Hackers are using fake Zoom installer apps to trick users into downloading the hostile BlackSuit ransomware that takes over systems and steals data.
Researchers at DFIR have found that the attack is being initiated through a fraudulent Zoom installer. This installer deceives unsuspecting users into downloading malware from a convincing replica of Zoom’s website.
Windows users are at risk of infection from BlackSuit ransomware, a well-documented cyber threat that has previously targeted schools, healthcare organisations, and other essential services. Once the malicious software infiltrates a system, it remains inactive for several days, evading immediate detection.
When triggered, it executes a coordinated assault, extracting sensitive data, encrypting critical files, and issuing a ransom demand to restore access.
More Specifics on How the Malware Works
The BlackSuit ransomware attack begins with a fraudulent website, zoommanager[.]com, impersonating Zoom to trick users into downloading a malicious loader. Once installed, the malware disables Windows Defender, remains undetected, and retrieves further payloads via a Steam Community page.
To evade suspicion, it downloads both a genuine Zoom installer and malicious software, then injects itself into MSBuild.exe, a trusted Microsoft process. After eight days of dormancy, it activates, gathering system data, deploying Cobalt Strike for lateral movement, and installing QDoor for remote access.
Finally, it exfiltrates critical data before unleashing BlackSuit ransomware, which encrypts files and demands payment.
The History of the BlackSuit Ransomware
The BlackSuit ransomware gang emerged in early 2023 and quickly gained notoriety for targeting healthcare, education, and other critical sectors.
In early 2024, it attacked South Carolina’s Kershaw County School District (KCSD), claiming to have stolen 17GB of sensitive data. In June 2024, BlackSuit was linked to a crippling ransomware attack on CDK Global, forcing US car dealerships to revert to manual operations. Reports suggest CDK paid the ransom to restore services.
That same month, the gang targeted the Kansas City Police Department (KCKPD). When the department refused to pay, BlackSuit leaked highly sensitive law enforcement data, including payroll records, homicide crime scene photos, and fingerprint databases.
BlackSuit also allegedly breached Kansas City Hospice, a nonprofit providing end-of-life care, adding it to its victim list on October 19th, according to Cybernews’ Ransomlooker monitoring tool.
What Lessons Can IT Leaders Learn From This Threat?
The BlackSuit ransomware campaign highlights the evolving sophistication of cyber threats and the devastating impact on critical sectors. IT leaders can take a proactive, multi-layered approach to cybersecurity to mitigate risks and enhance resilience.
Strict software verification is essential. The attack leveraged a fake Zoom installer, emphasising the need for zero-trust policies and app allowlisting to prevent unauthorised software execution. Endpoint detection and response (EDR) solutions can also pinpoint unusual activity before malware takes hold.
Second, early threat detection and incident response planning are invaluable. BlackSuit remained dormant for days before activating, underscoring the importance of continuous network monitoring and behavioural anomaly detection to identify stealthy intrusions. Regular red team exercises and tabletop simulations mean teams are prepared for speedy containment and recovery.
Third, data protection and segmentation can impede ransomware spread. Regular, immutable backups stored offline help restore systems without paying ransoms. Network segmentation can limit lateral movement, preventing widespread compromise.
Finally, employee awareness and phishing defences remain critical. Many ransomware infections begin with social engineering, making regular security training and phishing simulations indispensable.
By adopting these strategies, IT leaders can fortify their defences, minimise disruption, and safeguard their organisations from ransomware threats like BlackSuit.
What Other Zoom News Has Happened Recently?
At last month’s Enterprise Connect event in Florida, Zoom unveiled a swathe of new agentic AI Companion innovations to elevate productivity and collaboration.
Zoom is expanding its AI Companion capabilities across its entire platform, integrating advanced AI-driven features into Zoom Meetings, Zoom Team Chat, Zoom Docs, Zoom Phone, Zoom Whiteboard, Zoom Contact Center, and specialised industry solutions. These enhancements introduce new AI-powered skills, intelligent agents, and advanced models to improve efficiency, enhance collaboration, and strengthen user engagement.
Among the latest AI-driven features are calendar management for simplified scheduling, clip generation for rapid video creation, and advanced writing assistance to support more efficient document development. Notably, Zoom AI Companion remains available at no additional cost for users with paid Zoom accounts, ensuring broad access to these productivity-boosting tools.
Additionally, Zoom announced that its Workplace for Clinicians solution is now generally available.
Zoom emphasises that Workplace for Clinicians is tailored to optimise clinical workflows, enabling doctors, nurses, and other healthcare professionals to focus more on patient care and engagement while reducing the burden of documentation and admin tasks. Zoom has introduced a select beta for Custom AI Companion for Healthcare, a new capability that will allow healthcare IT decision-makers to personalise AI Companion experiences.
Join the UC Community That’s Shaping the Future
Connect with thousands of UC pros, share your voice, and stay ahead of the curve. Be heard, be inspired, and help shape what’s next in Unified Communications. Join the conversation today.
