
Detect and respond to BlackSuit ransomware with Argus


BlackSuit ransomware is malicious software that targets high-value organizations, encrypting critical data and causing significant operational disruptions and financial losses. It requires command-line arguments to execute, passing a random 32-character value with its -name argument. To prevent file recovery, BlackSuit deletes Volume Shadow Copies using a hidden VSSADMIN command. It also uses the Microsoft-Windows-RestartManager to check whether files are in use before encrypting them. The ransomware creates a ransom note, README.BlackSuit.txt, in multiple directories and appends the .blacksuit extension to encrypted files on both endpoints and mounted shares. Detecting and responding to this threat is crucial for organizations to protect their assets and ensure business continuity.

Analyzed IOC

Hash Algorithm   Value
SHA256           90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
MD5              748de52961d2f182d47e88d736f6c835

Architecture

  • Argus server (Argus manager)
  • A Windows endpoint with the Argus agent installed

Windows endpoint

The following steps configure Sysmon on the monitored endpoint and forward the logs in the Sysmon event channel to the Argus server for analysis.

  1. Download Sysmon from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Extract the compressed Sysmon file to your preferred location.
  3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

 wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

  • Switch to the directory with the Sysmon executable. Run the command below in PowerShell with Administrator privileges to install and start Sysmon:

 .\Sysmon64.exe -accepteula -i sysmonconfig.xml

  • Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Argus server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

  • Restart the Argus agent

    Restart-Service -Name wazuh

Argus server

On the Argus server, we create rules to detect the activities of BlackSuit ransomware on the monitored endpoint.

  1. Create a file blacksuit_ransomware.xml in the /var/ossec/etc/rules/ directory.
  2. Add the following rules to the /var/ossec/etc/rules/blacksuit_ransomware.xml file:

<group name="BlackSuit, ransomware,">

  <!-- Ransomware execution -->
  <rule id="100011" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i).*.exe\s+-name\s\d{32}$</field>
    <description>Possible BlackSuit ransomware executed.</description>
    <mitre>
      <id>T1059</id>
      <id>T1086</id>
    </mitre>
  </rule>

  <!-- Inhibit system recovery -->
  <rule id="100012" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)vssadmin.exe\\"\sDelete\sShadows\s\/All\s\/Quiet</field>
    <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100013" level="15" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\README.BlackSuit.txt</field>
    <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. BlackSuit ransomware detected.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

</group>

  • Restart the Argus server:

    systemctl restart wazuh-manager
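To check what the three rules above actually match before deploying them, here is an added example (not part of the original page) that replays constructed Sysmon events through the same regular expressions in Python. The event dictionaries, field names and timestamps are assumptions; rule 100013's frequency/timeframe correlation is modelled in simplified form.

```python
import re

# Added example, not part of the original page: replay constructed Sysmon
# events through the patterns of rules 100011, 100012 and 100013 (copied verbatim).
RULE_EXEC = re.compile(r"(?i).*.exe\s+-name\s\d{32}$")
# Rule 100012 expects a literal backslash before the quote that closes the
# image path, so the sample command line carries the quote in that escaped form.
RULE_VSS = re.compile(r'(?i)vssadmin.exe\\"\sDelete\sShadows\s\/All\s\/Quiet')
RULE_NOTE_IMAGE = re.compile(r"\.exe")
RULE_NOTE_PATH = re.compile(r"(?i)[C-Z]:.*.\\README.BlackSuit.txt")
NOTE_FREQUENCY, NOTE_TIMEFRAME = 2, 100  # frequency/timeframe of rule 100013


def match_rules(events):
    """Return (rule_id, event) pairs for the events that alert. Each event is a
    dict with 'sid' (Sysmon parent rule: 61603 process creation, 61613 file
    creation), 'ts' in seconds, and the eventdata fields the rules inspect.
    Rule 100013 is modelled in simplified form: it fires once NOTE_FREQUENCY
    ransom-note creations by an .exe fall within NOTE_TIMEFRAME seconds."""
    alerts, note_times = [], []
    for ev in events:
        if ev["sid"] == 61603:
            cmd = ev.get("commandLine", "")
            if RULE_EXEC.search(cmd):
                alerts.append((100011, ev))
            if RULE_VSS.search(cmd):
                alerts.append((100012, ev))
        elif ev["sid"] == 61613:
            if (RULE_NOTE_IMAGE.search(ev.get("image", ""))
                    and RULE_NOTE_PATH.search(ev.get("targetFilename", ""))):
                note_times = [t for t in note_times if ev["ts"] - t <= NOTE_TIMEFRAME]
                note_times.append(ev["ts"])
                if len(note_times) >= NOTE_FREQUENCY:
                    alerts.append((100013, ev))
                    note_times = []  # counter resets once the rule has fired
    return alerts


# Constructed sample events (not real telemetry); the 32-digit value is made up.
SAMPLE_EVENTS = [
    {"sid": 61603, "ts": 0, "commandLine": r"C:\Users\victim\Downloads\encryptor.exe -name 12345678901234567890123456789012"},
    {"sid": 61603, "ts": 1, "commandLine": r'\"C:\Windows\Sysnative\vssadmin.exe\" Delete Shadows /All /Quiet'},
    {"sid": 61603, "ts": 2, "commandLine": r"notepad.exe -name short"},
    {"sid": 61613, "ts": 3, "image": r"C:\Users\victim\Downloads\encryptor.exe", "targetFilename": r"C:\Users\victim\Documents\README.BlackSuit.txt"},
    {"sid": 61613, "ts": 4, "image": r"C:\Users\victim\Downloads\encryptor.exe", "targetFilename": r"D:\share\README.BlackSuit.txt"},
]

if __name__ == "__main__":
    for rule_id, ev in match_rules(SAMPLE_EVENTS):
        print(rule_id, ev.get("commandLine") or ev.get("targetFilename"))
```

Note that a single ransom note never raises rule 100013 on its own, and two notes written more than 100 seconds apart do not either; only the second note inside the window fires the alert.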

Monitoring the Alerts

  1. Navigate to Threat Hunting > Events
  2. Click on Add filter
  3. Select rule.id in the Field
  4. Select is one of as the Operator and enter 100011, 100012, 100013 in the Values field
  5. Click on Save

Detecting and removing malicious files utilizing YARA integration

Argus integrates with YARA, a tool for detecting and classifying malware artifacts. This integration scans files added or modified on a Windows endpoint to identify potential malware.

The Argus File Integrity Monitoring (FIM) module is configured to monitor changes in a designated folder. When new files are added or existing ones are modified, the Argus Active Response module automatically triggers a YARA scan, identifying potentially malicious files based on predefined rules.

Windows endpoint

Download Python from its official website

Proceed with the next steps to download the YARA executable.

  1. Run the command to download YARA in PowerShell as an administrator

Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

  • Extract the downloaded YARA file

   Expand-Archive v4.3.2-2150-win64.zip

  • Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it

mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

  • In the same PowerShell terminal that was opened earlier, use the pip utility to install valhallaAPI. This API is used to retrieve the public signature-based YARA ruleset.

    pip install valhallaAPI

  • Create a file download_yara_rules.py and paste the script below into it:

from valhallaAPI.valhalla import ValhallaAPI

# The key below is the public demo key, which returns the free signature-based ruleset
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Save the retrieved ruleset as a single YARA file
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

  • Download the YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

python download_yara_rules.py
mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

  • Edit the downloaded YARA rule C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following BlackSuit ransomware rule:

rule BlackSuit_ransomware {
   meta:
      description = "BlackSuit ransomware executable detection"
      author = "Aishat Motunrayo Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2024-10-03"
      hash1 = "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"
   strings:
      $x1 = "C:\\Users\\pipi-\\source\\repos\\encryptor\\Release\\encryptor.pdb" fullword ascii
      $s2 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
      $s3 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static\\bin" fullword ascii
      $s4 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_aes_hw_aesni.inc" ascii
      $s5 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_aes_cts.inc" fullword ascii
      $s6 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\macs\\blake2_mac_impl.c" fullword ascii
      $s7 = "get_payload_private_key" fullword ascii
      $s8 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static\\lib\\engines-3" fullword ascii
      $s9 = "C:\\Users\\Adm\\vcpkg\\packages\\openssl_x86-windows-static" fullword ascii
      $s10 = "get_payload_public_key" fullword ascii
      $s11 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\crypto\\err\\err_local.h" fullword ascii
      $s12 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\providers\\implementations\\ciphers\\cipher_camellia_cts.inc" ascii
      $s13 = "C:\\Windows\\Sysnative\\bcdedit.exe" fullword wide
      $s14 = "C:\\Windows\\Sysnative\\vssadmin.exe" fullword wide
      $s15 = "error processing message" fullword ascii
      $s16 = "C:\\Users\\Adm\\vcpkg\\buildtrees\\openssl\\x86-windows-static-rel\\engines\\e_capi_err.c" fullword ascii
      $s17 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s18 = "get_dh_dsa_payload_p" fullword ascii
      $s19 = "loader incomplete" fullword ascii
      $s20 = "get_payload_group_name" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 7000KB and
      1 of ($x*) and 4 of them
}

  • Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the configuration below within the <syscheck> block to monitor the Downloads folders of all users in real time using the Argus FIM module:

<directories realtime="yes">C:\Users\*\Downloads</directories>

  • Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the script below into it. The Argus Active Response module runs this file automatically to perform YARA scans for malware detection and removal:

:: This script deletes BlackSuit ransomware as well as other malicious files matched by the YARA rules
@echo off
setlocal enableDelayedExpansion

reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read the alert JSON that the Argus agent pipes to this script on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

:: Extract the path of the added or modified file from the alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"

echo %syscheck_file_path% >> %log_file_path%

:: Scan the file; each line of YARA output has the form "<rule name> <file path>"
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    rem Delete the matched file, then confirm that it is gone
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)

exit /b

  • Restart the Argus agent:

    Restart-Service -Name wazuh

Argus server

  1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will trigger alerts for any files added or modified in the Downloads directory on the monitored endpoint.

<group name="syscheck,">

  <rule id="100024" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100025" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>

</group>

  • Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100024,100025</rules_id>
</active-response>

The Argus Active Response module executes the yara.bat script when a file is added or modified in the Downloads folder.

  • Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

  • Create custom rules in the /var/ossec/etc/rules/local_rules.xml file to generate alerts when YARA active response actions are taken:

<!-- Rule for the decoder (yara_decoder) -->
<group name="yara,">

  <rule id="100026" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <!-- YARA scan detects a positive match -->
  <rule id="100027" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

  <!-- Wazuh successfully deletes malware with a positive match -->
  <rule id="100028" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

  <!-- Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100029" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>

</group>

  • Restart the Argus manager:

    sudo systemctl restart wazuh-manager
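The chain from yara.bat through the decoders to rules 100026-100029 is easy to get subtly wrong, so here is an added example (not the page's or Wazuh's own code) that models it in Python: it extracts the file path the way the batch file does, produces the same log lines, and decodes them with the decoder regexes above. The alert JSON and YARA output are constructed, and the functions are assumptions for illustration.

```python
import json
import re

# Added example, not the page's own code: a Python model of the yara.bat ->
# decoder -> rule chain above, run over constructed input (no files are touched).
# Regex equivalents of the three child decoders, with the rule id each feeds.
DECODERS = [
    (100027, re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")),
    (100028, re.compile(r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)")),
    (100029, re.compile(r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)")),
]
FIELDS = ("log_type", "yara_rule", "yara_scanned_file")  # the decoders' <order>


def scanned_path(stdin_json):
    """The value yara.bat extracts from the alert JSON piped to it on stdin."""
    return json.loads(stdin_json)["parameters"]["alert"]["syscheck"]["path"]


def log_lines(yara_output, delete_ok):
    """Lines yara.bat appends to active-responses.log: one 'Scan result' line
    per YARA match ("rule_name path", as yara64.exe prints it) followed by the
    outcome of 'del /f'; delete_ok stands in for the 'if exist' check."""
    lines = []
    for match in yara_output.splitlines():
        lines.append(f"wazuh-yara: INFO - Scan result: {match}")
        verdict = "Successfully deleted" if delete_ok else "Error removing threat"
        lines.append(f"wazuh-yara: INFO - {verdict}: {match}")
    return lines


def decode(line):
    """(rule_id, fields) for a wazuh-yara line; (100026, {}) when only the
    parent decoder's prematch applies; None when the line is not ours."""
    if not line.startswith("wazuh-yara:"):
        return None
    for rule_id, rx in DECODERS:
        m = rx.search(line)
        if m:
            return rule_id, dict(zip(FIELDS, m.groups()))
    return 100026, {}


# Constructed sample alert and YARA output (not real telemetry).
ALERT = json.dumps({"parameters": {"alert": {"syscheck": {"path": r"C:\Users\victim\Downloads\encryptor.exe"}}}})
YARA_OUT = "BlackSuit_ransomware " + scanned_path(ALERT)

if __name__ == "__main__":
    for line in log_lines(YARA_OUT, delete_ok=True):
        print(decode(line))
```

One caveat the model makes visible: each decoder field is `(\S+)`, so a file path containing a space (for example under a user profile named "John Doe") decodes with yara_scanned_file cut off at the first space, and the resulting alert names a truncated path.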

Monitoring the Alerts

Alerts appear on the dashboard when the BlackSuit ransomware executable is detected in the monitored folder, specifically the Downloads folder of the victim endpoint.

  1. Navigate to Threat Hunting > Events
  2. Click on Add filter
  3. Select rule.id in the Field
  4. Select is one of as the Operator and enter 100025, 100027, and 100028 in the Values field
  5. Click on Save

Conclusion

BlackSuit ransomware exemplifies the evolving nature of ransomware, with attackers constantly enhancing their techniques to increase disruption and maximize profit. To counter these threats, organizations must remain vigilant by adopting robust incident response plans and advanced security measures. Detecting and defending against ransomware attacks early is crucial for minimizing the impact of these sophisticated threats.
