BlackSuit attacks The Post and Courier

Incident Date:

April 15, 2024

Overview

Title

BlackSuit attacks The Post and Courier

Victim

The Post and Courier

Attacker

BlackSuit

Location

Charleston, South Carolina, USA

First Reported

April 15, 2024

The Post and Courier Targeted by BlackSuit Ransomware Gang

Attack Details

The BlackSuit ransomware gang has attacked The Post and Courier and exfiltrated 500GB of internal files, subscriber data, and employee data. The information allegedly included employees’ Social Security Numbers, passports, driver’s licenses, and other documents. Subscriber data allegedly includes credit card payment information, postal and email addresses, and contact information. An initial ransom of $1,750,000 was demanded; after further discussion, BlackSuit agreed to a 50% discount, but only if payment was made within 48 hours.

About The Post and Courier

The Post and Courier is the main daily newspaper in Charleston, South Carolina. It traces its ancestry to three newspapers: the Charleston Courier, founded in 1803; the Charleston Daily News, founded in 1865; and The Evening Post, founded in 1894.

BlackSuit Ransomware Group

BlackSuit is a recently emerged ransomware group and strain that bears a striking resemblance to the Royal ransomware gang, itself the successor of the infamous Russian-linked Conti operation. Earlier reports have covered the Windows and Linux variants of Royal. Like Royal, BlackSuit is known for targeting both Windows and Linux systems.

The YARA rules for the Linux variant of BlackSuit also match samples of the Royal Linux variant. According to a comparison with the BinDiff tool, the Royal and BlackSuit Linux variants share 98% similarity in functions, 99.5% similarity in basic blocks, and 98.9% similarity in jumps.

Although BlackSuit accepts command-line arguments that function similarly to those used by Royal, the argument strings themselves differ. Moreover, BlackSuit supports extra arguments that are not present in Royal ransomware.

For the 32-bit Windows variants of the BlackSuit and Royal ransomware families, researchers noted 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% in jumps based on BinDiff. While the BlackSuit and Royal Windows variants use different argument strings, the purposes of those arguments are similar.

Both BlackSuit and Royal use OpenSSL's AES for encryption and employ comparable intermittent encryption techniques (encrypting only portions of each file) for fast and efficient encryption of victim files. Once the files on a victim machine are encrypted, BlackSuit appends the .blacksuit extension to them and presents its ransom note. The ransom note contains the ransomware's Tor chat site and a unique ID for each affected victim.
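A defender-side check for the intermittent encryption pattern described above, added here as an example and not taken from the RRA page or from any BlackSuit or Royal sample: it computes per-chunk Shannon entropy and labels a file body by whether ciphertext-like and plaintext-like regions alternate, which is what partial or intermittent encryption leaves behind. The 4096-byte window, the 7.0 bits/byte threshold and the constructed sample inputs are assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # assumed profiling window, in bytes
HIGH_ENTROPY = 7.0  # assumed threshold in bits/byte; AES ciphertext sits close to 8.0


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Per-chunk entropy; intermittent encryption shows up as an alternating profile."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Label a file body: empty, plaintext, fully-encrypted, partial (one boundary) or intermittent."""
    high = [e >= HIGH_ENTROPY for e in entropy_profile(data, chunk)]
    if not high:
        return "empty"
    if all(high):
        return "fully-encrypted"
    if not any(high):
        return "plaintext"
    # Count boundaries between ciphertext-like and plaintext-like regions.
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "partial"


def build_samples(seed: int = 1):
    """Constructed inputs: a plain file, a fully encrypted one and an intermittently encrypted one."""
    rng = random.Random(seed)
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK]

    def cipher_chunk() -> bytes:  # pseudo-random bytes stand in for AES output
        return bytes(rng.getrandbits(8) for _ in range(CHUNK))

    plain = text * 6
    full = b"".join(cipher_chunk() for _ in range(6))
    intermittent = b"".join(cipher_chunk() if i % 2 == 0 else text for i in range(6))
    return plain, full, intermittent


if __name__ == "__main__":
    for name, body in zip(("plain", "full", "intermittent"), build_samples()):
        print(name, classify(body), [round(e, 2) for e in entropy_profile(body)])
```

In practice the profile would be run over files carrying the .blacksuit extension or sitting next to a ransom note, so that a triage script can distinguish encrypted files from ones the ransomware never touched.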

BlackSuit threat actors operate a leak site and follow a double extortion model, demanding payment both to decrypt files and to withhold publication of the stolen data.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given the overarching, lucrative success threat actors have had so far, ransomware has become the most ubiquitous and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.