis of the Linux version of the latter.

An "extremely high degree of similarity" was found between Royal and BlackSuit, according to Trend Micro, which examined an x64 VMware ESXi version aimed at Linux machines.

In reality, according to Trend Micro researchers, "they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files."

Based on BinDiff, a comparison of the Windows artifacts revealed a 93.2% similarity in functions, a 99.3% similarity in basic blocks, and a 98.4% similarity in jumps.

BlackSuit first came to light in early May 2023 when Palo Alto Networks Unit 42 drew attention to its capacity to target both Windows and Linux hosts.

Similar to other ransomware organizations, it uses a double extortion scheme in which, in exchange for money, it steals and encrypts private information from a network that has been compromised. On its dark web leak site, information related to just one victim is listed.

According to the most recent Trend Micro research, BlackSuit and Royal both use OpenSSL's AES encryption and employ similar intermittent encryption techniques to speed up the encryption process.

Despite the overlaps, BlackSuit uses more command-line options and stays away from a different list of files with particular extensions when enumerating and encrypting data.

The emergence of BlackSuit ransomware (with its resemblances to Royal) "indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family," Trend Micro said.

It's also possible that "BlackSuit emerged from a splinter group within the original Royal ransomware gang," according to the cybersecurity firm, given that Royal is an offshoot of the former Conti team.

The development serves as yet another reminder of the ransomware ecosystem's ongoing flux, even as new threat actors appear to modify the tools already in use and make illegal gains.

This includes a brand-new ransomware-as-a-service (RaaS) project known as NoEscape, which, according to Cyble, enables its operators and affiliates to use triple extortion techniques to increase the impact of a successful attack.

Triple extortion is a three-pronged strategy that combines data exfiltration, encryption, and distributed denial-of-service (DDoS) attacks against the targets in an effort to interfere with their operations and pressure them into paying the ransom.

According to Cyble, the DDoS service costs an additional $500,000, but the operators impose restrictions that prevent affiliates from attacking targets in the Commonwealth of Independent States (CIS) nations.

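The intermittent encryption mentioned above (encrypting only some blocks of each file to finish faster) leaves a recognisable fingerprint for forensic triage: encrypted chunks show near-maximal byte entropy while untouched chunks keep the entropy of the original content. The following is an added example, not code from the post or from Trend Micro, that classifies a file by per-chunk entropy; the chunk size and thresholds are assumptions, and the sample files are constructed in the script.

```python
import math
import random

CHUNK = 4096  # assumed analysis chunk size; real samples use various strides

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropies(blob: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk of the file."""
    return [shannon_entropy(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]

def classify(blob: bytes, chunk: int = CHUNK, high: float = 7.5, low: float = 6.0):
    """Return (label, pattern). Pattern marks each chunk H (encrypted-looking),
    L (plaintext-looking) or ? (ambiguous). 'full' = every chunk high entropy,
    'partial' = high and low chunks mixed (what intermittent encryption produces),
    'plain' = nothing looks encrypted."""
    ents = chunk_entropies(blob, chunk)
    if not ents:
        return "empty", ""
    pattern = "".join("H" if e >= high else "L" if e <= low else "?" for e in ents)
    if all(c == "H" for c in pattern):
        return "full", pattern
    if "H" in pattern and "L" in pattern:
        return "partial", pattern
    return "plain", pattern

# Constructed sample data (not real ransomware artifacts).
PLAIN_CHUNK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK]
_rng = random.Random(7)
RANDOM_CHUNK = bytes(_rng.getrandbits(8) for _ in range(CHUNK))  # stands in for AES output

def build_sample(layout: str) -> bytes:
    """'P' = plaintext chunk, 'E' = encrypted-looking chunk, e.g. 'EPEP'."""
    return b"".join(PLAIN_CHUNK if c == "P" else RANDOM_CHUNK for c in layout)

if __name__ == "__main__":
    for layout in ("PPPPPP", "EEEEEE", "EPEPEP", "EPPPPP"):
        label, pattern = classify(build_sample(layout))
        print(f"{layout}: {label} ({pattern})")
```

Against a real filesystem the same routine would be run over each file and the proportion of `partial` results compared with a baseline, since compressed or already-encrypted formats legitimately produce high-entropy chunks.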

#2 2023-06-05 19:38:07

crpuusd
Member
From: Blockchain
Registered: 2022-12-13
Posts: 1,586

Re: Striking similarities between new Linux ransomware strain BlackSuit


It almost looks like a copyright, and the DDoS is freaking expensive and efficient. I would like to learn more by asking more questions on this if you permit.

Last edited by crpuusd (2023-06-05 19:40:27)

