Ransomware Attack Disrupts Arango Billboard & Construction Operations

Incident Date: Jun 25, 2024

Attack Overview

Victim: Arango Billboard & Construction
Industry: Construction
Location: USA
Attacker: Black Suit
First reported: June 25, 2024

Ransomware Attack on Arango Billboard & Construction by BlackSuit Group

Overview of Arango Billboard & Construction

Arango Billboard & Construction Co LLC, headquartered in Miami, Florida, specializes in the design, construction, and maintenance of outdoor advertising structures, commonly known as billboards. The company provides a full suite of services, including initial consultation, site selection, design, construction, and ongoing maintenance. Their expertise in creating visually appealing and structurally sound billboards has established them as a significant player in the outdoor advertising industry.

With a workforce of 21-50 employees and revenue between $5M and $10M, Arango Billboard & Construction is a mid-sized company. They are authorized by the Federal Motor Carrier Safety Administration (FMCSA) to operate in the passenger, property, and household goods transportation sectors. Despite their success, the company is not accredited by the Better Business Bureau (BBB).

Details of the Ransomware Attack

On June 26, 2024, Arango Billboard & Construction was targeted by a ransomware attack executed by the BlackSuit ransomware group. The attack led to a data breach of an unspecified size, severely disrupting the company's operations. The BlackSuit group claimed responsibility for the attack on their dark web leak site, a common tactic used to pressure victims into paying the ransom.

About the BlackSuit Ransomware Group

BlackSuit is a relatively new ransomware family that surfaced in 2023. It shares significant similarities in code and functionality with the notorious Royal ransomware. BlackSuit targets both Windows and Linux systems, including VMware ESXi servers. The ransomware appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note directs victims to a Tor chat site to communicate with the operators.
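For responders scoping an incident, the two file-system artifacts named above can be swept for directly. The Python sketch below is an added example, not code from the original report or from Halcyon; its function names and the sample directory tree are constructed for illustration. It reports, per directory, whether the ransom note is present and how many files carry the .blacksuit extension versus how many do not.

```python
import os
import tempfile
from dataclasses import dataclass

# Indicators taken from the description above; compared case-insensitively
# because Windows file systems are case-insensitive by default.
NOTE_NAME = "readme.blacksuit.txt"
ENC_SUFFIX = ".blacksuit"

@dataclass
class DirFinding:
    note_present: bool = False
    encrypted: int = 0   # files ending in .blacksuit
    other: int = 0       # files without the extension (excluding the note)

def scan(root):
    """Walk root (symlinked directories are not followed) and return
    {relative directory: DirFinding} for directories holding either indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        f = DirFinding()
        for name in files:
            low = name.casefold()
            if low == NOTE_NAME:
                f.note_present = True
            elif low.endswith(ENC_SUFFIX):
                f.encrypted += 1
            else:
                f.other += 1
        if f.note_present or f.encrypted:
            findings[os.path.relpath(dirpath, root)] = f
    return findings

def build_sample_tree(root):
    """Constructed sample data: empty files named to mimic the artifacts."""
    layout = {
        "finance": ["README.BlackSuit.txt", "q1.xlsx.blacksuit", "q2.xlsx.blacksuit"],
        "designs": ["readme.blacksuit.txt", "sign.dwg.blacksuit", "notes.txt"],
        "tools": ["setup.exe", "manual.pdf"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for d, f in sorted(scan(tmp).items()):
            print(f"{d}: note={f.note_present} encrypted={f.encrypted} other={f.other}")
```

A directory with the note present and a non-zero `other` count still holds files without the extension, which helps prioritize what to preserve and what to restore from backup.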

Researchers have noted a high degree of similarity between BlackSuit and Royal ransomware, suggesting that BlackSuit could be a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang. The emergence of BlackSuit indicates that the threat actors behind Royal may have inspired other cybercriminals to develop similar ransomware families.

Potential Vulnerabilities and Attack Penetration

Arango Billboard & Construction's mid-sized status and lack of BBB accreditation may have made them an attractive target for ransomware groups like BlackSuit. Companies of this size often have fewer resources dedicated to cybersecurity compared to larger enterprises, making them more vulnerable to sophisticated cyberattacks. The specific vulnerabilities exploited by BlackSuit in this attack are not publicly known, but common entry points for ransomware include phishing emails, unpatched software, and weak network security protocols.

Given BlackSuit's ability to target both Windows and Linux systems, including critical VMware ESXi infrastructure, it is likely that the ransomware group used a combination of these methods to infiltrate Arango Billboard & Construction's systems. The attack highlights the importance of robust cybersecurity measures, even for mid-sized companies in specialized industries like outdoor advertising.
