The notorious Royal ransomware group has resurfaced under a new name: BlackSuit. Despite the rebranding, their operations remain as disruptive and dangerous as ever, with ongoing attacks targeting critical infrastructure and companies worldwide. BlackSuit is suspected of orchestrating the assault on CDK Global, which resulted in extensive disruptions at auto dealerships across the United States. This incident underscores the growing threat posed by this ransomware group, which has also targeted sectors such as healthcare, government, commercial facilities, and critical manufacturing.
The FBI and CISA have raised alarms about the increasingly aggressive tactics employed by BlackSuit. Victims now frequently receive direct emails or phone calls from these cybercriminals, notifying them of a security breach and issuing ransom demands. This strategy, designed to apply psychological pressure, is becoming more common among ransomware gangs.
In response to these escalating threats, CISA, in partnership with the FBI, has issued a detailed joint advisory on the BlackSuit ransomware group. The advisory covers the current tactics, techniques, and procedures (TTPs) used by BlackSuit and provides a historical perspective on the group's operations. BlackSuit, identified as a rebranded version of the legacy Royal ransomware, continues to evolve, as shown by FBI investigations as recent as July 2024.
The advisory, first published in March 2023, has undergone several updates to reflect the evolving threat landscape. In November 2023, new TTPs and indicators of compromise (IOCs) associated with the Royal variant were added. Most recently, in August 2024, the advisory was revised to officially recognize the rebranding to BlackSuit and provide fresh intelligence on their tactics and detection methods.
Phishing emails are BlackSuit's most common, and most successful, initial access vector. Once inside, the actors disable antivirus software and exfiltrate large amounts of sensitive data before deploying the ransomware to encrypt systems, an approach that has proven especially effective against organizations with weak defenses. Beyond phishing, BlackSuit gains access by abusing the Remote Desktop Protocol (RDP), exploiting vulnerable internet-facing applications, and buying access from initial access brokers (IABs). After gaining a foothold, BlackSuit actors establish persistence with legitimate remote monitoring and management (RMM) software and rely on malware such as SystemBC and GootLoader to load additional tools, allowing the intrusion to continue undetected.
BlackSuit’s operations show marked improvements over its predecessor, Royal ransomware. While it retains several coding similarities with Royal, BlackSuit has significantly enhanced its methods, particularly in data exfiltration and extortion. Like many ransomware groups, BlackSuit exfiltrates data before encrypting systems. If victims refuse to pay the ransom, they risk having their data published on a leak site.
Once inside, BlackSuit actors use a mix of open-source and legitimate tools to map and exploit victim networks. They have been observed running SharpShares and SoftPerfect NetWorx to enumerate networks, while Mimikatz and Nirsoft password-recovery utilities are frequently found on compromised systems for credential harvesting. PowerTool and GMER, both legitimate utilities with kernel-level access, are used to kill security-related processes so that the ransomware can run without interference.
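Because every tool named above is a legitimate or freely available utility, a single sighting of one of them is weak evidence on its own; a GMER run by an administrator is not an incident. What distinguishes the behaviour the advisory describes is the combination: network enumeration, credential harvesting, and process-killing on the same host in a short span. The following Python is an added example, not code from the advisory or from CISA, that correlates constructed process-creation log lines by host and alerts only when tools from two or more of those categories appear within a sliding window. The log format and the executable file names are assumptions for the example; the advisory names the tools, not their on-disk names, and operators rename binaries freely, so a production rule would key on file hashes or behavioural telemetry as well.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the advisory's description of BlackSuit post-access tooling:
# network enumeration, credential harvesting, and process-killing utilities.
# The file names below are assumptions for this example, not indicators from
# the advisory; real operators frequently rename these binaries.
TOOL_CATEGORIES = {
    "discovery": {"sharpshares.exe", "networx.exe"},
    "credential_access": {"mimikatz.exe", "webbrowserpassview.exe", "netpass.exe"},
    "defense_evasion": {"powertool.exe", "powertool64.exe", "gmer.exe"},
}

# Minimal process-creation record used by this example (a constructed format,
# not a real product's schema): ISO-8601 UTC timestamp, host, image path, user.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+user=(?P<user>\S+)$"
)

# Constructed sample telemetry. WS01 shows the full chain inside 30 minutes;
# WS02 shows a lone GMER execution; SRV01 shows two tools 4.5 hours apart.
SAMPLE_LOGS = [
    "2024-07-01T09:02:11Z host=WS01 image=C:\\Windows\\System32\\svchost.exe user=NT_AUTHORITY\\SYSTEM",
    "2024-07-01T09:05:40Z host=WS01 image=C:\\Users\\Public\\SharpShares.exe user=CORP\\jsmith",
    "2024-07-01T09:21:03Z host=WS01 image=C:\\Users\\Public\\mimikatz.exe user=CORP\\jsmith",
    "2024-07-01T09:33:57Z host=WS01 image=C:\\Users\\Public\\PowerTool64.exe user=CORP\\jsmith",
    "2024-07-01T10:10:00Z host=WS02 image=C:\\Tools\\gmer.exe user=CORP\\admin",
    "2024-07-01T09:00:00Z host=SRV01 image=C:\\Temp\\SharpShares.exe user=CORP\\svc",
    "2024-07-01T13:30:00Z host=SRV01 image=C:\\Temp\\mimikatz.exe user=CORP\\svc",
]


def categorize(image_path):
    """Map an image path to a tool category, or None if it is not on the watch list."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for category, names in TOOL_CATEGORIES.items():
        if name in names:
            return category
    return None


def parse_events(lines):
    """Return (timestamp, host, category, image) tuples for watch-listed executions."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected record shape
        category = categorize(m["image"])
        if category is None:
            continue  # ordinary process, not part of the tool set we care about
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], category, m["image"]))
    return events


def correlate(lines, window_minutes=60, min_categories=2):
    """Emit one alert per host where tools from at least min_categories distinct
    categories ran within any window of window_minutes. A single category alone
    (e.g. an admin running GMER) never fires, which keeps false positives down."""
    by_host = defaultdict(list)
    for ev in parse_events(lines):
        by_host[ev[1]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order; tuples sort by timestamp first
        for i, (start_ts, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start_ts <= window]
            cats = {e[2] for e in in_window}
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host,
                    "categories": sorted(cats),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "images": [e[3] for e in in_window],
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run as a script, it reports only WS01, where discovery, credential access and defense evasion all occurred within half an hour; WS02's lone GMER execution and SRV01's two widely separated tools stay quiet unless the window is widened. Tuning `window_minutes` and `min_categories` is the trade-off between catching a slow operator and paging on a busy administrator.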
Since rebranding as BlackSuit, the group's ransom demands have typically ranged from approximately $1 million to $10 million, payable in Bitcoin, and the actors have shown a willingness to negotiate the amount, suggesting a pragmatic rather than fixed pricing strategy. The joint advisory from CISA and the FBI estimates that BlackSuit-affiliated threat actors have demanded more than $500 million in total since the rebrand, with the largest single ransom demand reaching $60 million.
BlackSuit's rebranding from Royal ransomware marks not just a name change, but an evolution in their tactics and capabilities. As they continue to target critical sectors, organizations must remain vigilant, strengthening their defenses against phishing and other initial access vectors. The joint advisory from CISA and the FBI serves as a crucial resource for understanding and mitigating the threat posed by BlackSuit. Staying informed and prepared is essential in the ongoing battle against this relentless ransomware menace.