Royal ransomware crew puts on a BlackSuit in rebrand

The cyber criminal ransomware gang that previously operated as Royal has rebranded and relaunched as BlackSuit, and is actively targeting organisations across multiple sectors with significant extortion demands, according to an alert from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) under the auspices of its ongoing #StopRansomware campaign.

Likely descended from the defunct Conti operation and bearing potential links to other crews such as Black Basta and Hive, Royal was in action for a period of approximately nine months between the autumn of 2022 and summer of 2023, and in that timeframe conducted a series of damaging attacks.

Its reemergence 12 months on as BlackSuit has been tracked by both CISA and the FBI, which have judged from several known cyber attacks that its ransomware locker shares significant coding similarities to Royal’s, and also demonstrates “improved capabilities”.

Among these, said CISA: “BlackSuit uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt.”

In this way, it can lower the encryption percentage for larger files, which helps the gang evade detection, and significantly improves the speed at which the ransomware itself can operate.

As with other gangs, phishing emails are most frequently used to obtain initial access – although BlackSuit is also known to use Remote Desktop Protocol (RDP), vulnerabilities in public-facing web applications, and the services of initial access brokers (IABs).

After gaining access, its operatives also disable the victims’ antivirus software prior to going to work. BlackSuit conducts data exfiltration activities and extorts its victim prior to encrypting their data, which is later published to a dark web leak site if payment is not received.

CISA said the gang has collectively demanded over $500m (£393.4m) in payoffs, with typical ransoms ranging from $1m at the lower end of the scale up to around $10m, although at least one demand of $60m is known to have been made.

The gang is notable for not making a ransom demand at the point of its initial attack; victims must rather interact directly with its negotiators through a Tor Onion URL, which is delivered after data encryption. BlackSuit is also known to have attempted to use phone calls and emails to pressure its victims.

Martin Kraemer, security awareness advocate at KnowBe4, said: “The group responsible for the BlackSuit ransomware is known for using aggressive tactics to extort money. They are not afraid to threaten businesses with exposing corporate wrongdoing, intimidate the relatives of employees and leaders, or blackmail employees by revealing illegal activities.

“These tactics are designed to keep a business under their control. The more harm they cause to a company’s reputation, the more likely the victim is to pay. This is their strategy.

“We are close to a scenario where ransomware groups work closely with providers of disinformation services. On the dark web, one can arrange campaigns to destroy someone’s personal reputation or manipulate stock prices. The cost of such campaigns is much lower compared to a potential ransom payment.

 “Organisations need to be ready. Crisis management and incident response teams must collaborate closely with the PR department to ensure the right level of transparency and limit the damage to employee and consumer trust. With targeted disinformation becoming a factor, PR departments must also be prepared to anticipate and manage narratives that could significantly harm the company. Whether it’s alleged negligence or misconduct, PR departments need to have prepared responses.”

More information on BlackSuit, including updated indicators of compromise (IoCs), is available from CISA.