The BlackSuit Ransomware Gang Targets UPC Technology Corporation

Background

The BlackSuit ransomware gang has recently attacked UPC Technology Corporation, a chemical company under the MiTAC-Synnex Group. The MiTAC-Synnex Group is a global conglomerate with various listed companies operating in sectors such as chemical and materials, information technologies, distribution and fulfillment, and system integration and mobile solutions.

BlackSuit Ransomware Group

BlackSuit is a newly emerged ransomware group that shares similarities with the Royal ransomware gang, which is considered the successor of the notorious Russian-linked Conti operation. Previous reports have focused on the Windows and Linux variants of Royal, with BlackSuit now targeting both Windows and Linux systems.

Similarities with Royal Ransomware

YARA rules for the Linux variant of BlackSuit match samples of the Royal Linux variant, indicating a high degree of similarity between the two. According to the BinDiff comparison tool, Royal and BlackSuit share 98% similarity in function, 99.5% similarity in blocks, and 98.9% similarity in jumps.

Technical Details

While BlackSuit and Royal utilize similar command line arguments, the strings used in these arguments differ. BlackSuit also incorporates additional arguments not found in Royal ransomware. For the 32-bit Windows variants of both ransomware families, researchers have observed similarities in functions, basic blocks, and jumps based on BinDiff analysis.

Encryption Techniques

Both BlackSuit and Royal ransomware use OpenSSL's AES for encryption and employ comparable intermittent encryption techniques to quickly and effectively encrypt victim files. Once files are encrypted, BlackSuit appends the .blacksuit extension to them and presents a ransom note containing instructions for payment and a unique victim ID.

Ransom Demands

BlackSuit threat actors follow a double extortion model, demanding payment for decrypting files and preventing the leak of stolen information. Victims are directed to a TOR chat site to communicate with the ransomware operators and facilitate the payment process.