
Royal ransomware crew puts on a BlackSuit in rebrand

The cyber criminal ransomware gang that previously operated as Royal has rebranded and relaunched as BlackSuit, and is actively targeting organisations across multiple sectors with significant extortion demands, according to the Cybersecurity and Infrastructure Security Agency (CISA) under the auspices of its ongoing #StopRansomware campaign.

Likely descended from the defunct Conti operation and bearing potential links to other crews such as Black Basta and Hive, Royal was in action for a period of approximately nine months between the autumn of 2022 and summer of 2023, and in that timeframe conducted a series of damaging attacks.

Its reemergence 12 months on as BlackSuit has been tracked by both CISA and the FBI, which have judged from several known cyber attacks that its ransomware locker shares significant coding similarities to Royal’s, and also demonstrates “improved capabilities”.

Among these, said CISA: “BlackSuit uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt.”

In this way, it can lower the encryption percentage for larger files, which helps the gang evade detection, and significantly improves the speed at which the ransomware itself can operate.

As with other gangs, phishing emails are most frequently used to obtain initial access – although BlackSuit is also known to use Remote Desktop Protocol (RDP), vulnerabilities in public-facing web applications, and the services of initial access brokers (IABs).

After gaining access, its operatives also disable the victims’ antivirus software prior to going to work. BlackSuit conducts data exfiltration activities and extorts its victim prior to encrypting their data, which is later published to a dark web leak site if payment is not received.

CISA said the gang has collectively demanded over $500m (£393.4m) in payoffs, with typical ransoms ranging from $1m at the lower end of the scale up to around $10m, although at least one demand of $60m is known to have been made.

The gang is notable for not making a ransom demand at the point of its initial *******; victims must rather interact directly with its negotiators through a Tor Onion URL, which is delivered after data encryption. BlackSuit is also known to have attempted to use phone calls and emails to pressure its victims.

Martin Kraemer, security awareness advocate at 

This is the hidden content, please
, said: “The group responsible for the BlackSuit ransomware is known for using aggressive tactics to extort money. They are not afraid to threaten businesses with exposing corporate wrongdoing, intimidate the relatives of employees and leaders, or blackmail employees by revealing ******** activities.

“These tactics are designed to keep a business under their control. The more harm they cause to a company’s reputation, the more likely the victim is to pay. This is their strategy.

“We are close to a scenario where ransomware groups work closely with providers of disinformation services. On the dark web, one can arrange campaigns to ******** someone’s personal reputation or manipulate stock prices. The cost of such campaigns is much lower compared to a potential ransom payment.

“Organisations need to be ready. Crisis management and incident response teams must collaborate closely with the PR department to ensure the right level of transparency and limit the damage to employee and consumer trust. With targeted disinformation becoming a factor, PR departments must also be prepared to anticipate and manage narratives that could significantly harm the company. Whether it’s alleged negligence or misconduct, PR departments need to have prepared responses.”

More information on BlackSuit, including updated indicators of compromise (IoCs),

This is the hidden content, please
.
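The article's point that partial encryption helps evade detection can be seen from the defender's side in the following added example, which is not code from the article or from CISA. It assumes an entropy-based content check as the detection heuristic (the article does not say which detections are evaded); the window size, threshold and sample data are constructed for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 4096         # assumed scan window, in bytes
THRESHOLD = 7.5      # assumed bits/byte above which a window "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> dict:
    """Compare one whole-file entropy score with per-window scoring."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    high = [i for i, w in enumerate(windows) if shannon_entropy(w) >= threshold]
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_alert": whole >= threshold,   # naive single-score check
        "high_windows": high,                     # indexes of suspicious windows
        "high_fraction": len(high) / len(windows) if windows else 0.0,
        "windowed_alert": bool(high),
    }

def constructed_sample(windows: int = 100, high_every: int = 0, seed: int = 1) -> bytes:
    """Constructed test data: log-like text, with every Nth window replaced by
    seeded pseudo-random bytes standing in for an encrypted region."""
    rng = random.Random(seed)
    text = (b"2024-08-08 12:00:00 INFO service heartbeat ok\n" * 100)[:CHUNK]
    parts = []
    for i in range(windows):
        if high_every and i % high_every == 0:
            parts.append(bytes(rng.getrandbits(8) for _ in range(CHUNK)))
        else:
            parts.append(text)
    return b"".join(parts)

if __name__ == "__main__":
    for label, every in (("clean", 0), ("10% high-entropy", 10)):
        print(label, scan(constructed_sample(high_every=every)))
```

Compressed archives and legitimately encrypted files also score high per window, so a windowed alert is a triage signal to correlate with file-rename and mass-write telemetry rather than a verdict on its own.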
