Saturday, October 19, 2024

The Royal ransomware team dons a new BlackSuit in rebranding effort

The cybercriminal gang formerly known as Royal has rebranded and relaunched as BlackSuit, targeting organizations across various sectors with substantial extortion demands. According to a warning from the US Cybersecurity and Infrastructure Security Agency (CISA), BlackSuit is linked to previous operations such as Conti, Black Basta, and Hive, and was active for about nine months between 2022 and 2023.

The reemergence of BlackSuit has been closely monitored by CISA and the FBI, who have found coding similarities with Royal's ransomware locker. BlackSuit has shown improved capabilities, including a partial encryption approach that lets the threat actor choose the percentage of each file's data to encrypt. This tactic helps evade detection and speeds up the encryption phase of an attack.

Phishing emails are the primary method of initial access, alongside Remote Desktop Protocol (RDP), vulnerabilities in web applications, and the services of initial access brokers (IABs). After gaining access, the gang disables antivirus software, exfiltrates data, and extorts its victims before encrypting their data. Failure to pay results in the stolen data being published on a dark web leak site.

BlackSuit has demanded over $500 million in total payouts, with individual ransoms ranging from $1 million to $10 million. The gang is known for pressuring victims through phone calls, emails, and threats to expose corporate wrongdoing. Businesses are advised to prepare for aggressive tactics and to work closely with crisis management and incident response teams to limit damage to reputation and consumer trust. CISA provides further information on BlackSuit and updated indicators of compromise (IoCs).