Ransomware Attack on Custom Fabrication Leader SBI by BlackSuit

Incident Date:

August 19, 2024


Overview

Title: Ransomware Attack on Custom Fabrication Leader SBI by BlackSuit
Victim: SBI Bandier
Attacker: BlackSuit
Location: Secaucus, New Jersey, USA
First Reported: August 19, 2024

Ransomware Attack on SBI by BlackSuit

The ransomware group BlackSuit has claimed responsibility for a cyberattack on SBI, a prominent provider of custom fabrication and logistics solutions operating under the brand name "WE ARE SBI." The attack was announced on BlackSuit's dark web leak site, where the group threatened to release sensitive data if its demands were not met within 48 hours.

About SBI

SBI, officially registered as Siegfried's Basement LLC, is a leading company in the construction sector, specializing in custom fabrication and logistics solutions. They cater to various industries, including commercial, retail, hospitality, and luxury brands. The company collaborates with production companies, marketing agencies, general contractors, construction managers, architects, and interior designers. Their services range from creating experiential environments and brand activations to producing custom millwork and bespoke architectural interiors.

SBI employs between 11 and 50 people and operates primarily from two locations: Secaucus, New Jersey, and the Miami/Fort Lauderdale area in Florida. Its annual revenue is estimated at between $1 million and $5 million. What sets SBI apart is its integrated approach to design and fabrication, combining advanced digital tools with traditional craftsmanship to optimize production, reduce waste, and meet tight deadlines without compromising quality.

Attack Overview

The ransomware attack on SBI has compromised critical business information, including contracts, contacts, planning documents, and presentations. Sensitive employee data, such as passports, contracts, contacts, and financial details, has also been breached. Financial data, including audits, reports, payments, and contracts, is at risk of being exposed as well. The release of this information could have severe implications for SBI's operations, employee privacy, and financial stability.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note includes a reference to a Tor chat site where victims can contact the operators.
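The two file-system indicators named above, the .blacksuit extension on encrypted files and a README.BlackSuit.txt note in each affected directory, are simple to sweep for during triage. The following Python script is an added example for this page, not code from Recent Ransomware Attacks or from any of the sources it cites; the function names (scan_for_blacksuit_indicators, classify_path, build_sample_tree) and the sample directory it constructs in a temporary folder are assumptions made for the demonstration, and the indicator values come from the paragraph above.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Indicators taken from the article: encrypted files carry the .blacksuit
# extension and a ransom note named README.BlackSuit.txt is dropped in each
# affected directory. Both values are compared case-insensitively.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE_NAME = "README.BlackSuit.txt"


def classify_path(path: str) -> Optional[str]:
    """Return 'note', 'encrypted' or None for a single file path."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE_NAME.lower():
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def scan_for_blacksuit_indicators(root: str) -> dict:
    """Walk a directory tree and summarise BlackSuit file-system indicators.

    Returns the number of ransom notes and encrypted files found, the sorted
    list of directories (relative to root) containing at least one hit, and
    an overall verdict. Only file names are inspected; nothing is modified.
    """
    notes = 0
    encrypted = 0
    affected_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            kind = classify_path(os.path.join(dirpath, filename))
            if kind is None:
                continue
            if kind == "note":
                notes += 1
            else:
                encrypted += 1
            affected_dirs.add(os.path.relpath(dirpath, root))
    return {
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "affected_dirs": sorted(affected_dirs),
        "infected": notes > 0 or encrypted > 0,
    }


def build_sample_tree() -> str:
    """Create a constructed sample directory for the demonstration.

    The layout is invented: two folders look as they would after encryption
    (renamed files plus a ransom note) and one folder is untouched. No real
    victim data is involved; every file holds placeholder text.
    """
    root = tempfile.mkdtemp(prefix="blacksuit-demo-")
    layout = {
        "finance": ["audit-2023.xlsx.blacksuit", "payments.csv.blacksuit", RANSOM_NOTE_NAME],
        "hr": ["passport-scan.pdf.blacksuit", RANSOM_NOTE_NAME],
        "marketing": ["deck.pptx", "logo.png"],
    }
    for folder, files in layout.items():
        folder_path = Path(root, folder)
        folder_path.mkdir()
        for name in files:
            (folder_path / name).write_text("placeholder content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    # Expected on the constructed tree: 2 notes, 3 encrypted files,
    # affected_dirs ['finance', 'hr'], infected True.
    print(scan_for_blacksuit_indicators(demo_root))
```

Run it against a mounted image or a suspect share instead of the sample tree by passing that path to scan_for_blacksuit_indicators. Because the scan only reads file names, it is safe to run on a system that is being preserved for forensics, and the per-directory list gives responders a first map of which shares the encryption reached.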

Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit could be a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang. The high degree of similarity in functions, code blocks, and jumps indicates a close relationship between the two ransomware families.

Potential Vulnerabilities

SBI's reliance on digital tools and interconnected systems for their design and fabrication processes may have made them vulnerable to this ransomware attack. The integration of advanced digital tools with traditional craftsmanship, while beneficial for efficiency and quality, also presents potential entry points for cybercriminals. The attack on SBI underscores the importance of strong cybersecurity measures to protect sensitive data and maintain operational integrity.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.