BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption

    Date: 07/16/2025

    Severity: Medium

    Summary

    This report examines a recent ransomware intrusion by the BlackSuit group, a successor to the Royal ransomware family. BlackSuit runs a hybrid extortion model: data is exfiltrated before systems are encrypted, so victims face both leakage and downtime. The operators rely on PsExec and Cobalt Strike for command execution and lateral movement, RDP for interactive access, and rclone to push stolen data to attacker-controlled storage. The group re-emerged in 2024 with heightened sophistication, demanding ransoms between $1M and $10M in Bitcoin. Notably, the ransom amount is omitted from the initial note; victims learn it only by negotiating over a Tor-based portal, which signals a shift in ransomware negotiation strategy and adds operational complexity for responders.

    Indicators of Compromise (IOC) List 

    Url/Domain

    misstallion.com

    store.misstallion.com

    mail.misstallion.com

    beamofthemoon.com

    store.beamofthemoon.com

    mail.beamofthemoon.com

    kiddlanka.com

    mail.kiddlanka.com

    IP Address

    180.131.145.85

    82.192.88.95

    88.119.175.194

    184.174.96.71

    Hash

    d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b
    
    69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03
    
    0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "misstallion.com" or siteurl like "misstallion.com" or url like "misstallion.com" or domainname like "store.misstallion.com" or siteurl like "store.misstallion.com" or url like "store.misstallion.com" or domainname like "mail.misstallion.com" or siteurl like "mail.misstallion.com" or url like "mail.misstallion.com" or domainname like "beamofthemoon.com" or siteurl like "beamofthemoon.com" or url like "beamofthemoon.com" or domainname like "store.beamofthemoon.com" or siteurl like "store.beamofthemoon.com" or url like "store.beamofthemoon.com" or domainname like "mail.beamofthemoon.com" or siteurl like "mail.beamofthemoon.com" or url like "mail.beamofthemoon.com" or domainname like "kiddlanka.com" or siteurl like "kiddlanka.com" or url like "kiddlanka.com" or domainname like "mail.kiddlanka.com" or siteurl like "mail.kiddlanka.com" or url like "mail.kiddlanka.com"

    Hostnames are case-insensitive, so the mixed-case entries (Mail.beamofthemoon.com, Store.misstallion.com) have been folded into their lowercase forms above and the duplicate mail.beamofthemoon.com clause removed. In SQL-style query languages, like with no wildcard behaves as an exact match; if the url or siteurl field holds a full URL rather than a bare hostname, the pattern needs wildcards (for example "%beamofthemoon.com%"), with the caveat that such a pattern also matches unrelated hosts whose names merely end in that string.

    Detection Query 2 : 

    dstipaddress IN ("180.131.145.85","82.192.88.95","184.174.96.71","88.119.175.194") or srcipaddress IN ("180.131.145.85","82.192.88.95","184.174.96.71","88.119.175.194")

    Detection Query 3 : 

    sha256hash IN ("69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03","d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b","0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298")
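    The three queries above are platform-specific, so the following added example (written for this page, not code from the original report or from Gurucul or Cybereason) shows the same IOC matching in plain Python over constructed sample log records. It goes slightly beyond the queries: hostnames are compared case-insensitively, a full URL in the url field is reduced to its host, a subdomain of a listed apex (such as cdn.beamofthemoon.com) is treated as a hit, and a lookalike such as notkiddlanka.com is not. The field names (domainname, siteurl, url, srcipaddress, dstipaddress, sha256hash) are taken from the queries; the sample records and the helper function names are assumptions.

```python
"""Added example (not part of the original report): match the report's IOC
domains, IP addresses and SHA-256 hashes against constructed log records,
covering the pitfalls an exact-match 'like' leaves open (case, full URLs,
subdomains) without the substring false positives a bare '%...%' brings."""
import ipaddress
from urllib.parse import urlsplit

# IOCs as listed in the report; hostnames are lowercased so the duplicate
# Mail./mail.beamofthemoon.com entries collapse to a single value.
IOC_DOMAINS = {d.lower() for d in [
    "misstallion.com", "Store.misstallion.com", "mail.misstallion.com",
    "store.beamofthemoon.com", "Mail.beamofthemoon.com", "beamofthemoon.com",
    "mail.beamofthemoon.com", "mail.kiddlanka.com", "kiddlanka.com",
]}
IOC_IPS = {ipaddress.ip_address(a) for a in [
    "180.131.145.85", "82.192.88.95", "88.119.175.194", "184.174.96.71"]}
IOC_SHA256 = {
    "d53f5c10f07d4610a0fa1b6a8638648e4ab5370377364a2cc7aff4bb75c4d71b",
    "69a20bae02480e03cb36e26729ed4a74c613eee5ba8c44396655da84a851fd03",
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298",
}


def hostname_of(value):
    """Return the lowercase hostname from a bare domain or a full URL."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v            # make urlsplit treat the value as a netloc
    return (urlsplit(v).hostname or "").rstrip(".")


def domain_hit(value):
    """True if the host is an IOC domain or a subdomain of one.
    Walks the label suffixes (a.b.c -> a.b.c, b.c) but never the bare TLD,
    so 'notkiddlanka.com' does not match 'kiddlanka.com'."""
    labels = hostname_of(value).split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS
               for i in range(len(labels) - 1))


def ip_hit(value):
    """True if the value parses as an IP address present in the IOC set."""
    try:
        return ipaddress.ip_address(value.strip()) in IOC_IPS
    except ValueError:
        return False


def hash_hit(value):
    """Case-insensitive SHA-256 lookup (EDR products vary in hex casing)."""
    return value.strip().lower() in IOC_SHA256


# Field-to-matcher mapping mirroring the three detection queries.
MATCHERS = {
    "domainname": domain_hit, "siteurl": domain_hit, "url": domain_hit,
    "srcipaddress": ip_hit, "dstipaddress": ip_hit,
    "sha256hash": hash_hit,
}


def scan(records):
    """Return (record index, field, value) for every IOC match found."""
    hits = []
    for idx, rec in enumerate(records):
        for field, matcher in MATCHERS.items():
            val = rec.get(field)
            if val and matcher(val):
                hits.append((idx, field, val))
    return hits


# Constructed sample records for the demonstration; not from any real incident.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "88.119.175.194", "url": ""},
    {"url": "https://Store.Misstallion.com/upload?id=7"},   # mixed case, full URL
    {"domainname": "cdn.beamofthemoon.com"},                 # subdomain of a listed apex
    {"domainname": "notkiddlanka.com"},                      # lookalike: must not match
    {"sha256hash": "69A20BAE02480E03CB36E26729ED4A74C613EEE5BA8C44396655DA84A851FD03"},
    {"srcipaddress": "192.168.1.20", "dstipaddress": "8.8.8.8"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("IOC match:", hit)
```

    Running the block reports four hits (records 0, 1, 2 and 4) and correctly ignores the lookalike domain and the benign traffic. Matching on label suffixes rather than substrings is the design choice worth carrying back into the production query: it catches any subdomain an operator stands up under a known apex while refusing hosts that merely end in the same characters.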

    Reference:

    https://www.cybereason.com/blog/blacksuit-data-exfil


    Tags

    Malware, Ransomware, BlackSuit, Royal Ransomware, Cobalt Strike, RDP, Rclone, PsExec
