BlackSuit attacks Octapharma Plasma
Incident Date:
April 24, 2024
Overview
Title
BlackSuit attacks Octapharma Plasma
Victim
Octapharma Plasma
Attacker
Black Suit
Location
First Reported
April 24, 2024
The BlackSuit Ransomware Gang Strikes Octapharma Plasma
Attack Details
The BlackSuit ransomware gang has allegedly attacked Octapharma Plasma and exfiltrated a wealth of data, including data of donors, laboratory data, employee data, and financial/business data. The company was forced to shut down over 150 of its centers late last week. Octapharma Plasma collects, tests and supplies human blood plasma for manufacture into life-saving therapies. It operates more than 190 donation centres in 35 states.
BlackSuit Ransomware Group
BlackSuit is a recently emerged ransomware group and strain that bears a striking resemblance to the Royal ransomware gang, the successor of the infamous Russian-linked Conti operation. Previous reports have been made on the Windows and Linux variants of Royal. Similar to Royal, BlackSuit is known for targeting both Windows and Linux systems. The YARA rules for the Linux variant of BlackSuit also match samples of the Royal Linux variant.
Similarities with Royal Ransomware
It has been stated that Royal and BlackSuit share 98% similarity in function, 99.5% similarity in blocks, and 98.9% similarity in jumps based on the BinDiff comparison tool. Although BlackSuit utilizes command line arguments that function similarly to those used by Royal, the strings employed in the arguments differ. Moreover, BlackSuit uses extra arguments that are not present in Royal ransomware.
Comparison of Windows Variants
Regarding the 32-bit Windows variants of BlackSuit and Royal ransomware families, researchers noted 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% in jumps based on BinDiff. While BlackSuit and Royal Windows variants use different argument strings, the purposes of these arguments are similar. Both BlackSuit and Royal utilize OpenSSL's AES for encryption and leverage comparable intermittent encryption techniques for fast and efficient encryption of victim files.
Ransom Note and Demands
Once the files are encrypted on a victim machine, BlackSuit appends the .blacksuit extension to encrypted files and presents its ransom note. The ransom note contains the ransomware's TOR chat site and a unique ID for each affected victim. BlackSuit threat actors employ a leaks site and a double extortion model, demanding ransom for unlocking files and not leaking stolen information.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.