BlackSuit Ransomware Hits AXIA Ventures Group, Exposing Financial Data Vulnerabilities

Incident Date: June 25, 2024

Overview

Victim: AXIA Ventures Group LTD

Attacker: BlackSuit

Location: Nicosia, Cyprus

First Reported: June 25, 2024

Ransomware Attack on AXIA Ventures Group LTD by BlackSuit

Overview of AXIA Ventures Group LTD

AXIA Ventures Group LTD is a leading regional investment banking group headquartered in Nicosia, Cyprus. The company provides a range of financial services primarily focused on the Southeastern European and Eastern Mediterranean regions. AXIA operates additional offices in Greece, Portugal, and the United States. The firm offers corporate finance advisory, equity research, sales and trading services, and asset management. AXIA Ventures Group LTD is known for its deep understanding of regional markets and its commitment to delivering innovative financial solutions.

Company Size and Industry Standing

Founded in 2008, AXIA Ventures Group LTD has grown to employ 57 people and reported an annual revenue of $16.4 million in 2023. The company is regulated by the Cyprus Securities and Exchange Commission and is fully licensed to provide financial advisory services in various financial markets globally. AXIA's entrepreneurial ethos and close industry ties distinguish it from other advisors in the region.

Vulnerabilities and Targeting by Threat Actors

As a prominent player in the finance sector, AXIA Ventures Group LTD is an attractive target for cybercriminals. The company's extensive involvement in corporate finance advisory, capital raising, and asset management makes it a repository of sensitive financial data. This, coupled with its international operations, increases its exposure to cyber threats. The ransomware attack by BlackSuit underscores the vulnerabilities inherent in handling large volumes of confidential financial information.

Details of the Ransomware Attack

The ransomware attack on AXIA Ventures Group LTD was discovered on June 26, 2024. The BlackSuit ransomware group claimed responsibility for the attack via their dark web leak site. The extent of the data leak resulting from the attack remains unknown. The attack has raised significant concerns about the security measures in place at AXIA Ventures Group LTD and the potential impact on its clients and operations.

Profile of the BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. BlackSuit appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note includes a reference to a Tor chat site for victim communication.
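The two file-system artifacts named above (the .blacksuit extension and the README.BlackSuit.txt note) are enough for a first-pass triage of a mounted share or disk image. The following Python sketch is an added example, not part of the original report or of any vendor tooling; the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Indicators stated in the profile above; matched case-insensitively.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"


def triage(root):
    """Map each affected directory (relative to root) to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        names = [f.lower() for f in files]
        note = RANSOM_NOTE in names
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        if note or encrypted:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = {"note": note, "encrypted": encrypted}
    return hits


def classify(entry):
    """Note plus renamed files means encryption ran in that directory.
    A note alone or renamed files alone is weaker evidence to review
    (interrupted run, cleanup, or an unrelated file with that name)."""
    if entry["note"] and entry["encrypted"]:
        return "encrypted"
    return "note-only" if entry["note"] else "files-only"


def demo():
    """Build a constructed sample tree and return {directory: verdict}."""
    sample = {  # constructed file names, not from a real incident
        "finance": ["q2.xlsx.blacksuit", "ledger.db.BLACKSUIT", "README.BlackSuit.txt"],
        "hr": ["readme.blacksuit.TXT"],
        "vm/datastore1": ["web01.vmdk.blacksuit"],
        "public": ["README.txt", "blacksuit-advisory.pdf"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, files in sample.items():
            os.makedirs(os.path.join(root, folder))
            for name in files:
                open(os.path.join(root, folder, name), "w").close()
        return {d: classify(e) for d, e in triage(root).items()}


if __name__ == "__main__":
    for directory, verdict in sorted(demo().items()):
        print(f"{verdict:10} {directory}")
```

Run it against a read-only mount or a forensic copy rather than the live system, so that the walk does not alter timestamps on evidence.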

Distinguishing Features of BlackSuit

BlackSuit ransomware exhibits significant similarities to Royal ransomware, with a 98% similarity in functions and 99.5% similarity in code blocks. This high degree of similarity suggests that BlackSuit may be a new variant developed by the same authors as Royal, a copycat using similar code, or an affiliate of the Royal ransomware gang. The emergence of BlackSuit indicates that the threat actors behind Royal have inspired other cybercriminals to develop similar ransomware families.

Potential Penetration Methods

While the exact method of penetration in the AXIA Ventures Group LTD attack is not publicly disclosed, common vectors for ransomware attacks include phishing emails, exploiting unpatched software vulnerabilities, and compromising remote desktop protocol (RDP) services. Given BlackSuit's ability to target both Windows and Linux systems, including critical VMware ESXi infrastructure, it is likely that the attackers exploited a combination of these methods to infiltrate AXIA's systems.
