BlackSuit ransomware is a malicious software designed to infiltrate computer systems and encrypt critical data. It primarily targets high-value organizations across critical sectors showcasing its potential to disrupt operations and inflict widespread damage.
This ransomware has caused substantial financial losses and operational disruptions across various industries. Understanding how BlackSuit operates and implementing detection strategies against it helps organizations proactively protect assets and maintain business continuity amid an ever-evolving threat landscape.
In this blog post, we illustrate how organizations can detect and respond to BlackSuit ransomware on infected Windows endpoints.
BlackSuit ransomware behavior
Below are some of the behaviors observed if BlackSuit ransomware is successfully executed on a Windows endpoint:
- The ransomware needs command line arguments to execute and encrypt files on an endpoint. It supports multiple arguments followed by any 32-character value. The argument used in this post is
-name
followed by a random 32-character value. - To prevent recovery after the encryption of files, it removes Volume Shadow Copies Service (VSS). This is done via a hidden shell command that launches
VSSADMIN.EXE
with the/ALL
and/Quiet
options.
"C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
- Before encryption, it uses
Microsoft-Windows-RestartManager
to determine whether targeted files are currently in use or blocked by other applications. This is done to encrypt as many files as possible. The sequence of the Windows Restart Manager APIs used by BlackSuit isRmStartSession
,RmRegisterResources
,RmGetList
,RmShutdown
, andRmEndSession
. - The ransomware creates a ransom note with the filename
README.BlackSuit.txt
in multiple directories such asC:\PerfLogs\
,C:\Temp\
,C:\Users\<user>\AppData\Roaming\
,C:\Users\<user>\AppData\local\ C:\Users\<users>\
,C:\ProgramData\
. - It encrypts files on the endpoint and mounted shares by appending the
.blacksuit
extension to the encrypted files.
Analyzed IOC
Hash Algorithm | Value |
SHA256 | 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c |
MD5 | 748de52961d2f182d47e88d736f6c835 |
Infrastructure
We use the following infrastructure to demonstrate the detection of BlackSuit ransomware with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.9.2 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 11 victim endpoint with the Wazuh agent version 4.9.2 installed.
Detection with Wazuh
We use the following techniques to detect the BlackSuit ransomware behavior on an infected Windows endpoint:
- Using detection rules to identify activities related to the BlackSuit ransomware.
- Detecting and removing malicious files with YARA integration and the Wazuh Active Response module.
Detection rules
We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of BlackSuit ransomware.
Windows endpoint
Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred location.
3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH>
with the path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Switch to the directory containing the Sysmon executable. Run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Upon successful installation of Sysmon, add the following configuration within the <ossec_config>
block of the C:\Program Files (x86)\ossec-agent\ossec.conf
file to forward Sysmon events to the Wazuh server:
<localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
6. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh
Wazuh server
In this section, we create rules to detect the activities of BlackSuit ransomware on the monitored endpoint.
1. Create a file blacksuit_ransomware.xml in the /var/ossec/etc/rules/
directory:
# touch /var/ossec/etc/rules/blacksuit_ransomware.xml
2. Add the following rules to the /var/ossec/etc/rules/blacksuit_ransomware.xml
file:
<group name="BlackSuit, ransomware,"> <!-- Ransomware execution --> <rule id="100011" level="12"> <if_sid>61603</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i).*.exe\s+-name\s\d{32}$</field> <description>Possible BlackSuit ransomware executed.</description> <mitre> <id>T1059</id> <id>T1086</id> </mitre> </rule> <!-- Inhibit system recovery --> <rule id="100012" level="12"> <if_sid>61603</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)vssadmin.exe\"\sDelete\sShadows\s\/All\s\/Quiet</field> <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description> <mitre> <id>T1490</id> <id>T1059.003</id> </mitre> </rule> <!-- Ransom note file creation --> <rule id="100013" level="15" timeframe="100" frequency="2"> <if_sid>61613</if_sid> <field name="win.eventdata.image" type="pcre2">\.exe</field> <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\README.BlackSuit.txt</field> <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. BlackSuit ransomware detected.</description> <mitre> <id>T1059</id> </mitre> </rule> </group>
The following rule IDs are triggered when activities related to BlackSuit ransomware are detected on an endpoint:
- Rule ID
100011
is triggered when BlackSuit ransomware is executed with an argument followed by a 32-character value on a victim endpoint. - Rule ID
100012
is triggered when BlackSuit ransomware deletes all the shadow copies of the files and folders on the endpoint. - Rule ID
100013
is triggered when BlackSuit ransomware drops its ransom note with the file nameREADME.BlackSuit.txt
in multiple folders.
