BlackSuit, the ransomware group formerly known as Royal [1] [3] [5], has rebranded and is pursuing organizations with large extortion demands [1].

Description

Since the rebrand, BlackSuit has demanded more than $500 million from victims in under two years [2], with the largest single demand reaching $60 million [6]. Earlier reporting on the group, before the rebrand, put the tally at around 350 victims worldwide and some $275 million in cumulative demands [2] [4]. Individual demands have typically ranged from $1 million to $10 million [4], payable in Bitcoin [5]. The initial ransom note does not state an amount; victims must contact the operators through a .onion URL supplied after encryption [6], and the joint advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) notes that the actors are willing to negotiate the figure [6].

Intrusions typically begin with phishing emails [2]. Once inside, the operators disable antivirus software and exfiltrate data before deploying the ransomware [2], then apply double extortion, threatening to leak the stolen data if the victim does not pay [2]. The encryptor uses a partial encryption approach, encrypting only part of each file's contents rather than the whole file, which makes the result harder to flag and helps the attack evade detection [1]. BlackSuit has links to other crews such as Black Basta and Hive [1].

The group has hit critical infrastructure sectors including commercial facilities [5], healthcare [5], government [2] [5], and manufacturing [5], causing widespread disruption [2].
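As an added illustration of why partial encryption complicates detection (editorial example code, not from the cited advisories or from the group's own tooling): the script below builds a constructed 64 KiB sample in which only the first 10% of a repetitive text file is replaced by pseudo-random bytes standing in for ciphertext, then compares a whole-file Shannon-entropy check against a window-by-window one. The 10% fraction, the 4 KiB window size and the 7.0 bits-per-byte threshold are assumptions chosen for the demonstration, not values taken from BlackSuit's encryptor.

```python
"""Entropy-based detection versus partial encryption (added example).

The 'encrypted' region is simulated with a seeded PRNG so the demo is
deterministic and offline; no real cipher, key or victim file is involved.
Fraction, window size and threshold are illustrative assumptions.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued
    input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_sample(size: int = 64 * 1024, encrypted_fraction: float = 0.10,
                seed: int = 1234) -> bytes:
    """Constructed sample: repetitive, low-entropy text with only the
    leading `encrypted_fraction` of bytes replaced by pseudo-random data,
    mimicking an encryptor that touches a fixed share of each file."""
    line = b"quarterly revenue figures, see attached spreadsheet\n"  # 52 bytes
    plaintext = (line * (size // len(line) + 1))[:size]
    cut = int(size * encrypted_fraction)
    rng = random.Random(seed)  # stand-in for ciphertext, not a real cipher
    ciphertext_stand_in = bytes(rng.getrandbits(8) for _ in range(cut))
    return ciphertext_stand_in + plaintext[cut:]


def chunk_entropies(data: bytes, chunk: int = 4096) -> list:
    """Entropy of each fixed-size window, so a single high-entropy region
    stays visible even when the rest of the file is plain text."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_encrypted_whole(data: bytes, threshold: float = 7.0) -> bool:
    """Naive check: flag the file only if its overall entropy is high.
    Partial encryption keeps the average low, so this misses the sample."""
    return shannon_entropy(data) >= threshold


def looks_encrypted_chunked(data: bytes, threshold: float = 7.0,
                            chunk: int = 4096) -> bool:
    """Window-wise check: flag the file if any window looks like ciphertext."""
    return any(e >= threshold for e in chunk_entropies(data, chunk))


if __name__ == "__main__":
    sample = make_sample()
    print(f"whole-file entropy: {shannon_entropy(sample):.2f} bits/byte")
    print(f"max window entropy: {max(chunk_entropies(sample)):.2f} bits/byte")
    print("whole-file check flags it:", looks_encrypted_whole(sample))
    print("window-wise check flags it:", looks_encrypted_chunked(sample))
```

The whole-file check stays well under the threshold because 90% of the bytes are ordinary text, while the first 4 KiB window scores close to 8 bits per byte and trips the window-wise check. The caveat for practitioners is that high-entropy windows also occur in legitimately compressed or already-encrypted content (archives, images, encrypted containers), so entropy is one signal to combine with behavioural indicators such as mass file modification, not a standalone verdict.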

Conclusion

BlackSuit's campaigns have caused financial losses and operational disruption across several sectors. Given the tradecraft described above, organizations should prioritize defences against phishing, monitor for tampering with endpoint protection, and watch for bulk data exfiltration, since the group steals data before it encrypts. Collaboration between law enforcement agencies and cybersecurity experts remains crucial in combating groups like BlackSuit, and the rebrand itself shows how readily these actors change their tooling and identity, underlining the need for continuous vigilance and proactive defence.

References

[1] https://www.computerweekly.com/news/366602360/Royal-ransomware-crew-puts-on-a-BlackSuit-in-rebrand
[2] https://www.infosecurity-magazine.com/news/blacksuit-royal-ransomware-500m/
[3] https://www.altusintel.com/public-yyc97p/?tt=1723105984
[4] https://www.waterisac.org/portal/cisa-alert-%E2%80%93-royal-ransomware-actors-rebrand-%E2%80%9Cblacksuit%E2%80%9D-fbi-and-cisa-release-update-joint
[5] https://securityaffairs.com/166760/hacking/blacksuit-ransomware-group-advisory.html
[6] https://thehackernews.com/2024/08/fbi-and-cisa-warn-of-blacksuit.html