Are you confident that your security tools are foolproof? Think again. BlackSuit ransomware exploits overlooked weaknesses and has slipped past the defenses of at least 53 organizations, many of them well protected. This is not just another cyber threat; it is a sophisticated adversary that rewrites the rules.
Your firewalls, antivirus, and strict protocols might not be enough to stop it. BlackSuit is engineered to find gaps you did not know existed, bypassing even mature security postures. Are you truly prepared for what is coming?
BlackSuit ransomware is a malware variant designed to encrypt files on victim systems, rendering critical data inaccessible. The attackers then demand a ransom in exchange for the decryption key; many operators also run a double extortion model, threatening to publish the stolen data if their demands are not met. The ransomware mainly targets critical sectors: Healthcare, Government, Manufacturing, Education, and Finance, where disruptions have had disastrous results.
BlackSuit is believed to be a rebrand of the Royal ransomware gang. Rebranding helps a ransomware group step out of law enforcement scrutiny and obscure its identity. It also lets the operators carry on most of their malicious activity without being recognized as easily by defenses tuned to the old name.
The rebrand to BlackSuit signals business as usual for the Royal group, so defenders need to adapt: update threat intelligence feeds and monitor for the new indicators of compromise.
The Royal ransomware group, now operating as BlackSuit, has continued to target healthcare organizations. In one such attack, the ransomware encrypted an entire hospital network, forcing the hospital to divert emergency patients to other facilities.
BlackSuit ransomware shares the primary function of other ransomware variants, encrypting files and demanding a ransom, but exhibits several characteristics that set it apart:
Function | BlackSuit Ransomware | Other Variants |
---|---|---|
1. Intermittent Encryption | Encrypts files in stages, touching only a portion of the data at a time, which finishes faster and generates less suspicious I/O. | Often encrypt files in one continuous pass. |
2. Partial Encryption | Encrypts only part of each file rather than its entire content; the file is still unusable. | Typically encrypt the entire file. |
3. Dual-Platform Targeting | Infects both Windows and Linux systems. | Often target a single platform, Windows or Linux. |
4. Relationship to Royal | Closely related to the Royal ransomware family and believed to be its rebrand. | May belong to other families or be entirely unrelated. |
5. Evasion Techniques | Relies on intermittent and partial encryption to stay below the thresholds of file-activity and entropy-based detection. | May rely on other evasion tactics, such as obfuscation or encryption (packing) of the malicious code. |
6. Ransom Negotiation | May offer discounts or extended payment deadlines. | May use different negotiation strategies or terms. |
7. Data Exfiltration | May exfiltrate sensitive data in addition to encrypting files (double extortion). | May or may not exfiltrate data. |
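Rows 1, 2 and 5 of the table make one practical point: a detector that looks at whole-file entropy will miss a file that is only partly encrypted, because the untouched plaintext pulls the average down. The following is an added example, not code from the original page or from Fidelis, of scoring a file chunk by chunk instead. The ciphertext is stood in for by random bytes (AES output is indistinguishable from random for this purpose), the sample document is constructed inline, and the 4 KiB chunk size and 7.5 bits/byte threshold are assumptions chosen for the demonstration.

```python
"""Chunk-wise entropy classifier for intermittently or partially encrypted files.

Added example (not Fidelis code). Random bytes stand in for AES ciphertext;
the sample 'document' is constructed inline so the script runs offline.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # assumption: score every 4 KiB independently
HIGH_ENTROPY = 7.5    # assumption: bits/byte; random data is ~7.95 per 4 KiB, prose ~4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY):
    """Return (label, high_chunk_fraction, whole_file_entropy).

    label is 'plain' (no high-entropy chunks), 'full' (every chunk is high)
    or 'partial' (a mix, the intermittent/partial-encryption signature).
    """
    profile = chunk_profile(data, chunk)
    high = sum(1 for e in profile if e >= threshold)
    fraction = high / len(profile) if profile else 0.0
    if high == 0:
        label = "plain"
    elif high == len(profile):
        label = "full"
    else:
        label = "partial"
    return label, fraction, shannon_entropy(data)


# --- constructed sample data -------------------------------------------------

def fake_encrypt(data: bytes) -> bytes:
    """Stand-in for a cipher: random bytes of the same length."""
    return os.urandom(len(data))


def simulate_intermittent(plain: bytes, block: int = 16 * 1024) -> bytes:
    """Mimic intermittent encryption: every other `block`-sized stretch is encrypted."""
    out = bytearray()
    for i in range(0, len(plain), block):
        piece = plain[i:i + block]
        out += fake_encrypt(piece) if (i // block) % 2 == 0 else piece
    return bytes(out)


def simulate_partial(plain: bytes, head: int = 16 * 1024) -> bytes:
    """Mimic partial encryption: only the first `head` bytes are encrypted."""
    return fake_encrypt(plain[:head]) + plain[head:]


# 64-byte line repeated to exactly 128 KiB, i.e. 32 chunks of 4 KiB.
PLAIN = b"quarterly revenue summary, cost centre 441, approved by finance\n" * 2048


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN),
                       ("fully encrypted", fake_encrypt(PLAIN)),
                       ("intermittent", simulate_intermittent(PLAIN)),
                       ("partial (head only)", simulate_partial(PLAIN))]:
        label, frac, whole = classify(blob)
        print(f"{name:20s} label={label:8s} high_chunks={frac:.3f} whole_file_entropy={whole:.2f}")
```

The intermittent sample scores roughly 7.3 bits/byte for the whole file, under the threshold, yet half of its chunks are indistinguishable from random; a per-file entropy rule would clear it and the per-chunk rule flags it.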
Let’s see what you need to know about this strain to keep attackers from gaining access to your critical infrastructure.
Here’s a breakdown of how BlackSuit ransomware operates:
BlackSuit ransomware spreads through several channels, such as malicious email attachments, torrent sites, malvertising, and trojanized software.
Once inside a system, the ransomware begins encrypting files. It uses the FindFirstFileW() and FindNextFileW() Windows API functions to enumerate the files and folders on the host.
BlackSuit ransomware encrypts specific file types with strong encryption, such as the Advanced Encryption Standard (AES), and renames each encrypted file by appending ".blacksuit" to its name.
It drops a ransom note named "README.BlackSuit.txt" in every folder it traverses after encrypting the files there. The note is how the attackers instruct victims to pay for the decryption key.
BlackSuit ransomware also changes the infected computer's desktop background to display a message or image about the attack.
Encrypted files cannot be opened or used without the decryption key, and the attackers may threaten to publish or sell the stolen data if they are not paid.
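The two on-disk artifacts named in the steps above, the ".blacksuit" extension and the "README.BlackSuit.txt" note, are exactly what a responder sweeps a file share or endpoint for during triage. The following is an added example, not code from the original page or from Fidelis, of such a sweep; it builds a small constructed directory tree in a temporary folder so it runs offline, and the folder layout and file names are invented for the demonstration.

```python
"""Triage sweep for BlackSuit file-system artifacts.

Added example (not Fidelis code). Walks a directory tree and reports files
carrying the ".blacksuit" extension and ransom notes named README.BlackSuit.txt,
with a per-directory tally that shows how far the encryption run got.
"""
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".blacksuit"
RANSOM_NOTE = "README.BlackSuit.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    per_dir_counts: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def hit(self) -> bool:
        """True when either indicator was seen anywhere under the root."""
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Collect both indicators under `root`; extension match is case-insensitive."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                result.per_dir_counts[dirpath] += 1
    return result


def original_name(encrypted_path: str) -> str:
    """Recover the pre-encryption file name by stripping the appended extension."""
    base = os.path.basename(encrypted_path)
    if base.lower().endswith(ENCRYPTED_EXT):
        return base[:-len(ENCRYPTED_EXT)]
    return base


def build_sample_tree() -> str:
    """Constructed sample: a tiny 'victim' share with two hit folders and one clean one."""
    root = tempfile.mkdtemp(prefix="blacksuit_demo_")
    layout = {
        "finance": ["Q3-report.xlsx.blacksuit", "budget.docx.blacksuit", RANSOM_NOTE],
        "hr": ["payroll.csv.blacksuit", RANSOM_NOTE],
        "public": ["readme.txt", "logo.png"],
    }
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"x" * 16)  # placeholder contents
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    res = scan_tree(root)
    print(f"scan of {root}: hit={res.hit}")
    print(f"  encrypted files : {len(res.encrypted_files)}")
    print(f"  ransom notes    : {len(res.ransom_notes)}")
    for d, n in sorted(res.per_dir_counts.items()):
        print(f"  {os.path.relpath(d, root)}: {n} encrypted file(s)")
    for p in res.encrypted_files:
        print(f"  {os.path.basename(p)} -> was {original_name(p)}")
```

Point the scanner at a mounted share or a forensic image rather than a live infected host where possible; a positive hit is the cue to isolate the system, not to start cleaning it.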
If any of these ransomware attack symptoms are noticed, act immediately: isolate the compromised system to prevent lateral movement across your network. BlackSuit ransomware IoCs include the artifacts described above: files renamed with the ".blacksuit" extension, the "README.BlackSuit.txt" ransom note, and a changed desktop background.
In the past year, BlackSuit has claimed dozens of victims and has leaked data stolen from 53 organizations. Those leaks may include sensitive personal and financial information that can cause further harm to both the affected individuals and the organizations.
Data Leak Consequences
Public disclosure of stolen information is used to coerce BlackSuit ransomware victims into paying the ransom; the pressure comes from the reputational damage, financial loss, and legal and regulatory repercussions that follow a leak.
Of particular note, a recent report observed a BlackSuit demand as high as about $18 million, with an average initial demand of about $2.5 million and an average facilitated ransom payment of around $500,000.
What Extortion Tactics Does BlackSuit Ransomware Use?
BlackSuit ransomware operates a multi-pronged extortion model: encrypting victim data, exfiltrating the victim's sensitive information, and hosting public data leak sites.
How Does Encryption Impact the Victims?
Encryption renders data inaccessible, causing significant operational disruption to the affected company. The resulting downtime leads to massive losses, and victims are often compelled to pay the ransom in the hope of recovering critical data.
What Is the Role of Data Exfiltration in Their Strategy?
Data exfiltration is the theft of sensitive information from victim systems. The stolen data is later used to increase the pressure on victims to pay the ransom.
How Do Public Data Leak Sites Contribute to Their Extortion Tactics?
If victims do not agree to the ransom demands, the group publishes the stolen information on a public data leak site. This exposure can further damage the victims' reputation and operations, adding to the pressure to pay.
Case Study:
In April 2024, a BlackSuit ransomware attack was detected that began with Kerberoasting, a post-exploitation technique in which an attacker with any domain account requests service tickets for Active Directory accounts that have a Service Principal Name (SPN); each ticket is encrypted with that account's password hash, so it can be cracked offline to recover the password. In this incident, the technique was used within the customer's environment, and the attack went on to encrypt key systems and exfiltrate sensitive data. The affected organization was hampered by poor asset inventory and poor endpoint visibility, which has driven demand for stronger cybersecurity controls.
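Kerberoasting leaves a recognizable trace on domain controllers: Security event 4769 (a Kerberos service ticket was requested) shows one account obtaining RC4-HMAC (TicketEncryptionType 0x17) tickets for many different service accounts in a short burst, because RC4 tickets are the cheap ones to crack. The following is an added example, not code from the original page or from Fidelis, of that detection logic run over constructed sample events. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status) are those of the real 4769 event data; the five-minute window, the three-SPN threshold, and all account and host names are assumptions made for the demonstration.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example (not Fidelis code). Sample events are constructed inline.
Heuristic: one account obtaining RC4-HMAC service tickets for several distinct
SPN-bearing accounts inside a short window. krbtgt and computer accounts
(names ending in '$') are excluded because tickets for them are not roast targets.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # ticket encrypted with the service account's NT hash: cheap to crack
AES256 = "0x12"    # for reference: AES tickets are far more expensive to crack


def _t(hms: str) -> datetime:
    # Constructed timestamps, all on 2024-04-12 (UTC).
    return datetime.fromisoformat(f"2024-04-12T{hms}")


def _ev(t, user, svc, etype, ip, status="0x0"):
    return {"time": _t(t), "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


SAMPLE_4769_EVENTS = [
    # normal AES service ticket from a workstation user
    _ev("03:10:02", "asmith@CORP.LOCAL", "svc_sql", AES256, "10.0.1.20"),
    # machine account talking to the KDC itself: krbtgt is never a roast target
    _ev("03:12:40", "WS07$@CORP.LOCAL", "krbtgt", RC4_HMAC, "10.0.1.7"),
    # burst of RC4 tickets from one user to three different service accounts
    _ev("03:14:05", "jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.0.1.55"),
    _ev("03:14:06", "jdoe@CORP.LOCAL", "svc_web", RC4_HMAC, "10.0.1.55"),
    _ev("03:14:06", "jdoe@CORP.LOCAL", "svc_backup", RC4_HMAC, "10.0.1.55"),
    _ev("03:14:07", "jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.0.1.55"),  # repeat SPN
    # RC4 ticket to a computer account (host service): not crackable to a human password
    _ev("03:14:30", "bnguyen@CORP.LOCAL", "FS01$", RC4_HMAC, "10.0.1.61"),
    # failed request (non-zero Status) is ignored
    _ev("03:15:00", "jdoe@CORP.LOCAL", "svc_exchange", RC4_HMAC, "10.0.1.55", status="0x1b"),
]


def is_roastable(ev: dict) -> bool:
    """A successful RC4 service ticket for a user (not computer, not krbtgt) service account."""
    svc = ev["ServiceName"].lower()
    if svc == "krbtgt" or svc.endswith("$"):
        return False
    return ev["TicketEncryptionType"].lower() == RC4_HMAC and ev["Status"] == "0x0"


def detect_kerberoasting(events, window: timedelta = timedelta(minutes=5), min_spns: int = 3):
    """One alert per requesting account that collected >= min_spns distinct RC4 tickets within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            by_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):          # sliding window over this user's requests
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            spns = sorted({e["ServiceName"] for e in evs[start:end + 1]})
            if len(spns) >= min_spns:
                alerts.append({"user": user, "source_ip": ev["IpAddress"], "spns": spns,
                               "first_seen": evs[start]["time"], "last_seen": ev["time"]})
                break                           # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769_EVENTS):
        print(f"[ALERT] possible Kerberoasting by {a['user']} from {a['source_ip']}: "
              f"{len(a['spns'])} SPNs {a['spns']} between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

In a production deployment the same logic runs over 4769 events forwarded from every domain controller, and the response is to disable the requesting account, rotate the passwords of every service account in the alert (long, random passwords or group Managed Service Accounts), and move those accounts off RC4 so the tickets are no longer cheap to crack.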
Here are some best practices to keep BlackSuit ransomware from infecting your systems:
Here’s how to fortify Remote Desktop Protocol (RDP) against BlackSuit ransomware attacks:
Fidelis Security provides a full set of tools to shield against many types of ransomware threats. By zeroing in on early detection, quick action, and containment, Fidelis tools help protect your network and devices from new attacks.
Fidelis’ NDR solution gives a clear, real-time view of your network, spotting the odd behaviors that often go hand in hand with ransomware activity.
Fidelis’ EDR solution keeps an eye on devices non-stop, cutting off ransomware-infected machines and stopping the malware from spreading.
It helps box in ransomware within your network, confining it to certain segments to cut down on damage.
It uses machine learning and behavior analysis to spot encryption attempts and warn you about ransomware threats before they get worse.
Srestha is a cybersecurity expert and passionate writer with a keen eye for detail and a knack for simplifying intricate concepts. She crafts engaging content and her ability to bridge the gap between technical expertise and accessible language makes her a valuable asset in the cybersecurity community. Srestha's dedication to staying informed about the latest trends and innovations ensures that her writing is always current and relevant.