BlackSuit attacks UPC Technology Corporation

Incident Date: April 16, 2024


Overview

Title: BlackSuit attacks UPC Technology Corporation

Victim: UPC Technology Corporation

Attacker: BlackSuit

Location: Taipei City, Taiwan

First Reported: April 16, 2024

The BlackSuit Ransomware Gang Targets UPC Technology Corporation

Background

The BlackSuit ransomware gang has recently attacked UPC Technology Corporation, a chemical company under the MiTAC-Synnex Group. The MiTAC-Synnex Group is a global conglomerate with various listed companies operating in sectors such as chemical and materials, information technologies, distribution and fulfillment, and system integration and mobile solutions.

BlackSuit Ransomware Group

BlackSuit is a newly emerged ransomware group that shares similarities with the Royal ransomware gang, which is considered the successor of the notorious Russian-linked Conti operation. Earlier reports covered the Windows and Linux variants of Royal; BlackSuit likewise targets both Windows and Linux systems.

Similarities with Royal Ransomware

YARA rules for the Linux variant of BlackSuit match samples of the Royal Linux variant, indicating a high degree of similarity between the two. According to the BinDiff comparison tool, Royal and BlackSuit share 98% similarity in function, 99.5% similarity in blocks, and 98.9% similarity in jumps.

Technical Details

While BlackSuit and Royal accept similar command-line arguments, the strings used for those arguments differ, and BlackSuit adds arguments that Royal does not have. For the 32-bit Windows variants of both families, researchers observed the same kind of similarity in functions, basic blocks, and jumps in BinDiff analysis.

Encryption Techniques

Both BlackSuit and Royal ransomware use OpenSSL's AES for encryption and employ comparable intermittent encryption techniques to quickly and effectively encrypt victim files. Once files are encrypted, BlackSuit appends the .blacksuit extension to them and presents a ransom note containing instructions for payment and a unique victim ID.
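The intermittent encryption and the .blacksuit extension described above give defenders two file-level signals to hunt for. The following is an added example, not code from the report or from any tracker: it scores each 4 KiB window of a file by Shannon entropy so that a file with interleaved encrypted and untouched regions stands out from a fully encrypted or untouched one, and it flags the extension on its own. The sample file names and contents are constructed, and the window size and entropy thresholds are assumptions to tune for your own data.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 4096   # bytes per entropy window (assumed; tune for your data)
HIGH = 7.5     # bits/byte at or above which a window looks encrypted
LOW = 6.0      # bits/byte at or below which a window looks like plaintext

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Verdict: 'intermittent' (mixed windows), 'full' (all encrypted-looking) or 'plain'."""
    ents = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    if not ents:
        return "plain"
    if all(e >= HIGH for e in ents):
        return "full"
    if any(e >= HIGH for e in ents) and any(e <= LOW for e in ents):
        return "intermittent"
    return "plain"

def scan_tree(root) -> dict:
    """Map each file under `root` to a verdict; the .blacksuit extension is an indicator by itself."""
    verdicts = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdicts[p.name] = "extension" if p.suffix == ".blacksuit" else classify(p.read_bytes())
    return verdicts
# Constructed sample content (not real ransomware output): deterministic pseudo-random
# bytes stand in for ciphertext, repeated text stands in for plaintext.
_CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(CHUNK // 32))
_PLAIN = (b"Quarterly formulation notes for line 3. " * 200)[:CHUNK]
SAMPLES = {
    "report.txt": _PLAIN * 4,                           # untouched file
    "notes.docx": _PLAIN + _CIPHER + _PLAIN + _CIPHER,  # intermittently encrypted
    "backup.bak": _CIPHER * 4,                          # fully encrypted
    "ledger.xlsx.blacksuit": _CIPHER * 2,               # renamed by the ransomware
}
def demo_scan() -> dict:
    """Write SAMPLES into a temporary directory, scan it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLES.items():
            Path(d, name).write_bytes(content)
        return scan_tree(d)
```

Archives, media and already-compressed files are high-entropy by nature and will score "full", so the interleaved pattern together with the extension is a more reliable signal than any single high-entropy window.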

Ransom Demands

BlackSuit threat actors follow a double extortion model, demanding payment for decrypting files and preventing the leak of stolen information. Victims are directed to a TOR chat site to communicate with the ransomware operators and facilitate the payment process.
