MorningStar Senior Living Hit by BlackSuit Ransomware Attack

Incident Date:

August 31, 2024

World map

Overview

Title

MorningStar Senior Living Hit by BlackSuit Ransomware Attack

Victim

MorningStar Senior Living

Attacker

Black Suit

Location

Hayward, USA

California, USA

First Reported

August 31, 2024

Ransomware Attack on MorningStar Senior Living by BlackSuit

MorningStar Senior Living, a prominent provider of senior living solutions in the United States, has fallen victim to a ransomware attack orchestrated by the cybercriminal group known as BlackSuit. The attack has compromised critical directories and files within the company's network, affecting various departments including HR, management, finance, and IT.

About MorningStar Senior Living

Founded in 2003 by Ken Jaeger, MorningStar Senior Living operates over 40 communities across 11 states, offering services such as independent living, assisted living, memory care, and respite care. The company is headquartered in Denver, Colorado, and generates an estimated annual revenue of $52.7 million. MorningStar is known for its mission-driven approach, emphasizing values such as honoring God, valuing all seniors, and investing generously. The organization prides itself on creating warm, family-like environments for its residents.

Attack Overview

The ransomware attack was detected on July 16, with unauthorized access to multiple directories including "All Company," "HR Team," "Management," "Finance," and "Marketing Branding." The attack has also affected the company's website, morningstarseniorliving.com, and potentially disrupted their communication channels. Sensitive information and operational data have been exposed, prompting immediate steps to mitigate the damage and secure the network.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note includes a reference to a Tor chat site for victims to contact the operators. Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit could be a new variant developed by the same authors or an affiliate of the Royal ransomware gang.

Vulnerabilities and Penetration

MorningStar Senior Living's extensive network and the sensitive nature of its data make it a prime target for ransomware attacks. The company's reliance on digital systems for managing resident care, financial transactions, and internal communications presents multiple entry points for cybercriminals. The exact method of penetration by BlackSuit remains unclear, but it likely involved exploiting vulnerabilities in the company's IT infrastructure, possibly through phishing attacks or unpatched software.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.