How Ransomware Groups Target Multiple Organizations

Summary

Ransomware groups use strategic and often sophisticated techniques to target multiple organizations, with methods ranging from leveraging vulnerabilities to advanced tools for data exfiltration and extortion. Their operations are built on intelligence gathering and exploitation of weak security protocols, showcasing a modern and highly adaptive approach to cyberattacks.

  • Prioritize strong access controls: Implement multifactor authentication, enforce complex passwords, and regularly audit access permissions to minimize vulnerabilities.
  • Update systems regularly: Patch software vulnerabilities promptly and ensure security configurations for critical infrastructure like ESXi servers and routers are up to date.
  • Establish a response plan: Develop and maintain a comprehensive incident response strategy to quickly detect, contain, and recover from ransomware attacks.
Summarized by AI based on LinkedIn member posts
  • Wendi Whitmore
    Palo Alto Networks Chief Security Intelligence Officer | DHS Cyber Safety Review Board Inaugural Member

    The ransomware group BlackSuit, currently in the news for various global attacks, is a suspected rebranding of the Royal group. Palo Alto Networks Unit 42 has recently responded to multiple cases involving BlackSuit, and feels it’s important to share details on the group so businesses can be vigilant and defend against possible attacks. The group displays signs of operational experience and a higher level of sophistication, potentially inherited from predecessor groups. They are opportunistic & seem to be indiscriminately targeting organizations, demonstrating a global reach. Unlike many other ransomware groups Unit 42 tracks, BlackSuit operates as a private group without affiliates, outside of the popular RaaS model.

    BlackSuit’s notable TTPs:
    - Initial attack vector through various means, such as malicious phishing attachments, social engineering through vishing calls, as well as abuse of legitimate credentials
    - Deploys both Windows and Linux-based ransomware payloads, and also interacts with VMware ESXi to impact virtual infrastructure
    - Attempts to disable host security products such as AV and EDR
    - Leverages data leak sites as part of a double-extortion strategy

    Unit 42 recommendations for organizations include:
    - Ensure least privilege for user accounts as well as access control lists to critical systems
    - Ensure strong, not reused passwords with MFA enabled for remote access to systems
    - Segment networks and critical systems where appropriate
    - Review and harden ESXi and other infrastructure configuration and security policies
    - Have a robust incident response plan

    Background on BlackSuit: BlackSuit first came to light in May 2023 when Unit 42 published a social media post discussing its ability to target both Windows and Linux hosts. Their first leak site post was on June 18, 2023. Various sources, including Unit 42, have reported similarities in code between Royal and the newly established BlackSuit ransomware, indicating a possible rebranding from Royal to BlackSuit and a possible relation to the Conti Group. Unit 42 will continue to share information about this threat actor as their tactics evolve.

  • Cory Wolff
    Director | Proactive Services at risk3sixty. We help organizations proactively secure their people, processes, and technology.

    Ransomware crews do their research when setting ransom demands. It's not just about what they steal—they're tapping into the same business intelligence sources your sales team might use. Digging into the leaked Blackbasta chat logs, we counted 787 direct references to zoominfo.com. That means these crews are going far beyond reviewing exfiltrated files. They're pulling up revenue numbers, org charts, and even figuring out which employees have payment authority.

    The actual workflow looks like this:
    ➡️ Start by exfiltrating sensitive data and pulling internal docs
    ➡️ Then comb through resources like ZoomInfo to map out company structure and revenue
    ➡️ Use that intelligence to size the ransom demand to what they think you'll pay

    Seen from an OffSec angle, it’s classic recon—just with a modern twist. Ransomware groups are blending criminal tactics with commercial-grade data mining to shape their approach, not just blasting out random numbers. If you want to see how this plays out in the raw logs, I dropped a link to the leaked chats in the comments. Curious—are there other business data sources you’ve seen threat actors abusing for target research? #Cybersecurity #Ransomware #ThreatIntelligence

  • Cynthia Kaiser
    SVP & Fmr FBI Cyber Exec | Commentator & Keynote Speaker | Passionate About Threat Intelligence & Cyber Defense

    FBI Cyber Division and our partners, including Japan NISC, are warning multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential PRC-linked BlackTech compromise.

    BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries' and domestic headquarters’ networks. Custom BlackTech malware families include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear. BlackTech actors continuously update these tools to evade detection by security software. The actors also use stolen code-signing certificates to sign the malicious payloads, which makes them appear legitimate and therefore more difficult for security software to detect.

    BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by EDR products. Common methods of persistence on a host include NetCat shells and modifying the victim registry to enable RDP and SSH. The actors have also used SNScan for enumeration and a local file transfer protocol (FTP) server to move data through the victim network.

    After gaining access to international subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. BlackTech has targeted and exploited various brands and versions of router devices, including Cisco. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations.

    For additional TTPs, IOCs, and detailed detection and mitigation measures, see the attached CSA. #cyberintelligence #cyberthreatintelligence #cyberthreatintel #CybersecurityAdvisory #FBI

  • Jon Hencinski
    Head of Security Operations at Prophet

    Our latest Q1 2025 Rapid7 Incident Response findings are in—and the data paints a clear picture of how ransomware groups are breaking in.

    🔐 Top 5 Initial Access Vectors:
    1. Account Compromise (No MFA) – Over 50% of ransomware intrusions began this way. Often: misconfigured or missing MFA.
    2. Known, Patchable Vulnerabilities – Fortinet, SimpleHelp, and others were hit despite available fixes.
    3. Brute Forcing – Still rampant due to weak lockout controls.
    4. Exposed RDP – Yes, still a common entry point in 2025.
    5. SEO Poisoning – Trojanized “admin tools” delivered via search result manipulation.

    Spotlight: Social engineering through Microsoft Teams is on the rise—threat actors are posing as IT staff and tricking users into installing remote access tools.

    ✔️ Actionable Takeaways:
    - Enable and harden MFA – Go phishing-resistant when you can
    - Patch like it matters—because it does. Prioritize exploited CVEs.
    - Shut down public RDP – Always route access securely
    - Review password + lockout policies – Long passwords, enforced lockouts
    - Lock down Teams chat – Social engineering doesn’t stop at email

    📘 Read the full breakdown and get actionable advice here: https://lnkd.in/ekF4jhCq
    #Cybersecurity #IncidentResponse #Ransomware #ThreatIntel #MDR #Rapid7

  • Brent Gallo - CISSP, Lead CCA
    Founder & CEO at Hire a Cyber Pro | Cybersecurity Consultant & Recruiter | Helping Business Leaders Identify and Reduce their Cybersecurity Risks | M.S. Cybersecurity | CISSP | More Certs | vCISO | CMMC | USAF Vet

    Clop Ransomware Strikes Again: 66 Companies Under Threat in Cleo Data-Theft Attack

    The Clop ransomware gang is back with another high-profile extortion campaign, targeting victims of its recent Cleo data-theft attack. The group has given 66 companies a 48-hour ultimatum to respond to ransom demands or face public exposure on their dark web portal.

    ➙ How Clop Pulls Off Major Breaches
    The latest attack leveraged a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products (tracked as CVE-2024-50623). This flaw allowed hackers to perform unrestricted file uploads and downloads, and to execute remote code. Using this exploit, Clop successfully infiltrated networks and stole sensitive data. This isn’t Clop’s first rodeo. The group has previously exploited zero-day vulnerabilities in:
    ↳ MOVEit Transfer platform
    ↳ GoAnywhere MFT
    ↳ SolarWinds Serv-U FTP software
    Their method is chillingly effective: exploit vulnerabilities, exfiltrate sensitive data, and demand ransom through secure channels.

    ➙ What Makes This Attack Different?
    ↳ Extortion at Scale: Clop listed 66 companies on its leak site but hinted that the real number of victims could be much higher.
    ↳ Direct Contact: The gang is actively reaching out to victims via secure chat links and email to negotiate ransoms.
    ↳ Public Pressure: Companies ignoring Clop's demands are threatened with full public disclosure of their identities and data.

    ➙ What’s the Impact?
    With Cleo software used by over 4,000 organizations globally, the potential scope of this breach is massive. Some companies are already identifiable through cross-referencing Clop’s hints with Cleo servers exposed online.

    ➙ What You Can Do to Protect Your Organization
    1️⃣ Patch Immediately: Update Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.21 or higher.
    2️⃣ Monitor Your Network: Check for unusual activity or reverse shell connections that may indicate compromise.
    3️⃣ Engage Experts: If affected, work with cybersecurity professionals to contain and mitigate the breach.
    4️⃣ Prepare for Extortion: Have a ransomware response plan in place to navigate negotiations or manage exposure risks.

    Don’t Wait for Clop to Knock on Your Door
    This attack underscores the urgency of securing your systems against zero-day vulnerabilities. Whether you’re using Cleo or similar platforms, proactive monitoring and timely patching are critical.

    P.S. Is your organization equipped to handle zero-day exploits like this? What steps are you taking to secure your data?
    ♻️ Repost to alert your network and help businesses prepare for ransomware threats.
    🔔 Follow Brent Gallo - CISSP for the latest insights on tackling ransomware and securing your organization.
    #Ransomware #Clop #CyberSecurity #ZeroDay #DataBreach #SupplyChainSecurity #ITSecurity #PatchNow #ExtortionCampaign

  • Bob Carver
    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    Popular Medusa Ransomware utilizes many LOTL (Living off the Land) techniques
    Source: CISA

    Initial Access
    Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:
    - Phishing campaigns as a primary method for stealing victim credentials [T1566].
    - Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and the Fortinet EMS SQL injection vulnerability CVE-2023-48788 [CWE-89: SQL Injection].

    Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486].

    When provided with valid username and password credentials, Medusa actors use PsExec to:
    - Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).
    - Execute an already existing local file on a remote machine with SYSTEM level privileges.
    - Execute remote shell commands using cmd /c.

    One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:
        netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
    Then, a rule to allow remote WMI connections is created:
        netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
    Finally, the registry is modified to allow Remote Desktop connections:
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

    Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.
    #cybersecurity #ransomware #Medusa #LOTL #Windows #CISA
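
As an added defender-side example (not part of the post above, the CISA advisory, or any vendor's tooling), the following Python scans process-creation command lines for the three openrdp.bat steps quoted in the Medusa post and for the PsExec -s -c copy-and-run usage, and raises a host-level alert only when the full RDP-enabling chain is seen on one host; the registry change it looks for is the same RDP-enabling persistence step the BlackTech post above describes. The host names, the sample command lines and the rule names are constructed for the example.

```python
import re

# Constructed sample process-creation records (command lines as an EDR or
# Sysmon sensor would report them). They are not taken from the post or the
# CISA advisory; only the three netsh/reg command lines mirror openrdp.bat.
SAMPLE_EVENTS = [
    {"host": "jump-01", "cmd": r"psexec.exe \\ws-17 -u CORP\svc_backup -p [redacted] -s -c C:\Temp\openrdp.bat"},
    {"host": "ws-17", "cmd": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"host": "ws-17", "cmd": 'netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes'},
    {"host": "ws-17", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # Benign look-alikes that must not fire: a web-server rule, and a read-only query of the same value.
    {"host": "srv-02", "cmd": 'netsh advfirewall firewall add rule name="web" dir=in protocol=tcp localport=443 action=allow'},
    {"host": "srv-02", "cmd": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
]

# One pattern per openrdp.bat step, plus PsExec invoked with both -s (run as SYSTEM)
# and -c (copy a local file to the remote host before running it).
RULES = {
    "firewall_open_rdp": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389\b.*action=allow", re.I),
    "firewall_enable_wmi": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="windows management instrumentation \(wmi\)"\s+new\s+enable=yes', re.I),
    "registry_enable_rdp": re.compile(
        r"reg\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0(?:\s|$)", re.I),
    "psexec_system_copy": re.compile(
        r"psexec(?:64)?(?:\.exe)?(?=.*\s-s(?:\s|$))(?=.*\s-c(?:\s|$))", re.I),
}


def scan_events(events):
    """Return a (host, rule_name) pair for every command line that matches a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], name))
    return hits


def hosts_with_rdp_enable_chain(events):
    """Hosts on which all three openrdp.bat steps were observed. A single step
    (one firewall rule, say) is noisy in admin activity; the full chain is not."""
    chain = {"firewall_open_rdp", "firewall_enable_wmi", "registry_enable_rdp"}
    seen = {}
    for host, name in scan_events(events):
        seen.setdefault(host, set()).add(name)
    return sorted(host for host, names in seen.items() if chain <= names)


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("match:", hit)
    print("RDP-enable chain on:", hosts_with_rdp_enable_chain(SAMPLE_EVENTS))
```

The per-rule hits are worth keeping as lower-severity signals on their own, since the PsExec copy step lands on the source host while the openrdp.bat commands execute on the target.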

  • All of the high-profile recent attacks in Las Vegas and elsewhere around the country from Scattered Spider / UNC3944 call for a fast threat intel report. Please share with your team!

    Unpacking Scattered Spider's / UNC3944's Tactics, Techniques & Procedures (TTPs):

    ☢️ Overview:
    🔸 Scattered Spider/UNC3944 is a financial-threat group with consistent phone-based social engineering (vishing) & SMS phishing (smishing).
    🔸 They've recently broadened their targets: from telecoms and BPOs to hospitality, retail, media, financial services, and more.

    ☢️ Notable TTPs:
    🔸 Heavy reliance on social engineering: SMS phishing and calls to help desks for password resets or MFA bypass.
    🔸 Use of commercial residential proxy services to appear local.
    🔸 Legitimate software and remote access tools are often downloaded directly from vendor sites.
    🔸 Extremely high operational tempo, overwhelming security response teams.
    🔸 In-depth internal reconnaissance: Seeking internal documents, chat logs, etc., to maintain and escalate their presence.
    🔸 Privilege escalation: Targeting password managers and privileged access systems.
    🔸 Virtual machine (VM) creation: Often creating unmanaged VMs inside victims' environments.
    🔸 Targeted ransomware deployment: Focusing on business-critical systems for maximum impact.
    🔸 Aggressive communication: Threatening notes, texts to executives, and infiltrating victims' communication channels.

    ☢️ Scattered Spider/UNC3944 Attack Lifecycle Highlights:
    🔸 Smishing: Primary initial access via smishing attacks on employees.
    🔸 Phishing Kits: Mandiant identified 3 phishing kits used by UNC3944.
    🔸 Credential Thefts: Use of various credential theft tools.
    🔸 Cloud Resources Targeting: Specifically focusing on victims’ cloud resources for data theft and lateral movement.

    ☢️ Outlook:
    Scattered Spider's/UNC3944's adaptive and diverse approach shows they’re here to stay and evolve. From SMS phishing to sophisticated ransomware and extortion campaigns, their trajectory indicates a continuous threat evolution. Stay vigilant and keep updating your threat intelligence and hardening your defenses to account for such emerging groups! #Cybersecurity #ScatteredSpider #UNC3944

  • Anastasia Sentsova
    Sr Threat Intelligence Analyst @ Analyst1

    🚨 Ransomware Groups Claim the Same Victim: What Are the Motives?

    📌 In 2023, we saw many instances of the same entity being claimed by multiple ransomware groups. The same insurance company was targeted by three different groups within a short timeframe: LockBit 3.0 in February, RansomHouse in March, and CLOP in June. This trend appears to persist into 2024, as several reports have surfaced in recent weeks reporting this observation. Valery Rieß-Marchive has identified 88 cases of cross-claims since Jan. 1st, 2023, and counting (https://lnkd.in/epCfvQAU).

    📌 Handling multiple claims is a nightmare for the affected company, requiring a comprehensive investigation of each event. The motivations driving such activity may vary; let's explore them.

    1️⃣ Syndicates indeed targeted the same victim. Whether it's the same affiliate with access to multiple strains or different actors involved, instances of multiple attacks have occurred in the past. Jon DiMaggio stated, “On several occasions I have been called about incidents where two payloads were identified in environment. In reality we had an affiliate working with two RaaS providers.”

    2️⃣ Actors use false claims to conduct influence campaigns. This has been the subject of multiple research efforts by Analyst1. Two significant cases include the Snatch case study with their influence campaign efforts (https://lnkd.in/erSh_ZCJ) and RansomedVC, which was identified making false claims to draw attention to themselves (https://lnkd.in/eg9BGb4Q).

    3️⃣ Actors frequently collaborate to support one another. This collaboration is driven by the cultural aspect of a Russian collectivist society and the pressure to remain close-knit in the DarkWeb ecosystem in order to survive. This became especially critical since the invasion of Ukraine in February 2022. The commonly held belief that the success of RaaS stems from its low barrier of entry may not apply in the case of major ransomware groups. Access to their programs, such as BlackCat for example, is highly restricted due to the risk of infiltration by those opposed to Russian state policies, which these actors closely align with. In fact, the core group was formed long ago, which allows them to quickly get back to life after another shutdown. Recent reports of LockBit reposting BlackCat’s victims (https://lnkd.in/ejUDz9FJ) might be an old trick that actors used in the past. In November 2021, LockBit provided infrastructure support to BlackMatter, a predecessor of BlackCat, while the actors were rebuilding their own (https://lnkd.in/eikeFaem).

    📩 Subscribe to the Analyst1 newsletter for the latest insights: https://lnkd.in/e_74iNpq