BlackSuit ransomware is malicious software designed to infiltrate computer systems and encrypt critical data. It primarily targets high-value organizations across critical sectors, showing its potential to disrupt operations and inflict widespread damage.

This ransomware has caused substantial financial losses and operational disruptions across various industries. Understanding how BlackSuit operates and implementing detection strategies against it helps organizations proactively protect assets and maintain business continuity amid an ever-evolving threat landscape.

In this blog post, we illustrate how organizations can detect and respond to BlackSuit ransomware on infected Windows endpoints.

BlackSuit ransomware behavior

Below are some of the behaviors observed if BlackSuit ransomware is successfully executed on a Windows endpoint:

  • The ransomware needs command line arguments to execute and encrypt files on an endpoint. It supports several arguments, each followed by a 32-character value. The argument used in this post is -name followed by a random 32-character value.
  • To prevent recovery after encryption, it deletes all volume shadow copies. This is done via a hidden shell command that launches VSSADMIN.EXE with the /All and /Quiet options:
"C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
  • Before encryption, it uses the Windows Restart Manager (Microsoft-Windows-RestartManager) to determine whether targeted files are currently in use or locked by other applications, so that it can encrypt as many files as possible. The sequence of Restart Manager APIs used by BlackSuit is RmStartSession, RmRegisterResources, RmGetList, RmShutdown, and RmEndSession.
  • The ransomware creates a ransom note with the filename README.BlackSuit.txt in multiple directories, such as C:\PerfLogs\, C:\Temp\, C:\Users\<user>\AppData\Roaming\, C:\Users\<user>\AppData\Local\, C:\Users\<user>\, and C:\ProgramData\.
  • It encrypts files on the endpoint and on mounted shares, appending the .blacksuit extension to the encrypted files.

Analyzed IOC

Hash algorithm   Value
SHA256           90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
MD5              748de52961d2f182d47e88d736f6c835

Infrastructure

We use the following infrastructure to demonstrate the detection of BlackSuit ransomware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.9.2 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 victim endpoint with the Wazuh agent version 4.9.2 installed.

Detection with Wazuh

We use the following techniques to detect the BlackSuit ransomware behavior on an infected Windows endpoint:

Detection rules

We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of BlackSuit ransomware.

Windows endpoint

Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file, sysmonconfig.xml, using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory containing the Sysmon executable. Run the command below to install and start Sysmon:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Upon successful installation of Sysmon, add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the activities of BlackSuit ransomware on the monitored endpoint. 

1. Create a file blacksuit_ransomware.xml in the /var/ossec/etc/rules/ directory:

# touch /var/ossec/etc/rules/blacksuit_ransomware.xml

2. Add the following rules to the /var/ossec/etc/rules/blacksuit_ransomware.xml file:

<group name="BlackSuit, ransomware,">

  <!-- Ransomware execution -->
  <rule id="100011" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i).*\.exe\s+-name\s\d{32}$</field>
    <description>Possible BlackSuit ransomware executed.</description>
    <mitre>
      <id>T1059</id>
      <id>T1086</id>
    </mitre>
  </rule>

  <!-- Inhibit system recovery -->
  <rule id="100012" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)vssadmin\.exe\\"\sDelete\sShadows\s\/All\s\/Quiet</field>
    <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100013" level="15" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\README\.BlackSuit\.txt</field>
    <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. BlackSuit ransomware detected.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

</group>

The following rule IDs are triggered when activities related to BlackSuit ransomware are detected on an endpoint:

  • Rule ID 100011 is triggered when BlackSuit ransomware is executed with an argument followed by a 32-character value on a victim endpoint.
  • Rule ID 100012 is triggered when BlackSuit ransomware deletes all the shadow copies of the files and folders on the endpoint.
  • Rule ID 100013 is triggered when BlackSuit ransomware drops its ransom note with the file name README.BlackSuit.txt in multiple folders.

3. Restart the Wazuh server to apply the changes:

# systemctl restart wazuh-manager
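To check the three rules above offline before deploying them, here is an added Python emulation (not code from this post or from Wazuh) that runs Python equivalents of the pcre2 patterns over constructed Sysmon-style events and applies the frequency="2" timeframe="100" correlation of rule 100013. The event layout, the escaped-quote form of the vssadmin command line expected by rule 100012, and the counter reset after an alert are assumptions.

```python
"""Offline emulation of rules 100011, 100012 and 100013 (added example)."""
import re

# Python re equivalents of the post's pcre2 fields. Note that \d{32} in
# rule 100011 matches 32 digits only, not any 32 characters.
RULE_100011 = re.compile(r'(?i).*\.exe\s+-name\s\d{32}$')
# Rule 100012 expects a backslash before the closing quote of the vssadmin
# path (assumption: the field arrives in that escaped form).
RULE_100012 = re.compile(r'(?i)vssadmin\.exe\\"\sDelete\sShadows\s/All\s/Quiet')
RULE_100013_IMAGE = re.compile(r'\.exe')
RULE_100013_TARGET = re.compile(r'(?i)[C-Z]:.*\\README\.BlackSuit\.txt')
FREQUENCY, TIMEFRAME = 2, 100  # attributes of rule 100013


def evaluate(events):
    """Return (rule_id, timestamp) alerts for a chronological event stream.

    Each event carries 'ts' (seconds), 'agent', 'sid' (the Sysmon rule it
    decoded as: 61603 process creation, 61613 file creation) and the
    eventdata fields the rules inspect.
    """
    alerts = []
    note_drops = {}  # agent -> timestamps of ransom-note drops in the window
    for ev in events:
        if ev['sid'] == 61603:
            if RULE_100011.search(ev['commandLine']):
                alerts.append((100011, ev['ts']))
            if RULE_100012.search(ev['commandLine']):
                alerts.append((100012, ev['ts']))
        elif ev['sid'] == 61613:
            if (RULE_100013_IMAGE.search(ev['image'])
                    and RULE_100013_TARGET.search(ev['targetFilename'])):
                drops = note_drops.setdefault(ev['agent'], [])
                drops.append(ev['ts'])
                # keep only drops inside the sliding timeframe window
                drops[:] = [t for t in drops if ev['ts'] - t <= TIMEFRAME]
                if len(drops) >= FREQUENCY:
                    alerts.append((100013, ev['ts']))
                    drops.clear()  # assumption: counter resets after alerting
    return alerts


IMG = r'C:\Users\victim\Downloads\encryptor.exe'
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {'ts': 0, 'sid': 61603, 'agent': 'win11',
     'commandLine': IMG + ' -name 12345678901234567890123456789012'},
    {'ts': 5, 'sid': 61603, 'agent': 'win11',
     'commandLine': r'\"C:\Windows\Sysnative\vssadmin.exe\" Delete Shadows /All /Quiet'},
    {'ts': 10, 'sid': 61613, 'agent': 'win11', 'image': IMG,
     'targetFilename': r'C:\PerfLogs\README.BlackSuit.txt'},
    {'ts': 12, 'sid': 61613, 'agent': 'win11', 'image': IMG,
     'targetFilename': r'C:\Temp\README.BlackSuit.txt'},
    {'ts': 20, 'sid': 61613, 'agent': 'win11', 'image': r'C:\Windows\explorer.exe',
     'targetFilename': r'C:\Users\victim\Documents\notes.txt'},  # benign
]

if __name__ == '__main__':
    for rule_id, ts in evaluate(SAMPLE_EVENTS):
        print(f'rule {rule_id} fired at t={ts}s')
```

A single ransom-note drop, or two drops more than 100 seconds apart, produces no 100013 alert, which is the point of the frequency and timeframe attributes.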

Alerts visualization

The screenshot below displays the alerts generated on the Wazuh dashboard when the BlackSuit ransomware is executed on the endpoint.

From the Wazuh dashboard,

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select rule IDs 100011, 100012, and 100013 in the Values field.

5. Click Save.

BlackSuit Ransomware dashboard

Detecting and removing malicious files utilizing YARA integration

Wazuh integrates with YARA, a tool designed to detect and classify malware artifacts. This integration scans files added or modified on a Windows endpoint to determine if they contain malware.

We configure the Wazuh File Integrity Monitoring module to track changes in a specific folder. Whenever files are added or modified in the monitored folder, the Wazuh Active Response module automatically initiates a YARA scan. It detects potentially malicious files based on predefined rules.

Windows endpoint

For this integration, we require the below prerequisites installed and configured on the endpoint.

After successfully installing the aforementioned prerequisites, proceed with the next steps to download the YARA executable.

Note: Run PowerShell as an administrator for the following steps.

1. Run the command to download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

2. Extract the downloaded YARA file:

> Expand-Archive v4.3.2-2150-win64.zip

3. Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Once the above steps have been completed, we proceed to download the YARA rules.

4. In the same PowerShell terminal that was opened earlier, use the pip utility to install valhallaAPI. This Python package is used to retrieve the public signature-based YARA ruleset:

> pip install valhallaAPI

5. Create a file download_yara_rules.py, and paste the below script into it:

from valhallaAPI.valhalla import ValhallaAPI

# The demo API key below is the one valhallaAPI accepts for the public ruleset.
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Write the retrieved ruleset to a file that is later copied to the agent's rules folder.
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

6. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

7. Edit the downloaded YARA rules file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and append the following BlackSuit ransomware rule:

rule BlackSuit_ransomware {
   meta:
      description = "BlackSuit ransomware executable detection"
      author = "Aishat Motunrayo Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2024-10-03"
      hash1 = "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"
   strings:
      $x1 = "C:\\Users\\pipi-\\source\\repos\\encryptor\\Release\\encryptor.pdb" fullword ascii
      $s2 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
      $s3 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static\\bin" fullword ascii
      $s4 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_aes_hw_aesni.inc" ascii
      $s5 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_aes_cts.inc" fullword ascii
      $s6 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\macs\\blake2_mac_impl.c" fullword ascii
      $s7 = "get_payload_private_key" fullword ascii
      $s8 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static\\lib\\engines-3" fullword ascii
      $s9 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static" fullword ascii
      $s10 = "get_payload_public_key" fullword ascii
      $s11 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\crypto\\err\\err_local.h" fullword ascii
      $s12 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_camellia_cts.inc" ascii
      $s13 = "C:\\Windows\\Sysnative\\bcdedit.exe" fullword wide
      $s14 = "C:\\Windows\\Sysnative\\vssadmin.exe" fullword wide
      $s15 = "error processing message" fullword ascii
      $s16 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\engines\\e_capi_err.c" fullword ascii
      $s17 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s18 = "get_dh_dsa_payload_p" fullword ascii
      $s19 = "loader incomplete" fullword ascii
      $s20 = "get_payload_group_name" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 7000KB and
      1 of ($x*) and 4 of them
}

8. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the configuration below within the <syscheck> block to monitor the Downloads folders of all users in real-time using the Wazuh FIM module:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, the Downloads folders of all users are monitored. However, you can configure other folders you wish to monitor depending on your specific needs.

9. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. 

10. Copy the script below into the yara.bat file. The Wazuh Active Response module automatically runs this file to perform YARA scans for malware detection and removal:

:: This script deletes BlackSuit ransomware as well as other malicious files matched by the YARA rules

@echo off
setlocal enableDelayedExpansion

:: Pick the active-responses.log path for the agent architecture (32-bit or 64-bit Windows)
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read the alert JSON that the Wazuh agent passes to the active response on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

:: Extract the path of the added or modified file from the FIM alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%

:: Scan the file. YARA prints one "<rule> <file>" line per matching rule, so the loop body only runs on a match
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the matched file and log whether the removal succeeded
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b

11. Restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name wazuh

Wazuh server

Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will trigger alerts for any files added or modified in the Downloads directory on the monitored endpoint.

<group name="syscheck,">
  <rule id="100024" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100025" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Where:

  • Rule ID 100024 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100025 is triggered when a file is added to the Downloads directory.

2. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100024,100025</rules_id>
</active-response>

The Wazuh Active Response module executes the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies the name of the command being called in the active response section.
  • <executable> specifies the executable file to run.
  • <command> specifies the command that the active response will use.
  • The <active-response> block calls the <command> block when rule ID 100024 or 100025 is triggered.
  • <location> specifies where the active response script is executed.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to generate alerts when YARA active response actions are taken:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100026" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100027" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100028" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100029" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • Rule ID 100026 is the base rule for detecting YARA related events.
  • Rule ID 100027 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100028 is triggered when the detected file has been successfully removed by the Wazuh active response module.
  • Rule ID 100029 is triggered when the detected file is not removed successfully by Wazuh active response.

5. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager
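To see what the decoders and rules above extract from the lines yara.bat writes, here is an added Python check (not code from this post or from Wazuh) that applies Python equivalents of the three child decoder regexes to constructed active-responses.log lines and maps each match to the rule it would trigger; the last sample line shows that \S+ truncates a scanned-file path containing a space. The sample rule name, paths and the decoder-to-rule mapping are assumptions for the demonstration.

```python
"""Offline check of this post's yara decoders and rules 100027-100029
against constructed active-responses.log lines (added example)."""
import re

# Python equivalents of the three child decoder regexes; the <order>
# of each is log_type, yara_rule, yara_scanned_file.
DECODERS = {
    'scan':    re.compile(r'wazuh-yara: (\S+) - Scan result: (\S+) (\S+)'),
    'deleted': re.compile(r'wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)'),
    'error':   re.compile(r'wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)'),
}
# Rule that fires on each decoder's output (rule 100026 groups them all).
RULE_BY_DECODER = {'scan': 100027, 'deleted': 100028, 'error': 100029}


def decode(line):
    """Return the decoded fields and the rule ID a line would trigger,
    or None when the parent <prematch> or every child regex fails."""
    if 'wazuh-yara:' not in line:  # parent decoder prematch
        return None
    for name, rx in DECODERS.items():
        m = rx.match(line)
        if m:
            log_type, yara_rule, scanned = m.groups()
            return {'rule_id': RULE_BY_DECODER[name], 'log_type': log_type,
                    'yara_rule': yara_rule, 'yara_scanned_file': scanned}
    return None  # only grouping rule 100026 (level 0) would match


def decode_log(lines):
    """Decode a whole log and return the list of triggered rule IDs."""
    return [d['rule_id'] for d in map(decode, lines) if d]


SAMPLE_LOG = [  # constructed lines in the format yara.bat writes
    r'C:\Users\victim\Downloads\encryptor.exe',  # bare path echoed before the scan
    r'wazuh-yara: INFO - Scan result: BlackSuit_ransomware C:\Users\victim\Downloads\encryptor.exe',
    r'wazuh-yara: INFO - Successfully deleted: BlackSuit_ransomware C:\Users\victim\Downloads\encryptor.exe',
    r'wazuh-yara: INFO - Error removing threat: BlackSuit_ransomware C:\Users\victim\Downloads\locked.exe',
    # A path with a space: \S+ stops at the space, so yara_scanned_file is
    # truncated to "...\Downloads\new" in the resulting alert.
    r'wazuh-yara: INFO - Scan result: BlackSuit_ransomware C:\Users\victim\Downloads\new folder\encryptor.exe',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(decode(line))
```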

Detection results

Alerts are generated on the dashboard when the BlackSuit ransomware executable is added to the monitored folder, in this case the Downloads folder of the victim endpoint. To view these alerts on the Wazuh dashboard:

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select rule IDs 100025, 100027, and 100028 in the Values field.

5. Click Save.

BlackSuit detection rules

Conclusion

BlackSuit ransomware highlights the ongoing evolution of ransomware, where attackers continue to refine their methods to maximize disruption and profit. Organizations must stay vigilant by employing strong incident response plans and implementing advanced security measures to detect and defend against ransomware attacks. Early detection and proactive security measures are key to mitigating the impact of such sophisticated threats.

In this blog post, we illustrated how organizations can leverage Wazuh to detect and remove BlackSuit ransomware on Windows endpoints. We used Sysmon to enrich logs from the victim endpoint and created detection rules for identifying malicious behavior related to BlackSuit ransomware. Furthermore, we employed YARA with the Wazuh Active Response module to detect and automatically remove the ransomware upon its download to the monitored endpoint.

Wazuh is a free open source security platform offering a wide range of capabilities to monitor and protect your infrastructure from malicious activities. Refer to our blog post Ransomware protection on Windows with Wazuh for more information on how to recover files to a state prior to encryption. If you have any questions about this blog post or Wazuh in general, feel free to join our active Slack community, where we are available to help.
