Ransomware Group BlackSuit Upgrades Capabilities

Computer code on a screen with a skull representing a computer virus / malware attack.

Ransomware group formerly known as Royal changes name to BlackSuit, adds capabilites to malware, say FBI and CISA

A ransomware group that first came to notice in 2022 has already demanded more than $500 million (£392m) in ransom payments and was active as recently as June, the US Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency (CISA) have said in a new joint advisory.

The group has demanded ransom payments typically from $1m to $10m, with the largest being $60m, in exchange for deleting stolen data and restoring encrypted systems, the advisory said.

The agencies said the group, formerly known as Royal, is now operating under the name BlackSuit.

The BlackSuit ransomware “shares numerous coding similarities” with Royal and includes improved capabilities, the agencies said.

Disruption

International law enforcement agencies in countries including the UK have recently taken more aggressive action against ransomware groups by taking down the infrastructure used by major gangs, but the malware remains a hugely disruptive force for organisations.

BlackSuit has targeted commercial facilities, healthcare, government and manufacturing organisations, the FBI and CISA said.

The group typically enters an organisation’s network via a phishing email or using Remote Desktop Protocol (RDP) and exfiltrates a large amount of data before encrypting users’ systems and rendering them unusable.

If a ransom is not paid it releases the data on a leak site.

BlackSuit employs partial encryption that allows the attackers to specify what percentage of a file to encrypt, improving speed and helping to evade detection, the advisory said.

The FBI observed BlackSuit using legitimate remote monitoring and management tools to maintain persistence and exfiltrating data with legitimate penetration testing software, such as Cobalt Strike.

Prevention

The group has increasingly contacted organisations directly via telephone or email to demand a ransom.

The agencies said users can help prevent attacks by educating users to identify and report phishing attempts and by enforcing multifactor authentication, amongst other measures.

“The Royal ransomware gang was first spotted in 2022, so the fact that the group has already set out demands totalling over $500m demonstrates its success,” said Cassius Edison, head of professional services at Closed Door Security.

“Regardless of whether a victim paid or didn’t pay, they still would have suffered serious losses that would have impacted their operations, customers, employees and finances.”