Feds Issue Warning About BlackSuit Ransomware as Ransom Demands Top $500M


For the past two years, Royal ransomware has been one of the most prolific ransomware groups; however, in July 2023, Royal ransomware attacks ground to a halt following an attack on the City of Dallas. Ransomware groups often shut down their operations, rebrand, and continue their attacks under a different name using a new encryptor, and that appears to be the case with Royal, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

In a recently updated cybersecurity advisory, CISA and the FBI confirmed that BlackSuit is the new name for the Royal ransomware group, a determination based on the similarities between the BlackSuit and Royal encryptor code and on the new group's emergence just as Royal shut down. BlackSuit is a private ransomware group that does not use affiliates and is believed to include former members of the infamous Conti ransomware group. After splitting from Conti in early 2022, a new group called Zeon was formed; it used the encryptors of other ransomware groups before developing its own and rebranding as Royal in September 2022.

Royal was a highly capable and prolific group that rapidly became one of the most active ransomware operations, overtaking LockBit in terms of attacks just a couple of months after rebranding as Royal. For the past two years, Royal has been one of the three most active ransomware groups and has conducted at least 350 attacks, including several on healthcare organizations. In December 2023, the Health Sector Cybersecurity Coordination Center issued a sector alert about BlackSuit, warning that the new group poses a credible threat to the healthcare and public health (HPH) sector.

BlackSuit is proving to be just as prolific as its predecessor and has already demanded ransoms totaling more than $500 million. One of those attacks involved what is thought to be the largest ever ransom demand ($60 million), although the group's demands typically range from $1 million to $10 million. According to CISA and the FBI, the group has shown a willingness to negotiate payments with victims. The group engages in double extortion tactics, stealing data and threatening to publish it on its leak site if the ransom is not paid. Victims must also pay to obtain the decryptors needed to recover their encrypted files.

CISA and the FBI have observed BlackSuit using a variety of methods for initial access, including Remote Desktop Protocol (RDP) and the exploitation of vulnerable public-facing applications. BlackSuit is also thought to use initial access brokers, with access obtained by harvesting virtual private network (VPN) credentials from stealer logs. The most successful method of initial access, however, has been phishing emails, commonly carrying PDF files. The updated alert includes detailed information about the group, its tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and recommended mitigations for hardening defenses.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/