The Evolution of Threat Landscapes: A Royal BlackSuit and Hacking-as-a-Service
In the continually shifting arena of cybersecurity threats, recent insights point towards a crucial change in the strategies adopted by threat actors. One key development is the emergence of ransomware strains such as BlackSuit and Royal, capable of targeting multiple operating systems (OS) concurrently.
Let’s explore more about these threats.
Background on BlackSuit and Royal
Traditionally, due to the extensive installed base, threat actors have preferred Windows systems. However, the emergence of BlackSuit and Royal indicates a shift towards more critical targets.
Rather than predominantly targeting client devices that typically contain a minor subset of data, threat actors are now developing malware to aim at file servers, database servers, and web servers. A large portion of these servers operate on Linux, implying that the potential harm and disruption caused by such attacks can be substantial.
Though by no means the first instance of Linux-targeting malware, it’s relatively uncommon for a single malware strain to target more than one OS. The dual-targeting capability of both BlackSuit and Royal marks a significant trend that CISOs, CIOs, and IT decision-makers must take into account.
The remarkable similarity between BlackSuit and Royal, displaying near-identical functional resemblance, suggests a probable knowledge transfer, technological exchange, or collaboration between different threat actors. Alternatively, this could indicate the evolution of a single threat actor augmenting its tools of the trade.
Furthermore, the Royal Ransomware gang, known for its aggressive approach towards small and mid-sized businesses in the U.S., as well as healthcare, education, and public sector entities worldwide, leverages a Ransomware-as-a-Service (RaaS) model. In this model, the ransomware provider hosts the malware, infrastructure, and ransom payment system, providing affiliates access to the system. The affiliates are responsible for infecting victims and extorting them for payment. The RaaS provider, in return, takes a cut of the profits, thus allowing cybercriminals to launch attacks with lower upfront investment and high levels of anonymity.
The evolution of the ransomware ecosystem is part of a larger trend called hacking-as-a-service (HaaS). This model lowers the barrier of entry, allowing individuals with basic skills to launch complex attacks, such as phishing and DDoS, more frequently. Services like phishing kits and DDoS packages available on the dark web facilitate rapid and extensive attacks, and the rise of coding-capable AI bots only compounds the problem.
To mitigate risks associated with these changing threat landscapes, organizations need to proactively upgrade their cyber defense strategies. Regular monitoring of the dark web, phishing domains, and social media can help identify potential threats early and enable proactive response measures.
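One concrete way to act on the "monitor phishing domains" advice is to check a feed of newly observed domain names against lookalikes of your own. The script below is an added example written for this page, not code from the article or from any vendor it mentions; the organisation name examplecorp.com and the list of observed domains are constructed sample data, and the homoglyph table is a deliberately small illustration that a real deployment would extend.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample feed of newly observed domains (the kind of list a
# certificate-transparency or passive-DNS export would yield). All values
# here are made up for this example.
OBSERVED_DOMAINS = [
    "examplecorp.com",          # the organisation's real domain
    "login.examplecorp.com",    # legitimate subdomain, must not be flagged
    "exarnplecorp.com",         # "m" replaced by "rn"
    "examp1ecorp.com",          # "l" replaced by "1"
    "examplecorp-login.net",    # brand name embedded with an extra token
    "examplecorp.co",           # same label, different TLD
    "unrelated-site.org",
]

# Common visually confusable substitutions; a real deployment would use a
# much larger table (including Unicode confusables).
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "m": ["rn"], "e": ["3"], "a": ["4"],
}


def lookalike_variants(label: str) -> Set[str]:
    """Single-edit lookalikes of a domain label: homoglyph swaps, adjacent
    transpositions and single-character omissions."""
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        variants.add(label[:i] + label[i + 1:])
    variants.discard(label)
    return variants


def flag_suspicious(legit_domain: str, observed: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) pairs for observed domains that impersonate
    legit_domain. The real domain and its subdomains are never flagged."""
    brand = legit_domain.split(".")[0]
    variants = lookalike_variants(brand)
    hits: List[Tuple[str, str]] = []
    for d in observed:
        d = d.lower().rstrip(".")
        if d == legit_domain or d.endswith("." + legit_domain):
            continue  # the real domain or one of its subdomains
        label = d.split(".")[0]
        if label in variants:
            hits.append((d, "typo/homoglyph of brand label"))
        elif label == brand:
            hits.append((d, "brand label under a different TLD"))
        elif brand in label:
            hits.append((d, "brand name embedded in label"))
    return hits


if __name__ == "__main__":
    for domain, reason in flag_suspicious("examplecorp.com", OBSERVED_DOMAINS):
        print(f"{domain:28} {reason}")
```

Run against the constructed feed, the script flags the two typo/homoglyph domains, the domain that embeds the brand name with an extra token, and the same label under a different TLD, while leaving the real domain and its subdomain alone. Each hit is a candidate for takedown or for adding to mail and web-proxy blocklists; the reason string is there so that an analyst can triage quickly rather than re-derive why a name was matched.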
As the cyber threat landscape continues to evolve, the requirement for comprehensive, proactive cyber defense strategies becomes increasingly crucial. The emergence of multi-OS targeting ransomware and the growth of HaaS underline the constant flux in this arena. Staying informed of these trends and adapting cyber defense strategies accordingly is vital for organizations to safeguard their systems and data.
One strategy that organizations can add to their tool belt is live patching. Live patching is an automatable, non-disruptive vulnerability patching approach that lets organizations put patching on autopilot: patches are deployed in the background while systems are running, without reboots or downtime.
Because no reboot is required, CVE patches can be deployed as soon as they are available, so your team does not leave systems exposed for longer than necessary. With a conventional patching approach, by contrast, patches often wait for a scheduled maintenance window and the window of exposure grows accordingly.
Learn all about live patching here.