BlackSuit Ransomware
ID: 8fcd3386-7a8f-5979-8fed-20314e97d441
STIX ID: report--8fcd3386-7a8f-5979-8fed-20314e97d441
Feed Name: The DFIR Report
In December 2023 a threat actor used Cobalt Strike (HTTP and SMB beacons proxied via CloudFlare/AWS), in-memory tooling (Rubeus, SharpHound), and SystemBC proxies to escalate privileges, enumerate, and move laterally across an Active Directory environment. After harvesting credentials and mapping targets, they distributed and executed BlackSuit ransomware (qwe.exe) via SMB and RDP, deleted shadow copies, and left ransom notes. This report documents the timeline, IoCs (hashes, domains, IPs), forensic artifacts, and detection rules.
