Discover the similarities and connections between BlackSuit and Royal ransomware, shedding light on evolving cyber threats.

Continue reading
In early May 2023, the notorious Royal ransomware gang, already known as one of the most prominent ransomware families of 2022, made headlines once again. This time, their ransomware was used to target IT systems in Dallas, Texas.
In conjunction with these ongoing cyberattacks, a recently identified ransomware variant named BlackSuit has emerged, posing a threat to users of both Windows & Linux operating systems. This discovery was made by cybersecurity researchers on Twitter. What caught their attention was the connection between BlackSuit and Royal ransomware. In this Threatfeed we will thoroughly dissect the underlying nuances of BlackSuit and compare it to its predecessor, Royal ransomware.
Explore the intricacies of BlackSuit ransomware, including its encryption method and leak site specifics. Files encrypted by BlackSuit carry the ".blacksuit" extension, accompanied by a ransom note containing a victim ID and TOR chat site URL.

*BlackSuit ransom note (Trendmicro)*
To intensify the pressure, the operators maintain a data leak site, currently listing a solitary victim. Gain comprehensive insights into BlackSuit before diving into a comparative analysis with Royal ransomware.

*BlackSuit TOR website (Trendmicro)*
During the analysis, security researchers discovered that the Linux variant of BlackSuit, targeting Linux machines, shares a striking resemblance to the Linux variant of Royal ransomware. Using the BinDiff comparison tool, they found that both ransomware families exhibit a high degree of similarity. The comparison revealed that BlackSuit and Royal have 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps.

*Comparison of BlackSuit and Royal ransomware (Trendmicro)*
The observed similarities between BlackSuit & Royal ransomware indicate three possible scenarios: BlackSuit is either a new variant developed by the same authors as Royal, a copycat utilizing similar code, or an affiliate of the Royal ransomware group with modifications to the original family. This level of resemblance raises questions about their connection and origin.
In our analysis of BlackSuit ransomware, we discovered an x64 ESXi version that targets Linux machines. The BlackSuit Linux variant's YARA rules exhibited a striking match with samples of the Royal ransomware Linux variant, implying a significant correlation. In-depth analysis utilizing BinDiff, a binary file comparison tool, unveiled an exceptionally close resemblance between BlackSuit and Royal ransomware, indicating a strong connection between the two. The two variants share 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps, indicating that BlackSuit and Royal ransomware are nearly identical.
The table below outlines the comparison of arguments for the Linux versions of BlackSuit and Royal.
| Royal Argument | BlackSuit Argument | Description |
|---|---|---|
| -id {32-byte chars} | -name {32-byte chars} | Used as the victim's ID, appended to the TOR link in the ransom note. The process exits if the argument is not provided or if the characters do not have a length of 32 bytes. |
| -ep | -percent {0-100} | Used to define the encryption parameter. |
| -path {target path} | -p {target path} | Used to specify a target directory to encrypt. |
| -stopvm | -killvm | Used to terminate VM-linked processes via the EXSCLi command. |
| -vmonly | -allfiles |
*Table: Comparison of arguments for the Linux versions of BlackSuit and Royal.*
Further analysis revealed that BlackSuit employs command-line arguments similar to those used by Royal ransomware, although there are some differences. For example, BlackSuit introduces additional arguments not found in Royal, such as "-thrcount" to create a specified number of threads depending on the infected machine's processor count and "-skip" to skip specific folders listed in a text file.
Both the BlackSuit and Royal ransomware families exhibit similarities in their encryption methods and file targeting. They both avoid encrypting files with specific extensions and filenames, such as ".royal_u" and ".royal_w" for Royal ransomware, and ".blacksuit" and "README.BlackSuit.txt" for BlackSuit ransomware. However, BlackSuit also targets certain file extensions like ".vmem," ".vmdk," and ".vmx" if the "-allfiles" argument is not provided.
To optimize the encryption process, both ransomware variants utilize OpenSSL's AES encryption and employ intermittent encryption techniques. Before encrypting files, they adjust the file size to the nearest multiple of 16 and add 41 bytes, likely for encryption headers and metadata. BlackSuit calculates the number of bytes for intermittent encryption based on the file size and the encryption parameter provided. If the file size exceeds approximately 262KB, BlackSuit uses a value specified by the "-percent" argument; otherwise, it defaults to 100, following the same formula as the Linux version of Royal ransomware.
Following the preparation phase, both ransomware families proceed to encrypt the files using AES encryption. BlackSuit marks the encrypted files with the ".blacksuit" extension and deposits a ransom note in the affected directory, containing instructions for the victim and their unique ID.
In addition to analyzing the Linux variant, researchers have also examined a Windows 32-bit version of BlackSuit ransomware. The Windows variants of BlackSuit and Royal ransomware demonstrate significant similarities. BinDiff analysis reveals that the Windows 32-bit versions of BlackSuit and Royal exhibit a 93.2% similarity in functions, 99.3% in basic blocks, and 98.5% in jumps, indicating a strong correlation between the two ransomware families.
The Windows 32-bit variant of BlackSuit shares comparable command-line arguments with Royal ransomware, such as "-thr" to specify the number of threads and "-skip" to exclude specific directories. BlackSuit introduces its own unique arguments like "-mode" for encryption mode and "-start" to define the start directory for encryption.

*Comparison of BlackSuit & Royal ransomware (Trendmicro)*
Both BlackSuit and Royal ransomware employ similar techniques for file enumeration & encryption. They utilize OpenSSL's AES encryption algorithm and implement intermittent encryption to expedite the process. The rounding of file sizes and the addition of extra bytes for encryption headers and metadata are consistent across both variants.
After encrypting the files, BlackSuit appends the ".blacksuit" extension to the encrypted files and places a ransom note in the affected directory. This ransom note acts as a communication channel between attackers and victims, conveying instructions and the victim's unique ID. It serves as a crucial element in the interaction between the two parties involved.
While BlackSuit and Royal ransomware share distinct similarities, it is important to note that they are not identical. BlackSuit introduces modifications and additional functionalities that differentiate it from Royal ransomware, suggesting the involvement of either the same threat actors developing a new variant or the possibility of affiliates modifying the original ransomware code.
The Windows 32-bit version of BlackSuit ransomware demonstrates numerous resemblances to the Royal ransomware variant designed for Windows systems. Here are the key observations:
While BlackSuit & Royal ransomware exhibit striking similarities in terms of code, encryption techniques, command-line arguments, and targeted file types, it is important to note that they are distinct ransomware families.
However, these similarities suggest potential collaboration, shared resources, or the involvement of common threat actors behind both ransomware families.
The emergence of BlackSuit ransomware, closely related to the evolution & expansion of the notorious Royal ransomware operations. The similarities in code and functionality between BlackSuit and Royal suggest a shared origin, either from the same threat actors or affiliates with access to the Royal ransomware codebase.
Understanding the connections and similarities between different ransomware families is crucial for cybersecurity professionals and law enforcement agencies in their efforts to combat these threats effectively. By analyzing the techniques and patterns used by ransomware groups, security experts can develop mitigation strategies and assist organizations in protecting their systems and data from potential attacks.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation
| Encrypts all files. |
| -fork | -vmsyslog | Used to create fork processes and terminate watchdog timers. |
| -logs | -demonoff | Used to display terminal logs. |