
Stripping Down the BlackSuit Ransomware Network Aided by DNS Data

Nearly 1 million individuals’ information was stolen and exposed when threat actors launched a BlackSuit ransomware attack on 10 April 2024. The investigation revealed that the compromised data included the victims’ Social Security numbers (SSNs), birthdays, and insurance claim information.

Data breach notifications were sent in the last week of August. Around that time, specifically on 27 August 2024, the Cybersecurity and Infrastructure Security Agency (CISA) also updated its BlackSuit ransomware advisory. Its latest STIX file contains 91 indicators of compromise (IoCs) comprising 14 domain names, five subdomains, and 72 IP addresses. The agency also revealed that BlackSuit is a rebranded version of the Royal ransomware, a threat group that targeted healthcare organizations and demanded ransom payments ranging from US$250,000 to US$2 million.

The WhoisXML API research team used these published IoCs as pivots to expand the indicator list and uncover related threat artifacts. The analysis led to the discovery of:

  • 112 email-connected domains
  • 10 additional IP addresses, five of which were found to be malicious
  • 21 IP-connected domains
  • 137 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the BlackSuit IoCs

To learn more about the published IoCs, we first ran the 15 domains, comprising the 14 domain names identified as IoCs and one domain extracted from the subdomain IoCs, on Bulk WHOIS Lookup. We found that one domain IoC did not have current WHOIS data and thus was excluded from the analysis.

  • Four domain IoCs were registered with Namecheap, Inc.; two with GANDI SAS; and one domain each with NiceNIC International Group Co. Limited; Free Spirit Domains LLC; Slow Motion Domains LLC; GoDaddy.com LLC; Rally Cry Domains LLC; FindYouAName.com LLC; WEBCC; and Tucows, Inc.
  • A majority of the domain IoCs, seven to be exact, were registered in 2024. Four were created in 2023, while one IoC each was created in 2010, 2021, and 2022.
  • Nine domain IoCs were registered in the U.S. and two in Iceland. Malaysia and Saint Kitts and Nevis accounted for one domain IoC each.

Next, we ran a bulk IP geolocation lookup for the 72 IP addresses identified as IoCs and found that:

  • Their geolocations were distributed across 29 countries. A majority were traced to the U.S. (24 IP addresses), Algeria (seven IP addresses), Russia (five IP addresses), and Morocco (four IP addresses). Three IP address IoCs each were geolocated in the Netherlands and Argentina, while two each were geolocated in Germany, Tunisia, and Colombia. Twenty other countries accounted for one IP address IoC each.
  • The Constant Company and Algeria Telecom administered seven IP addresses each, while Virgin Media, Global Internet Solutions, Maroc Telecom, and Telecom Argentina administered two IP addresses each. Thirty-one other ISPs accounted for one IP address IoC each, while 19 IP addresses did not have current ISP information.

Uncovering Potential BlackSuit Ransomware Threat Artifacts

To proactively hunt for potential BlackSuit-related threats, we queried the 14 domain IoCs and the root domain extracted from the subdomain IoCs on WHOIS History API. The results showed that they had 31 email addresses in their historical WHOIS records, five of which were public (i.e., not redacted by a privacy or proxy service).

Using the five public email addresses as pivots, our Reverse WHOIS API queries led to the discovery of 112 email-connected domains after removing duplicates and the IoCs themselves.

We then ran the 14 domain IoCs and five subdomain IoCs on DNS Lookup and found that while four did not have active IP resolutions, the remaining 15 resolved to 10 IP addresses not on the original IoC list.
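The pivot chain described in this section (historical WHOIS e-mails to reverse WHOIS, DNS resolution to addresses off the IoC list, then reverse IP to IP-connected domains), written out as an added example that is not WhoisXML API's code. The lookup tables are constructed stand-ins for the API responses, every domain, address and e-mail in them is made up, and the output records which pivot produced each artifact so that the corroboration recommended in the disclaimer has something to work from.

```python
# IoC expansion via the WHOIS/DNS pivots described above. Every lookup is a
# stand-in dict holding constructed sample data, not real BlackSuit indicators.
PRIVACY_MARKERS = ("privacy", "withheldforprivacy", "redacted")
# WHOIS history stand-in: domain -> e-mails seen in historical records.
WHOIS_HISTORY = {
    "ioc-one.example": ["ops@mail.example", "abuse@privacyguard.example"],
    "ioc-two.example": ["ops@mail.example", "redacted@withheldforprivacy.example"],
}
# Reverse WHOIS stand-in: e-mail -> domains registered with that address.
REVERSE_WHOIS = {
    "ops@mail.example": {"ioc-one.example", "ioc-two.example", "infra-a.example"},
    "abuse@privacyguard.example": {"unrelated-1.example", "unrelated-2.example"},
}
# DNS stand-in: name -> A records (subdomain IoCs are resolved as-is).
DNS = {"ioc-one.example": ["203.0.113.10"], "cdn.ioc-three.example": ["198.51.100.7"],
       "ioc-two.example": ["203.0.113.10", "198.51.100.7"]}
# Reverse IP stand-in: IP -> domains hosted on it.
REVERSE_IP = {"198.51.100.7": {"ioc-two.example", "infra-c.example"}}

def root_domain(name):
    # Last two labels only; production code would consult the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def is_public_email(email):
    # Privacy/proxy addresses are shared by unrelated registrants, so they are not pivots.
    return not any(m in email.lower() for m in PRIVACY_MARKERS)

def expand_iocs(ioc_domains, ioc_subdomains, ioc_ips):
    # Each artifact is returned with the pivot(s) that produced it, for triage.
    seeds = set(ioc_domains) | {root_domain(s) for s in ioc_subdomains}
    # Pivot 1: historical WHOIS e-mails -> reverse WHOIS -> email-connected domains.
    emails = {e for d in seeds for e in WHOIS_HISTORY.get(d, [])}
    public = {e for e in emails if is_public_email(e)}
    email_connected = {}
    for e in public:
        for d in REVERSE_WHOIS.get(e, set()) - seeds:  # drop the IoCs themselves
            email_connected.setdefault(d, set()).add(e)
    # Pivot 2: DNS resolution of domain and subdomain IoCs -> IPs not on the IoC list.
    additional_ips = {}
    for name in seeds | set(ioc_subdomains):
        for ip in DNS.get(name, []):
            if ip not in set(ioc_ips):
                additional_ips.setdefault(ip, set()).add(name)
    # Pivot 3: reverse IP on the new addresses -> IP-connected domains.
    ip_connected = {}
    for ip in additional_ips:
        for d in REVERSE_IP.get(ip, set()) - seeds:
            ip_connected.setdefault(d, set()).add(ip)
    return {"public_emails": public, "email_connected": email_connected,
            "additional_ips": additional_ips, "ip_connected": ip_connected}
```

Domains that only share a privacy-service address, or that are IoCs themselves, never appear in the output; anything that does appear can be traced back to the e-mail or address that pulled it in.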

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
