Blacksuit

Malware updated a month ago (2024-09-16T14:17:44.194Z)
BlackSuit is ransomware that has been linked to the Royal ransomware operation; the available evidence points to a rebranding of Royal as BlackSuit rather than a new group. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued an advisory on the threat, noting that BlackSuit shares numerous coding similarities with Royal while exhibiting improved capabilities. BlackSuit has been active since approximately June 2023, when Royal, which had operated under that name since September 2022, stopped appearing.

Like most ransomware, BlackSuit reaches victims through phishing emails, malicious downloads, or compromised websites, and once inside it steals data, disrupts operations, and holds data hostage for ransom. The BlackSuit actors primarily use phishing emails for initial access. Once inside a victim network they disable antivirus software, exfiltrate large volumes of data, and only then deploy the ransomware to encrypt systems. This is double extortion: if the demanded ransom is not paid, the stolen data is published on the group's leak site.

Several high-profile attacks have been attributed to BlackSuit, including breaches at Charles Darwin School, Young Consulting, and the Japanese media company Kadokawa. Across these incidents, sensitive data including student information, company contracts, employee details, and the personal information of over 950,000 individuals was compromised.
Given the increasing frequency and severity of these attacks, businesses and individuals are advised to exercise caution when opening emails, downloading files, or visiting websites, especially those that appear suspicious.
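The three-stage sequence described above (disable antivirus, exfiltrate in bulk, then encrypt) is also a detection opportunity: each stage leaves telemetry, and a host that shows the stages in that order is worth isolating before the encryptor runs. The following Python is an added example, not code from this page or from the CISA/FBI advisory; the JSON-lines log schema, the field names, the Defender-tampering command patterns, and the volume thresholds are all assumptions chosen for illustration, and the sample events are constructed.

```python
"""Stage correlation for the playbook described above (antivirus tampering, then
bulk exfiltration, then encryption). Added example, not code from the page or
from CISA/FBI; the telemetry schema and thresholds are assumptions."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names are assumptions:
# ts (monotonic per host), host, event kind, and kind-specific fields.
SAMPLE_LOGS = """
{"ts": 1, "host": "ws01", "event": "process", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": 2, "host": "ws01", "event": "netflow", "dst": "203.0.113.10", "bytes_out": 900000000}
{"ts": 3, "host": "ws01", "event": "netflow", "dst": "203.0.113.10", "bytes_out": 1100000000}
{"ts": 4, "host": "ws01", "event": "file", "op": "rename", "count": 5400}
{"ts": 1, "host": "ws02", "event": "netflow", "dst": "198.51.100.5", "bytes_out": 3000000000}
{"ts": 2, "host": "ws02", "event": "file", "op": "rename", "count": 2000}
{"ts": 5, "host": "ws03", "event": "process", "cmd": "sc.exe stop WinDefend"}
{"ts": 6, "host": "ws03", "event": "netflow", "dst": "203.0.113.10", "bytes_out": 4096}
""".strip()

# Command-line patterns that disable or stop Microsoft Defender. Real operators
# use many more techniques (vulnerable drivers, tamper-protection bypasses); this
# list is deliberately small and is an illustration, not a complete signature set.
AV_TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|delete)\s+WinDefend\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+stop\s+WinDefend\b", re.I),
]

STAGE_ORDER = ["av_tamper", "exfil", "encrypt"]


def classify(event, state, exfil_threshold, rename_threshold):
    """Map one event to a stage name or None; `state` holds per-host running totals."""
    kind = event.get("event")
    if kind == "process":
        if any(p.search(event.get("cmd", "")) for p in AV_TAMPER_PATTERNS):
            return "av_tamper"
    elif kind == "netflow":
        # Exfiltration shows up as a large cumulative outbound volume, not one flow.
        state["bytes_out"] += int(event.get("bytes_out", 0))
        if state["bytes_out"] >= exfil_threshold:
            return "exfil"
    elif kind == "file" and event.get("op") == "rename":
        # Encryption looks like a burst of renames across many files.
        state["renames"] += int(event.get("count", 0))
        if state["renames"] >= rename_threshold:
            return "encrypt"
    return None


def stages_by_host(lines, exfil_threshold=1_000_000_000, rename_threshold=1000):
    """Return {host: [stage, ...]} with each stage recorded once, in first-seen order."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    events.sort(key=lambda e: (e["host"], e["ts"]))
    state = defaultdict(lambda: {"bytes_out": 0, "renames": 0})
    seen = defaultdict(list)
    for e in events:
        stage = classify(e, state[e["host"]], exfil_threshold, rename_threshold)
        if stage and stage not in seen[e["host"]]:
            seen[e["host"]].append(stage)
    return dict(seen)


def full_chain_hosts(lines, **thresholds):
    """Hosts that went through all three stages in the order the page describes."""
    return sorted(h for h, s in stages_by_host(lines, **thresholds).items() if s == STAGE_ORDER)


def partial_chain_hosts(lines, **thresholds):
    """Hosts with exactly two stages: the window in which encryption can still be pre-empted."""
    return sorted(h for h, s in stages_by_host(lines, **thresholds).items() if len(s) == 2)


if __name__ == "__main__":
    for host, stages in sorted(stages_by_host(SAMPLE_LOGS).items()):
        print(host, "->", " > ".join(stages))
    print("full chain:", full_chain_hosts(SAMPLE_LOGS))
    print("partial chain:", partial_chain_hosts(SAMPLE_LOGS))
```

The correlation is stateful per host because no single signal is conclusive on its own: a 2 GB backup job or a developer renaming a build tree should not page anyone, but the same host disabling real-time protection shortly before changes the picture. The tamper patterns and the byte and rename thresholds are starting points to be tuned against an environment's own baseline, not values from the advisory.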
Description last updated: 2024-09-16T14:16:34.456Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names or profiles that may also be relevant. Note that "possible alias" here reflects vendor clustering votes, not a confirmed identity.
Alias (votes): description
Royal Ransomware (10 votes): Royal Ransomware is a possible alias for Blacksuit. The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious
Conti (7 votes): Conti is a possible alias for Blacksuit. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op
Blackbasta (3 votes): Blackbasta is a possible alias for Blacksuit. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation
Alphv (3 votes): Alphv is a possible alias for Blacksuit. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Windows
Extortion
Phishing
Encryption
Linux
Malware
Antivirus
Esxi
Payload
Loader
CISA
Vpn
Data Leak
Health
Exploit
Associated Malware
Malware (association type, votes): description
Blacksuit Ransomware (Unspecified, 6 votes): The Blacksuit Ransomware Malware is associated with Blacksuit. The BlackSuit ransomware is a malicious software designed to exploit and damage computer systems, often holding data hostage for ransom. Introduced in May 2023, it is a continuation or new version of the Royal ransomware operation, with the rebranding officially noted by the FBI and CISA in an advis
Lockbit (Unspecified, 2 votes): The Lockbit Malware is associated with Blacksuit. LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat
Akira (Unspecified, 2 votes): The Akira Malware is associated with Blacksuit. Akira is a notorious malware, specifically a ransomware, that has been active since April 2023. It utilizes dual extortion tactics to compromise various industries, as outlined in a technical analysis shared by cybersecurity researchers. The ransomware's modus operandi includes stealing sensitive da
Source Document References
Information about the Blacksuit Malware was read from the documents below (display limited to 20 results).
Source (created at)
Checkpoint (a month ago)
Securityaffairs (2 months ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
InfoSecurity-magazine (2 months ago)
InfoSecurity-magazine (2 months ago)
Securityaffairs (2 months ago)
CISA (2 months ago)
DARKReading (10 months ago)
InfoSecurity-magazine (3 months ago)
InfoSecurity-magazine (3 months ago)
BankInfoSecurity (3 months ago)
BankInfoSecurity (4 months ago)
DARKReading (4 months ago)
Checkpoint (4 months ago)
DARKReading (5 months ago)
DARKReading (5 months ago)
BankInfoSecurity (6 months ago)
Checkpoint (6 months ago)
Securityaffairs (6 months ago)