Blacksuit

Malware updated a year ago (2024-11-29T14:12:50.613Z)

Download STIX

Preview STIX

BlackSuit is a new strain of malware, specifically ransomware, that has been causing significant damage to computer systems. It is believed to be a rebranding of the Royal ransomware gang, as indicated by similarities in code between the two. This suspicion was confirmed by warnings from both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The rebranded BlackSuit ransomware first appeared in various reports and analyses, including those from Recorded Future, Arete Incident Response, and ReliaQuest Threat Research Team. The malicious software infiltrates systems through HTTP/S, encrypting files and leaving a ransom note for victims. Specific queries have been developed to identify the presence of this malware, looking for known names of BlackSuit's ransom notes and encrypted files. Once inside a system, BlackSuit uses Rclone, a legitimate tool often used for data exfiltration by penetration testing teams, to extract data from victim environments. Despite its legitimate uses, threat actors like BlackSuit have co-opted Rclone for nefarious purposes. In response to the rise of BlackSuit, multiple organizations, including HC3, CISA, and SafeBreach, have provided coverage and analysis of this threat. These entities aim to help businesses and individuals understand the nature of BlackSuit, how it operates, and how they can protect themselves from falling victim to this ransomware. The overall goal is to stop the spread of BlackSuit and other similar types of ransomware, protecting valuable data and maintaining the security of digital infrastructure.

Description last updated: 2024-11-21T10:27:26.360Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Royal Ransomware is a possible alias for Blacksuit. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea	10
Conti is a possible alias for Blacksuit. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona	8
Blackbasta is a possible alias for Blacksuit. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet	3
Alphv is a possible alias for Blacksuit. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Ransom

Windows

Encryption

Malware

Extortion

Data Leak

Phishing

Payload

Encrypt

RaaS

Linux

Antivirus

Loader

CISA

Cybercrime

Bitcoin

Exploit

Esxi

Vpn

Health

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Blacksuit Ransomware Malware is associated with Blacksuit. The BlackSuit ransomware, a malicious software variant designed to encrypt and ransom victims' files, emerged in May 2023 as a direct evolution of the Royal ransomware. The group behind this threat, known as Ignoble Scorpius, was identified by Unit 42 Threat Intelligence, which also observed an incr	Unspecified	7
The Lockbit Malware is associated with Blacksuit. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or	Unspecified	4
The malware Blacksuit (Royal) Ransomware is associated with Blacksuit.	Unspecified	3
The Akira Malware is associated with Blacksuit. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The BianLian Threat Actor is associated with Blacksuit. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory	Unspecified	2

Source Document References

Information about the Blacksuit Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	5 days ago	Coordinated sanctions hit Russian bulletproof hosting providers enabling top ransomware Ops
InfoSecurity-magazine	6 days ago	UK, US and Australia Sanction Russian Bulletproof Hoster Media Land
Checkpoint	12 days ago	The State of Ransomware – Q3 2025 - Check Point Research
InfoSecurity-magazine	3 months ago	US Authorities Seize $1m from BlackSuit Ransomware Group
Securityaffairs	4 months ago	FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms
Securityaffairs	4 months ago	Law enforcement operations seized BlackSuit ransomware gang’s darknet sites
InfoSecurity-magazine	4 months ago	BlackSuit Ransomware Group’s Dark Web Sites Seized
CrowdStrike	5 months ago	Healthcare Industry Observations from CrowdStrike Investigations
InfoSecurity-magazine	a year ago	Ransomware Attackers Target Industries with Low Downtime Tolerance
Unit42	a year ago	Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
Checkpoint	a year ago	16th September – Threat Intelligence Report - Check Point Research
Securityaffairs	a year ago	Young Consulting data breach impacts 954,177 individuals
BankInfoSecurity	a year ago	Ransomware Hackers Steal Medical Insurance Data of 1M People
Securityaffairs	a year ago	Security Affairs newsletter Round 484 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine	a year ago	Threat Actors Favor Rclone, WinSCP and cURL as Data Exfiltration Tools
InfoSecurity-magazine	a year ago	BlackSuit/Royal Ransomware Group Has Demanded $500m
Securityaffairs	a year ago	FBI and CISA update a joint advisory on the BlackSuit Ransomware group
CISA	a year ago	Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory \| CISA
DARKReading	2 years ago	Feds Snarl ALPHV/BlackCat Ransomware Operation
InfoSecurity-magazine	a year ago	Indiana County Files Disaster Declaration Following Ransomware Attack