3. Restart the Wazuh server to apply the changes:
# systemctl restart wazuh-manager
Alerts visualization
The screenshot below displays the alerts generated on the Wazuh dashboard when the BlackSuit ransomware is executed on the endpoint.
From the Wazuh dashboard,
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then filter by rule.id
.
3. In the Operator field, select is one of
.
4. Search and select rule IDs 100011
, 100012
, and 100013
in the Values field.
5. Click Save.
Detecting and removing malicious files utilizing YARA integration
Wazuh integrates with YARA, a tool designed to detect and classify malware artifacts. This integration scans files added or modified on a Windows endpoint to determine if they contain malware.
We configure the Wazuh File Integrity Monitoring module to track changes in a specific folder. Whenever files are added or modified in the monitored folder, the Wazuh Active Response module automatically initiates a YARA scan. It detects potentially malicious files based on predefined rules.
Windows endpoint
For this integration, we require the below prerequisites installed and configured on the endpoint.
- Python v 3.12.2 or later (with
pip
pre-installed). - Microsoft Visual C++ 2015 Redistributable.
After successfully installing the aforementioned prerequisites, proceed with the next steps to download the YARA executable.
Note: Run PowerShell as an administrator
1. Run the command to download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip
2. Extract the downloaded YARA file:
> Expand-Archive v4.3.2-2150-win64.zip
3. Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\
and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\' > cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
Once the above steps have been completed, we proceed to download the YARA rules.
4. In the same PowerShell terminal that was opened earlier, use the pip
utility to install valhallaAPI
. This API is used to retrieve the public signature-based YARA ruleset:
> pip install valhallaAPI
5. Create a file download_yara_rules.py
, and paste the below script into it:
from valhallaAPI.valhalla import ValhallaAPI v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111") response = v.get_rules_text() with open('yara_rules.yar', 'w') as fh: fh.write(response)
6. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\
folder:
> python download_yara_rules.py > mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\' > cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
7. Edit the downloaded YARA rule C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar
and add the following BlackSuit ransomware rule:
rule BlackSuit_ransomware { meta: description = "BlackSuit ransomware executable detection" author = "Aishat Motunrayo Awujola" reference = "https://github.com/Neo23x0/yarGen" date = "2024-10-03" hash1= "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c" strings: $x1 = "C:\Users\pipi-\source\repos\encryptor\Release\encryptor.pdb" fullword ascii $s2 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */ $s3 = "C:\Users\Adm\vcpkg\packages\openssl_x86-windows-static\bin" fullword ascii $s4 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\providers\implementations\ciphers\cipher_aes_hw_aesni.inc" ascii $s5 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\providers\implementations\ciphers\cipher_aes_cts.inc" fullword ascii $s6 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\providers\implementations\macs\blake2_mac_impl.c" fullword ascii $s7 = "get_payload_private_key" fullword ascii $s8 = "C:\Users\Adm\vcpkg\packages\openssl_x86-windows-static\lib\engines-3" fullword ascii $s9 = "C:\Users\Adm\vcpkg\packages\openssl_x86-windows-static" fullword ascii $s10 = "get_payload_public_key" fullword ascii $s11 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\crypto\err\err_local.h" fullword ascii $s12 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\providers\implementations\ciphers\cipher_camellia_cts.inc" ascii $s13 = "C:\Windows\Sysnative\bcdedit.exe" fullword wide $s14 = "C:\Windows\Sysnative\vssadmin.exe" fullword wide $s15 = "error processing message" fullword ascii $s16 = "C:\Users\Adm\vcpkg\buildtrees\openssl\x86-windows-static-rel\engines\e_capi_err.c" fullword ascii $s17 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s18 = "get_dh_dsa_payload_p" fullword ascii $s19 = "loader incomplete" fullword ascii $s20 = "get_payload_group_name" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 7000KB and 1 of ($x*) and 4 of them }
8. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf
file and add the configuration below within the <syscheck>
block to monitor the Downloads
folders of all users in real-time using the Wazuh FIM module:
<directories realtime="yes">C:\Users\*\Downloads</directories>
Note: In this blog post, the Downloads
folders of all users are monitored. However, you can configure other folders you wish to monitor depending on your specific needs.
9. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\
folder.
