Threat Research

    A recent ransomware attack revealed distinct tactics by the BlackSuit group, believed to be a rebrand of Royal, which evolved from Conti. They used tools like Cobalt Strike, rclone, RDP, psexec, and vssadmin in a multi-stage operation targeting data exfiltration and encryption. BlackSuit uniquely exfiltrates and deletes some data before encryption to speed up the process....
    A new Chaos ransomware group is carrying out double extortion attacks using spam, social engineering, and remote tools. Their ransomware is fast, stealthy, and hits both local and network systems. Though sharing a name with older variants, this group is likely unrelated and may include ex-BlackSuit (Royal) members....
    This report examines a recent ransomware attack by the BlackSuit group, a successor to the Royal ransomware family. Known for its hybrid tactics, BlackSuit combines data exfiltration with encryption, using advanced tools like PsExec, Cobalt Strike, RDP, and rclone to execute commands, move laterally, and extract data....
    The threat actor gained initial access via a fake Zoom installer, deploying d3f@ckloader and IDAT loader to drop SectopRAT. After nine days, SectopRAT delivered Cobalt Strike and Brute Ratel, enabling lateral movement through remote services and RDP. To facilitate RDP movement, the attacker used QDoor, a malware with proxy capabilities....