FBI Issues Warning as 'Men in Black' Hackers Demand $60 Million Ransom
In an August 7 update, law enforcement and security agencies detailed the tactics, techniques, and procedures (TTPs) used by the BlackSuit ransomware group
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released an updated joint advisory on a ransomware group whose demands have reached $60 million from a single victim and more than $500 million in total. The group, previously operating as Royal ransomware, now calls itself BlackSuit. Whatever the name, the FBI, known for its agents dressed in black, says it remains fully committed to tracking the criminals down.
FBI Exposes BlackSuit's Methods
The August 7 update refreshes the advisory's TTPs and indicators of compromise with information gathered through July to assist network defenders. Advisory AA23-061A describes how the group operates: it exfiltrates data before encrypting systems, then demands a ransom and threatens to publish the stolen data if the victim does not pay, the double-extortion model now standard among ransomware crews.
Social engineering, chiefly phishing emails, is the primary initial-access method; the advisory also lists compromised RDP credentials, exploitation of vulnerable public-facing applications and access bought from initial access brokers. Once inside, the actors disable security tooling and exfiltrate data before deploying the ransomware that encrypts systems.
BlackSuit Ransoms Between $1 Million and $60 Million
BlackSuit's demands typically range from about $1 million to $10 million, depending on the victim, with the highest known demand reaching $60 million. Negotiation is usual, so that figure marks the top of the range rather than a typical payout. For comparison, the largest ransom payment reported to date, $75 million, went to the Dark Angels group. Rather than naming a price in the initial ransom note, BlackSuit supplies a Tor (.onion) link and sets the amount in direct negotiation. The group may also apply pressure through phone calls or emails to the victim, in the style of traditional extortion.
Dr. Martin Kraemer, a security advocate at KnowBe4, stated that BlackSuit is known for its aggressive tactics, which include threatening to expose corporate misconduct, intimidating employees’ families, or blackmailing them by revealing illegal activities.
Mitigating BlackSuit Attacks
To counter BlackSuit, the FBI advises strong password hygiene, multi-factor authentication (MFA, ideally the phishing-resistant kind) and account lockout after a set number of failed login attempts. Prompt patching, prioritising known exploited vulnerabilities, closes the holes the group uses to get in, and network segmentation limits how far an intrusion can spread once it does.
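To make the lockout recommendation concrete, here is an added example written for this article (not code from the advisory or any vendor product). It implements a sliding-window lockout that locks an account after five failures in fifteen minutes, plus a per-source throttle, because a per-account lock alone does nothing against password spraying, where one guess is tried against many accounts. The event lists, user names, IP addresses, thresholds and the password check are all constructed for the demo.

```python
"""Account lockout with a sliding window (added example, not from the advisory).

Two counters run side by side:
  * per account -> lock the account after ACCOUNT_THRESHOLD failures
  * per source  -> throttle the source IP after SOURCE_THRESHOLD failures
The second one matters because password spraying sends one guess to each
of many accounts and never trips a per-account threshold.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60      # failures older than this no longer count
ACCOUNT_THRESHOLD = 5         # failures per account before it is locked
SOURCE_THRESHOLD = 20         # failures per source IP before it is throttled
LOCKOUT_SECONDS = 30 * 60     # how long a lock or throttle lasts


class LoginGuard:
    def __init__(self):
        self._account_fail = defaultdict(deque)   # user -> failure timestamps
        self._source_fail = defaultdict(deque)    # ip   -> failure timestamps
        self._locked_until = {}                   # user -> unix time
        self._throttled_until = {}                # ip   -> unix time

    @staticmethod
    def _prune(q, now):
        """Drop failures that have fallen out of the window."""
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, user, ip, now):
        """Return a reason string if this attempt must be refused, else None."""
        if self._locked_until.get(user, 0) > now:
            return "account_locked"
        if self._throttled_until.get(ip, 0) > now:
            return "source_throttled"
        return None

    def record_failure(self, user, ip, now):
        for q, key, threshold, table in (
            (self._account_fail[user], user, ACCOUNT_THRESHOLD, self._locked_until),
            (self._source_fail[ip], ip, SOURCE_THRESHOLD, self._throttled_until),
        ):
            self._prune(q, now)
            q.append(now)
            if len(q) >= threshold:
                table[key] = now + LOCKOUT_SECONDS

    def record_success(self, user, now):
        self._account_fail.pop(user, None)   # a real login resets the account counter


# Constructed credential store for the demo; a real system verifies a hash.
PASSWORDS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    return PASSWORDS.get(user) == password


def simulate(events):
    """events: (unix_time, user, source_ip, password) tuples -> outcome per event."""
    guard = LoginGuard()
    outcomes = []
    for now, user, ip, password in events:
        blocked = guard.is_blocked(user, ip, now)
        if blocked:
            outcomes.append(blocked)      # refused before the password is even checked
        elif check_password(user, password):
            guard.record_success(user, now)
            outcomes.append("ok")
        else:
            guard.record_failure(user, ip, now)
            outcomes.append("fail")
    return outcomes


# Scenario 1 (constructed): brute force on one account. The sixth attempt uses the
# real password but is refused because the account is already locked.
BRUTE_FORCE = [(t, "alice", "10.0.0.5", "guess%d" % t) for t in range(5)]
BRUTE_FORCE.append((5, "alice", "10.0.0.5", "correct horse battery staple"))

# Scenario 2 (constructed): password spray, one guess against each of 21 accounts
# from a single IP. No account reaches its threshold; the source throttle catches it.
SPRAY = [(100 + i, "user%02d" % i, "198.51.100.7", "Summer2024!") for i in range(21)]


def run_brute_force_demo():
    return simulate(BRUTE_FORCE)


def run_spray_demo():
    return simulate(SPRAY)


if __name__ == "__main__":
    print("brute force:", run_brute_force_demo())
    print("spray:      ", run_spray_demo())
```

In production the counters live in a shared store so that every login front end sees the same state, and lockouts should be reported to the SOC: a burst of locks across many accounts is itself a strong indicator of a spray in progress.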
Cassius Edison, head of professional services at Closed Door Security, emphasized that "prevention is the best defense against ransomware," urging organizations to use FBI insights to bolster their defenses.
MFA Vulnerabilities and Bypassing Security
Earlier this year Mandiant, Google's cybersecurity subsidiary, had its X (formerly Twitter) account hijacked and used to promote a cryptocurrency scam. The episode is a reminder that MFA is not a guarantee: attackers increasingly steal the authentication tokens or session cookies issued after a successful MFA login rather than attacking the second factor itself.
In January a Malwarebytes Labs researcher detailed how MFA on Google accounts can be bypassed when a Trojan on the victim's system lifts the data that proves the login already happened. Meduza Stealer, for instance, harvests data from browsers, MFA apps, crypto wallets and password managers, and is built to evade antivirus detection.
Interception of the second factor is another common route. An attacker with access to a victim's mailbox can read emailed one-time codes without the victim noticing, and spyware on a phone can capture authenticator-app notifications. Keyloggers, which record keystrokes, featured in the LastPass breach: one planted on a key employee's device let the attackers reach customer data.
Malware such as Emotet can also steal session cookies from infected devices; replaying a cookie from an already-authenticated session lets the attacker skip the login, and the MFA prompt with it, entirely. Where SMS is the second factor, an attacker may impersonate the victim to the mobile carrier and obtain a replacement SIM card (SIM swapping), after which every SMS code is delivered to the attacker's handset.
Social Engineering: Old Tricks with New Twists
Despite technological advances, scammers still lean on social engineering, such as phishing and fake login pages, to steal credentials and codes. A more recent variant, MFA fatigue (also called push bombing or push spam), floods a user with login approval requests until one is approved, by accident or out of sheer annoyance.
The attacker already holds the victim's password; each login attempt fires a push notification to the victim's phone, and the attacker repeats the attempt until the victim taps approve just to make the notifications stop. If that fails, the attacker may phone the victim posing as IT support and talk them through approving a specific attempt. Number matching, where the app requires the user to type a number shown on the login screen, defeats the blind-approval version of this attack.
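To show what push bombing looks like in data, here is an added example (not code from the article's sources) that scans constructed identity-provider log lines for a user receiving five or more push prompts within ten minutes and escalates the alert when an approval arrives during the storm. The log format, user names and addresses are invented for the demo; real IdP logs carry the same fields under different names.

```python
"""Push-bombing detection over IdP log lines (added example, not from the article's sources)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the demo; real IdPs use different field names.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>approved|denied|timeout) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=10)   # look-back window per user
THRESHOLD = 5                    # prompts within the window that raise an alert

# Constructed sample: jdoe is bombed and finally approves; asmith logs in normally;
# bwong's prompts are spread over hours and should not trigger.
SAMPLE_LOG = """\
2024-08-07T09:00:10Z user=asmith event=mfa_push result=approved src=198.51.100.20
2024-08-07T09:15:00Z user=jdoe event=mfa_push result=denied src=203.0.113.9
2024-08-07T09:15:30Z user=jdoe event=mfa_push result=denied src=203.0.113.9
2024-08-07T09:16:05Z user=jdoe event=mfa_push result=timeout src=203.0.113.9
2024-08-07T09:16:40Z user=jdoe event=mfa_push result=denied src=203.0.113.9
2024-08-07T09:17:15Z user=jdoe event=mfa_push result=timeout src=203.0.113.9
2024-08-07T09:17:50Z user=jdoe event=mfa_push result=denied src=203.0.113.9
2024-08-07T09:18:30Z user=jdoe event=mfa_push result=approved src=203.0.113.9
2024-08-07T10:00:00Z user=bwong event=mfa_push result=timeout src=192.0.2.4
2024-08-07T10:20:00Z user=bwong event=mfa_push result=timeout src=192.0.2.4
2024-08-07T10:40:00Z user=bwong event=mfa_push result=denied src=192.0.2.4
2024-08-07T11:00:00Z user=bwong event=mfa_push result=timeout src=192.0.2.4
2024-08-07T11:20:00Z user=bwong event=mfa_push result=approved src=192.0.2.4
"""


def parse_log(text):
    """Parse push-prompt lines; unrelated or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """One alert per user who receives >= threshold prompts inside the window.

    The alert is 'high' while the prompts are denied or time out, and is
    raised to 'critical' the moment an approval arrives during the storm,
    because that approval is the attacker's win condition.
    """
    recent = defaultdict(deque)   # user -> prompts still inside the window
    alerts = {}                   # user -> alert record
    for e in sorted(parse_log(text), key=lambda x: x["ts"]):
        user = e["user"]
        q = recent[user]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        alert = alerts.get(user)
        if alert is None:
            if len(q) >= threshold:
                alerts[user] = {
                    "user": user,
                    "first": q[0]["ts"],
                    "prompts": len(q),
                    "sources": {x["src"] for x in q},
                    "approved_at": None,
                    "severity": "high",
                }
            continue
        # Storm already flagged for this user: keep counting and watch for approval.
        alert["prompts"] += 1
        alert["sources"].add(e["src"])
        if e["result"] == "approved" and alert["approved_at"] is None:
            alert["approved_at"] = e["ts"]
            alert["severity"] = "critical"
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(a["severity"].upper(), a["user"], a["prompts"], "prompts since",
              a["first"].isoformat(), "approved:", a["approved_at"])
```

The "critical" path is the one responders care about: a storm of denials followed by an approval from the same source is the signature of a successful fatigue attack, and the right response is to revoke that user's sessions and reset the password the attacker evidently already holds, not just to note the alert.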
How to Use MFA Safely
While MFA is not foolproof, it remains a critical security tool. By complicating the path for attackers, MFA lowers the chances of a successful breach. Here are some tips for safe MFA use:
Only approve MFA requests you initiated yourself. If an unexpected push notification or SMS code arrives, deny it and change your password, because someone may already have it.
Use an authenticator app (for example, Google Authenticator) rather than SMS codes, which are easier to intercept or redirect through SIM swapping. App-generated codes can still be phished in real time; hardware security keys or passkeys (FIDO2) resist that as well.
Regularly review account activity for unauthorized logins or changes.
Stay vigilant for phishing scams designed to steal MFA codes.
Enable notifications for account changes, such as password resets, to act quickly if your account is compromised.
Combine MFA with strong, unique passwords.
Keep your devices secure with passwords, PINs, or biometrics, and install trusted antivirus software to detect malware.