10. Copy the script below into the yara.bat
file. The Wazuh Active Response module automatically runs this file to perform YARA scans for malware detection and removal:
:: This script deletes BlackSuit ransomware as well as other malicious files matched by the YARA Rules @echo off setlocal enableDelayedExpansion reg Query "HKLM\Hardware\Description\System\CentralProcessor> Restart-Service -Name wazuh" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT if %OS%==32BIT ( SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log" ) if %OS%==64BIT ( SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log" ) set input= for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a ) set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt" set syscheck_file_path= echo %input% > %json_file_path% FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO ( SET syscheck_file_path=%%F ) set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" echo %syscheck_file_path% >> %log_file_path% for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do ( echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path% :: Deleting the scanned file. del /f "%syscheck_file_path%" >nul 2>&1 if exist "%syscheck_file_path%" ( echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path% ) else ( echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path% ) ) exit /b
11. Restart the Wazuh agent for the changes to take effect:
<group name= "syscheck,"> <rule id="100024" level="7"> <if_sid>550</if_sid> <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field> <description>File modified in the Downloads folder.</description> </rule> <rule id="100025" level="7"> <if_sid>554</if_sid> <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field> <description>File added to the Downloads folder.</description> </rule> </group>
Wazuh server
Follow the below steps to configure rules, custom decoders, and active response.
1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml
file. These rules will trigger alerts for any files added or modified in the Downloads
directory on the monitored endpoint.
<command> <name>yara</name> <executable>yara.bat</executable> <timeout_allowed>no</timeout_allowed> </command> <active-response> <command>yara</command> <location>local</location> <rules_id>100024,100025</rules_id> </active-response>
Where:
- Rule ID
100024
is triggered when a file is modified in theDownloads
directory. - Rule ID
100025
is triggered when a file is added to theDownloads
directory.
2. Add the following configuration to the /var/ossec/etc/ossec.conf
file within the <ossec_config>
block:
<decoder name="yara_decoder"> <prematch>wazuh-yara:</prematch> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder>
The Wazuh Active Response module executes the yara.bat
script when a file is added or modified in the Downloads
folder.
Where:
<name>
specifies the name of the command being called in the active response section.<executable>
specifies the executable file to run.<command>
specifies the command that the active response will use.- The
<active response>
block calls the<command>
block when the rule ID100024
or100025
is triggered. <location>
specifies where the active response script is executed.
3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml
file to decode the logs generated by the active response script:
<!-- Rule for the decoder (yara_decoder) --> <group name="yara,"> <rule id="100026" level="0"> <decoded_as>yara_decoder</decoded_as> <description>Yara grouping rule</description> </rule> <!-- YARA scan detects a positive match --> <rule id="100027" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Scan result: </match> <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description> </rule> <!-- Wazuh successfully deletes malware with a positive match --> <rule id="100028" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match> <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description> </rule> <!-- Wazuh encounters an error when deleting malware with a positive match --> <rule id="100029" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match> <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description> </rule> </group>
4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml
to generate alerts when YARA active response actions are taken:
$ sudo systemctl restart wazuh-manager
Where:
- Rule ID
100026
is the base rule for detecting YARA related events. - Rule ID
100027
is triggered when YARA scans and detects a malicious file. - Rule ID
100028
is triggered when the detected file has been successfully removed by the Wazuh active response module. - Rule ID
100029
is triggered when the detected file is not removed successfully by Wazuh active response.
5. Restart the Wazuh manager for the changes to take effect:
$ sudo systemctl restart wazuh-manager
Detection results
Alerts are generated on the dashboard when the BlackSuit ransomware executable is added to the monitored folder, in this case, the Downloads folder of the victim endpoint. To view these alerts on the Wazuh dashboard:
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then filter by rule.id
.
3. In the Operator field, select is one of
.
4. Search and select rule IDs 100025
, 100027
, and 100028
in the Values field.
5. Click Save.
Conclusion
BlackSuit ransomware highlights the ongoing evolution of ransomware, where attackers continue to refine their methods to maximize disruption and profit. Organizations must stay vigilant by employing strong incident response plans and implementing advanced security measures, to detect and defend against ransomware attacks. Early detection and proactive security measures are key to mitigating the impact of such sophisticated threats.
In this blog post, we illustrated how organizations can leverage Wazuh to detect and remove BlackSuit ransomware on Windows endpoints. We used Sysmon to enrich logs from the victim endpoint and created detection rules for identifying malicious behavior related to BlackSuit ransomware. Furthermore, we employed YARA with the Wazuh Active Response module to detect and automatically remove the ransomware upon its download to the monitored endpoint.
Wazuh is a free open source security platform offering a wide range of capabilities to monitor and protect your infrastructure from malicious activities. Refer to our blog post Ransomware protection on Windows with Wazuh for more information on how to recover files to a state prior to encryption. If you have any questions about this blog post or Wazuh in general, feel free to join our active Slack community, where we are available to help.
References