A new ransomware strain that was discovered in early May 2023 has shown a strong resemblance to Royal ransomware. This new strain BlackSuit, primarily targets Linux systems and Windows. Further analysis from cybersecurity company Trend Micro, shows that BlackSuit and Royal ransomware are almost identical in functions, blocks, and jumps.
BlackSuit operates using a double extortion method, which is a common strategy employed by many ransomware groups. The ransomware also employs OpenSSL’s AES encryption process. However, it also incorporates additional command-line arguments and avoids encrypting specific files with certain extensions during the encryption process. The emergence of BlackSuit and its similarities to Royal underscores the ever-evolving nature of the ransomware ecosystem.
There were speculations that the Royal ransomware group was planning to rebrand under a new name following pressure from law enforcement after targeting IT systems in the City of Dallas, Texas. In May, a new ransomware operation called BlackSuit was discovered, leading to belief that it was the rebranded version of Royal. However, a rebranding did not occur, and Royal is still actively conducting attacks while using BlackSuit in limited instances. Cybersecurity professional Yelisey Boguslavskiy, states that the Royal group consists of over 60 cybersecurity experts who were part of the original Conti group or recruited from other elite ransomware groups. They employ both Royal and BlackSuit ransomware. Boguslavskiy suggests that Royal may be testing BlackSuit as a new encryptor or BlackSuit may be a new subgroup of the Royal ransomware family.
While the specific use of BlackSuit remains to be seen, it has been observed in a small number of attacks. BleepingComputer has documented at least three attacks involving the BlackSuit encryptor, with ransoms currently below $1 million. The BlackSuit operation currently has one victim listed on their data leak site, but this could change at any given moment if the encryptor becomes more commonly used. It is advised that network defenders remain cautious as this new operation is linked to the expertise of the Royal group, known for breaching networks and deploying their encryptors. The true nature of BlackSuit, whether a failed experiment or the start of a new subgroup, remains to be seen.
If you are a victim of BlackSuit ransomware, call Alvaka immediately at (949) 428-5000 Ext. 1. We are available 24×7 and can get you started on the proper path to recovery!
Latest Ransomware Related Blogs
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.