
Royal ransomware crew puts on a BlackSuit in rebrand


The cybercriminal ransomware gang formerly known as Royal has rebranded itself as BlackSuit and is actively targeting organizations across various sectors with significant extortion demands, according to a warning from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) issued as part of its ongoing #StopRansomware campaign.

Believed to have roots in the now-defunct Conti operation and potential connections to other groups like Black Basta and Hive, Royal operated for around nine months between the fall of 2022 and the summer of 2023, carrying out a series of destructive attacks during that time.

BlackSuit, which emerged roughly a year later, has been closely monitored by both CISA and the FBI. Analysis of known cyber attacks has revealed that its ransomware locker shares significant coding similarities with Royal’s and shows “enhanced capabilities.”

CISA noted that “BlackSuit employs a unique partial encryption method that enables the threat actor to select a specific percentage of data within a file to encrypt.” This allows the gang to lower the encryption percentage for larger files, making it harder to detect and significantly increasing the speed of the ransomware operation.

Like other cybercriminal groups, BlackSuit primarily uses phishing emails to gain initial access. However, they are also known to exploit Remote Desktop Protocol (RDP), vulnerabilities in public-facing web applications, and the services of initial access brokers (IABs).

Once inside a victim’s system, BlackSuit operatives disable antivirus software before carrying out data exfiltration and extortion activities. If the ransom is not paid, the encrypted data is published on a dark web leak site.

According to CISA, the gang has demanded over $500 million in total, with ransom amounts typically ranging from $1 million to $10 million, although there have been demands as high as $60 million.


Unlike other ransomware groups, BlackSuit does not make a ransom demand immediately after the initial attack. Instead, victims must engage directly with negotiators through a Tor Onion URL provided after data encryption. The gang has also been known to use phone calls and emails to apply pressure on victims.

Martin Kraemer, security awareness advocate at KnowBe4, commented: “The BlackSuit ransomware group is notorious for using aggressive tactics to extort money. They are willing to threaten businesses with exposing corporate misconduct, intimidate employees’ relatives, or blackmail individuals by revealing illegal activities.”

He added, “Organizations must be prepared. Crisis management and incident response teams should work closely with PR departments to manage the level of transparency and mitigate damage to employee and consumer trust. With the rise of targeted disinformation, PR departments must be ready to address and control narratives that could harm the company significantly.”

For more information on BlackSuit, including updated indicators of compromise (IoCs), visit the CISA website.
