Blacksuit

Malware updated 3 hours ago (2024-11-21T10:30:45.595Z)
BlackSuit is a ransomware family that has caused significant damage to computer systems. It is believed to be a rebranding of the Royal ransomware gang, based on code similarities between the two; this assessment was confirmed by warnings from both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The rebranded BlackSuit ransomware first appeared in reports and analyses from Recorded Future, Arete Incident Response, and the ReliaQuest Threat Research Team.

The malware infiltrates systems through HTTP/S, encrypts files, and leaves a ransom note for victims. Detection queries have been developed to identify its presence by looking for the known file names of BlackSuit's ransom notes and encrypted files. Once inside a system, BlackSuit uses Rclone, a legitimate data-transfer tool that penetration testing teams also use for data exfiltration, to extract data from victim environments; despite its legitimate uses, threat actors like BlackSuit have co-opted Rclone for malicious purposes.

In response to the rise of BlackSuit, multiple organizations, including HC3, CISA, and SafeBreach, have published coverage and analysis of this threat. Their aim is to help businesses and individuals understand what BlackSuit is, how it operates, and how to protect themselves from it, with the overall goal of stopping the spread of BlackSuit and similar ransomware, protecting valuable data, and maintaining the security of digital infrastructure.
Description last updated: 2024-11-21T10:27:26.360Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes): Description

Royal Ransomware (10 votes): Royal Ransomware is a possible alias for Blacksuit. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea

Conti (8 votes): Conti is a possible alias for Blacksuit. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra

Alphv (3 votes): Alphv is a possible alias for Blacksuit. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB

Blackbasta (3 votes): Blackbasta is a possible alias for Blacksuit. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Windows
Encryption
Phishing
Extortion
Malware
Antivirus
Payload
Linux
Data Leak
Loader
CISA
Vpn
Esxi
Health
Encrypt
Exploit
Analyst Notes & Discussion
Associated Malware
Alias (association type, votes): Description

Blacksuit Ransomware (Unspecified, 7 votes): The Blacksuit Ransomware Malware is associated with Blacksuit. The BlackSuit ransomware, a malicious software variant designed to encrypt and ransom victims' files, emerged in May 2023 as a direct evolution of the Royal ransomware. The group behind this threat, known as Ignoble Scorpius, was identified by Unit 42 Threat Intelligence, which also observed an incr

Akira (Unspecified, 2 votes): The Akira Malware is associated with Blacksuit. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo

Lockbit (Unspecified, 2 votes): The Lockbit Malware is associated with Blacksuit. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit

Blacksuit (Royal) Ransomware (Unspecified, 2 votes): The malware Blacksuit (Royal) Ransomware is associated with Blacksuit.
Source Document References
Information about the Blacksuit Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created):
Unit42 (5 hours ago)
Checkpoint (2 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (3 months ago)
Securityaffairs (3 months ago)
InfoSecurity-magazine (3 months ago)
InfoSecurity-magazine (3 months ago)
Securityaffairs (3 months ago)
CISA (3 months ago)
DARKReading (a year ago)
InfoSecurity-magazine (4 months ago)
InfoSecurity-magazine (4 months ago)
BankInfoSecurity (5 months ago)
BankInfoSecurity (5 months ago)
DARKReading (5 months ago)
Checkpoint (5 months ago)
DARKReading (6 months ago)
DARKReading (6 months ago)
BankInfoSecurity (7 months ago)
Checkpoint (7 months ago)