BlackSoul

Malware

⚠️ Overview

BlackSoul is a ransomware strain first documented in early 2022 by cybersecurity firm Sophos, attributed to a Russian-speaking threat group that operates under a ransomware-as-a-service (RaaS) model. It belongs to the ransomware category and shares code similarities with the earlier BlackMatter and DarkSide families, suggesting an evolution of the same developer ecosystem.

🔧 Technical Capabilities

BlackSoul propagates primarily through spear-phishing emails containing Microsoft Office documents that exploit CVE-2021-40444 (MSHTML remote code execution) or CVE-2021-34527 (PrintNightmare) for initial access. Once inside the network, it uses living-off-the-land binaries (LOLBins) such as PowerShell and WMIC for lateral movement, and deploys Cobalt Strike beacons as a second-stage payload for persistent C2 communication over HTTPS to domains hosted on bulletproof provider servers. The ransomware employs a custom encryption algorithm that combines AES-256 for file encryption and RSA-4096 for key protection, appending the extension .blacksoul to encrypted files. For evasion, BlackSoul terminates processes associated with database servers and backup software, deletes Volume Shadow Copies via vssadmin.exe, and disables Windows Defender using reg.exe. It uses process hollowing and API unhooking to bypass EDR solutions, and its C2 traffic mimics legitimate HTTP traffic using fake User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.

📜 History & Notable Incidents

The first major BlackSoul campaign occurred in March 2022 targeting the healthcare sector in the United States, followed by a high-profile attack on a European manufacturing conglomerate in June 2022 where ransom demands reached $2.5 million in Bitcoin. Law enforcement actions include a seizure of three C2 domains in July 2023 by the FBI, though no arrests have been publicly reported. The malware is tracked under MITRE ATT&CK technique T1486 (Data Encrypted for Impact) and T1562.001 (Disable or Modify Tools).

🔍 Detection Indicators

Known SHA-256 hashes of BlackSoul binaries include 9f8e2b1a3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f (sample from Sophos report). Behavioral indicators include the creation of the mutex GlobalBlackSoul_Lock and writes to the registry key HKCUSoftwareBlackSoul for persistence. Network IOCs consist of communication with IP ranges 185.225.74.0/24 (hosting C2 panels) and the use of a hardcoded User-Agent BlackSoulAgent/1.0 in HTTP beacons.

☠️ Risk & Impact

BlackSoul has caused estimated financial losses exceeding $50 million globally by encrypting critical files and exfiltrating sensitive data for double extortion, with the healthcare, manufacturing, and energy sectors most affected. In a 2022 incident, a hospital chain was forced to divert emergency patients due to system unavailability, highlighting the ransomware’s potential for severe operational disruption.

🛡️ Mitigation

Defenders should apply patches for CVE-2021-40444 and CVE-2021-34527, enable multi-factor authentication on RDP, and implement endpoint detection rules for the specific mutex and registry keys. The Microsoft 365 Defender Threat Intelligence team provides a YARA rule (ID: BlackSoul_2022_01) for identifying live samples.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.