Blacksuit

Malware updated a month ago (2024-11-29T14:12:50.613Z)
BlackSuit is a ransomware family that has caused significant damage to victim networks. It is assessed to be a rebranding of the Royal ransomware operation: the two share substantial code, and CISA and the FBI have both issued warnings treating BlackSuit as Royal's successor. Early reporting and analysis of the rebranded operation came from Recorded Future, Arete Incident Response and the ReliaQuest Threat Research Team.

The malware reaches systems over HTTP/S, encrypts files and drops a ransom note for the victim. Hunting queries for BlackSuit typically key on the known filenames of its ransom notes and the extension it appends to encrypted files. Once inside an environment, the operators use Rclone, a legitimate command-line cloud-storage sync tool that penetration testers also use to stage data exfiltration, to copy data out of the victim network before encryption. Rclone's legitimate uses mean its presence alone is not malicious, which is why BlackSuit and similar groups favour it.

In response to the rise of BlackSuit, organizations including HC3, CISA and SafeBreach have published coverage and analysis of the threat, aimed at helping businesses and individuals understand how BlackSuit operates and how to defend against it. The shared goal is to limit the spread of BlackSuit and similar ransomware, protect valuable data and keep digital infrastructure secure.
Description last updated: 2024-11-21T10:27:26.360Z
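The description above mentions two detection angles: hunting for BlackSuit ransom notes and encrypted-file extensions, and spotting Rclone being used for exfiltration. The script below is an added worked example, not Cybergeist's, CISA's or any vendor's detection content. It assumes the indicator values that public reporting gives for BlackSuit (a note named readme.BlackSuit.txt and a .blacksuit extension, with .royal for its Royal predecessor); the process-creation log format, the hostnames, users and command lines are constructed for the demo. The Rclone check deliberately does not rely on the binary name, because operators routinely rename rclone.exe; it also looks for the combination of an rclone verb, a "remote:path" destination and an rclone-specific flag.

```python
"""
Added hunting example: (1) sweep a directory tree for BlackSuit ransom notes
and encrypted files, (2) flag Rclone exfiltration in process-creation log
lines, including the case where the rclone binary has been renamed.
Illustrative code only; indicator names are assumptions taken from public
reporting and should be replaced with your own threat-intel feed.
"""
import os
import re
import tempfile

# Assumed indicators (public reporting): readme.BlackSuit.txt is the BlackSuit
# ransom note, .blacksuit the encrypted-file extension, .royal its predecessor's.
# Filenames are matched case-insensitively.
RANSOM_NOTE_NAMES = {"readme.blacksuit.txt"}
ENCRYPTED_EXTENSIONS = {".blacksuit", ".royal"}

# Rclone sub-commands and flags that show up in exfiltration command lines.
RCLONE_VERBS = {"copy", "sync", "move", "copyto"}
RCLONE_FLAGS = {"--transfers", "--config", "--no-check-certificate",
                "--bwlimit", "--ignore-existing", "--multi-thread-streams"}
# An rclone destination looks like "<remote>:<path>" (e.g. "mega:backup");
# the negative lookahead keeps Windows drive letters like "C:\" from matching.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]+:(?![\\/])")


def find_ransomware_artifacts(root):
    """Walk `root`; return (ransom_note_paths, encrypted_file_paths), sorted."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in RANSOM_NOTE_NAMES:
                notes.append(path)
            elif os.path.splitext(lower)[1] in ENCRYPTED_EXTENSIONS:
                encrypted.append(path)
    return sorted(notes), sorted(encrypted)


def parse_event(line):
    """Parse a constructed 'ts|host|user|image|cmd' process-creation line."""
    ts, host, user, image, cmd = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def looks_like_rclone(event):
    """True if the event is rclone, even when the binary has been renamed."""
    image_name = os.path.basename(event["image"].replace("\\", "/")).lower()
    if image_name in {"rclone", "rclone.exe"}:
        return True
    # Whitespace tokenisation is crude (no shell-quoting support) but enough
    # for this demo; use a proper command-line parser on real telemetry.
    tokens = [t.strip('"') for t in event["cmd"].split()]
    has_verb = any(t in RCLONE_VERBS for t in tokens)
    has_remote = any(REMOTE_RE.match(t) for t in tokens)
    has_flag = any(t.split("=")[0] in RCLONE_FLAGS for t in tokens)
    return has_verb and has_remote and has_flag


def flag_rclone_events(lines):
    """Return the parsed events that look like rclone usage, for triage."""
    return [ev for ev in map(parse_event, lines) if looks_like_rclone(ev)]


# Constructed sample telemetry (not real victim data): a renamed rclone copying
# a file share to a cloud remote, a benign svchost, and an unrenamed rclone.
SAMPLE_EVENTS = [
    "2024-11-21T10:27:26Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\svchost.exe|"
    "svchost.exe copy \\\\FS01\\Finance mega:finance --transfers 32 --no-check-certificate",
    "2024-11-21T10:28:01Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\svchost.exe|"
    "svchost.exe -k netsvcs -p",
    "2024-11-21T10:30:12Z|WS22|CORP\\admin|C:\\Tools\\rclone.exe|"
    "rclone.exe lsd s3:",
]


def build_demo_tree():
    """Create a throwaway directory with constructed artefacts; return its path."""
    root = tempfile.mkdtemp(prefix="blacksuit-demo-")
    share = os.path.join(root, "Finance")
    os.makedirs(share)
    for name in ("Q3.xlsx.blacksuit", "budget.docx.blacksuit",
                 "readme.BlackSuit.txt", "notes.txt"):
        with open(os.path.join(share, name), "w") as fh:
            fh.write("constructed placeholder\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    notes, enc = find_ransomware_artifacts(demo_root)
    print(f"ransom notes: {len(notes)}, encrypted files: {len(enc)}")
    for ev in flag_rclone_events(SAMPLE_EVENTS):
        print(f"[rclone] {ev['ts']} {ev['host']} {ev['user']} image={ev['image']}")
```

Two practical notes. On a live file server, a handful of .blacksuit files can be a false positive from a user renaming things, so alert on a count per directory rather than a single hit. For Rclone, the renamed-binary branch is the one that matters: an EDR rule that only matches the image name rclone.exe is trivially bypassed, whereas the verb/remote/flag combination survives renaming and can be tightened further by pairing it with outbound connections to cloud-storage providers.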
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Royal Ransomware (10 votes). Royal Ransomware is a possible alias for Blacksuit. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea

Conti (8 votes). Conti is a possible alias for Blacksuit. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona

Alphv (3 votes). Alphv is a possible alias for Blacksuit. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p

Blackbasta (3 votes). Blackbasta is a possible alias for Blacksuit. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Windows
Encryption
Phishing
Extortion
Malware
Antivirus
Payload
Linux
Data Leak
Loader
CISA
VPN
ESXi
Health
Encrypt
Exploit
Associated Malware
Blacksuit Ransomware (association type: unspecified, 7 votes). The Blacksuit Ransomware Malware is associated with Blacksuit. The BlackSuit ransomware, a malicious software variant designed to encrypt and ransom victims' files, emerged in May 2023 as a direct evolution of the Royal ransomware. The group behind this threat, known as Ignoble Scorpius, was identified by Unit 42 Threat Intelligence, which also observed an incr

Akira (association type: unspecified, 2 votes). The Akira Malware is associated with Blacksuit. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo

Lockbit (association type: unspecified, 2 votes). The Lockbit Malware is associated with Blacksuit. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or

Blacksuit (Royal) Ransomware (association type: unspecified, 2 votes). The malware Blacksuit (Royal) Ransomware is associated with Blacksuit.
Source Document References
Information about the Blacksuit Malware was read from the documents in the corpus listed below (source and time of creation; this display is limited to 20 results).
InfoSecurity-magazine, 9 days ago
Unit42, a month ago
Checkpoint, 3 months ago
Securityaffairs, 4 months ago
BankInfoSecurity, 4 months ago
Securityaffairs, 5 months ago
InfoSecurity-magazine, 5 months ago
InfoSecurity-magazine, 5 months ago
Securityaffairs, 5 months ago
CISA, 5 months ago
DARKReading, a year ago
InfoSecurity-magazine, 6 months ago
InfoSecurity-magazine, 6 months ago
BankInfoSecurity, 6 months ago
BankInfoSecurity, 6 months ago
DARKReading, 6 months ago
Checkpoint, 6 months ago
DARKReading, 7 months ago
DARKReading, 7 months ago
BankInfoSecurity, 8 months ago