BlackSuit Ransomware Hits Virginia's Northwestern Community Services Board

Incident Date: August 24, 2024


Overview

Title: BlackSuit Ransomware Hits Virginia's Northwestern Community Services Board
Victim: Northwestern Community Services
Attacker: BlackSuit
Location: Front Royal, Virginia, USA
First Reported: August 24, 2024

BlackSuit Ransomware Group Targets Northwestern Community Services Board

Northwestern Community Services Board (NWCSB), a public behavioral health organization based in the Shenandoah Valley of Virginia, has fallen victim to a ransomware attack orchestrated by the BlackSuit group. The attack, which was identified on August 9, 2023, has resulted in the exfiltration of approximately 34 GB of sensitive data from the organization.

About Northwestern Community Services Board

NWCSB is a nonprofit entity that employs over 250 professionals dedicated to providing a comprehensive range of services aimed at supporting individuals affected by emotional and behavioral disorders, mental illness, substance use, and intellectual and developmental disabilities. The organization serves several counties, including Clarke, Frederick, Page, Shenandoah, and Warren, along with the City of Winchester. Their services include outpatient care, case management, psychiatric rehabilitation, emergency services, prevention programs, and peer recovery services.

Attack Overview

The BlackSuit ransomware group claims to have exfiltrated data stored in the directory Y:\jerseynwcsb\DATA\Shares, which includes subdirectories such as Implementation, PACT, Payroll, PSH, Site Timesheets, Statements, and users. The file listing shows 36,045 files totaling approximately 36.3 GB in 9,110 directories, with around 9.78 TB of free space remaining on the drive. This breach poses a significant threat to the confidentiality and integrity of NWCSB's data.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The ransom note includes a reference to a Tor chat site where victims can contact the operators. Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit may be a new variant developed by the same authors, a copycat, or an affiliate of the Royal ransomware gang.
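
For responders scoping an affected file share, the two on-disk indicators named above (the .blacksuit extension and the README.BlackSuit.txt note) can be counted per directory. The following is an added example, not code from this report or from any vendor tool; the sample tree and its directory names are constructed, and matching is by file name only.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "readme.blacksuit.txt"  # ransom note name given in the text
ENC_SUFFIX = ".blacksuit"           # extension appended to encrypted files


def triage(root):
    """Map each affected directory (relative to root) to its artifact counts."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]  # Windows shares are case-insensitive
        notes = names.count(NOTE_NAME)
        encrypted = sum(n.endswith(ENC_SUFFIX) for n in names)
        if notes or encrypted:
            rel = Path(dirpath).relative_to(root).as_posix()
            findings[rel] = {
                "note": bool(notes),
                "encrypted": encrypted,
                "intact": len(names) - encrypted - notes,  # files not yet renamed
            }
    return findings


def build_sample_tree(base):
    """Constructed sample share: two touched directories, one clean."""
    layout = {
        "finance": ["q1.xlsx.blacksuit", "q2.xlsx.blacksuit", "README.BlackSuit.txt"],
        "hr/forms": ["leave.docx.BLACKSUIT", "policy.pdf"],  # no note, mixed state
        "public": ["welcome.txt"],
    }
    for rel, files in layout.items():
        d = Path(base, rel)
        d.mkdir(parents=True)
        for name in files:
            (d / name).write_bytes(b"constructed sample")
    return base


def run_sample():
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for directory, info in sorted(run_sample().items()):
        print(directory, info)
```

Directories that report intact files alongside encrypted ones, or encrypted files without a note, are still listed so that partially affected locations are not missed during scoping.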

Potential Vulnerabilities

NWCSB's extensive range of services and large workforce make it a prime target for ransomware attacks. The organization's reliance on digital records and sensitive data related to mental health, substance use, and developmental services increases its vulnerability. The attack highlights the critical need for enhanced cybersecurity measures to protect sensitive information in the healthcare sector.
