Blacksuit
BlackSuit ransomware analysis: Royal's successor demanding $500M+ ransoms. Compr...
BlackSuit ransomware represents a sophisticated evolution in the ransomware landscape, emerging as the direct successor to Royal ransomware with enhanced capabilities and a more aggressive operational tempo. Since its emergence in May 2023, this threat actor—tracked by Unit 42 as "Ignoble Scorpius"—has demanded over $500 million in ransom payments, with individual demands reaching as high as $60 million. The group's technical sophistication, combined with its apparent ties to the defunct Conti ransomware operation, positions BlackSuit as one of the most significant ransomware threats currently active in the cyberthreat landscape.
## Executive Summary
BlackSuit ransomware emerged in May 2023 as a rebranding of Royal ransomware, which itself evolved from the notorious Conti cybercrime syndicate. The threat group has rapidly established itself as a major player in the ransomware ecosystem, compromising at least 93 organizations globally with a particular focus on critical infrastructure sectors including healthcare, education, and manufacturing.
The group's most notable success was the CDK Global attack in June 2024, which resulted in a reported $25 million ransom payment and disrupted approximately 15,000 automotive dealerships across North America.
The ransomware employs advanced tactics, including partial encryption techniques, double extortion methods, and sophisticated evasion capabilities that set it apart from its predecessors. BlackSuit actors demonstrate extensive technical expertise through their use of legitimate tools, custom malware, and complex attack chains that can remain in victim networks for extended periods before deploying the ransomware payload.
## Historical Context and Attribution
### Evolutionary Timeline
BlackSuit's origins trace back to the Conti ransomware-as-a-service (RaaS) operation, one of the most prolific and destructive ransomware groups in history. The evolutionary path follows a clear progression: Conti operated from approximately 2020 through early 2022, when internal conflicts and international pressure led to its fragmentation. Several successor groups emerged from Conti's dissolution, with one faction initially operating under the "Quantum" moniker before rebranding as "Royal" in September 2022.
Royal ransomware operated for approximately nine months between September 2022 and June 2023, during which time it attacked over 350 victims and demanded more than $275 million in ransom payments. The group's final major operation under the Royal brand was the attack on Dallas, Texas in May 2023, after which they began testing new encryption tools branded as "BlackSuit".
By August 2024, both the FBI and CISA officially confirmed that BlackSuit represents the evolution of Royal ransomware, sharing numerous coding similarities while demonstrating improved capabilities.
### Attribution and Geographic Nexus
Intelligence assessments indicate that BlackSuit operates as a private ransomware group without public affiliates, distinguishing it from traditional RaaS models. The group demonstrates characteristics consistent with Russian or Eastern European cybercriminal operations, including the avoidance of targets in Commonwealth of Independent States (CIS) countries and operational patterns similar to other Russian-affiliated ransomware groups.
Unit 42 researchers track the group under the codename _"Ignoble Scorpius,"_ noting that the collective likely includes experienced members from both Conti and Royal operations. This continuity of personnel explains the group's sophisticated operational security, advanced technical capabilities, and efficient attack methodologies that have enabled rapid scaling of operations since the May 2023 rebrand.
## Technical Analysis and Capabilities
### Malware Architecture and Encryption Mechanisms
BlackSuit ransomware represents a significant technical advancement over its predecessors, implementing several innovative features designed to maximize encryption speed while evading detection. The malware supports both Windows and Linux operating systems, with specialized variants targeting VMware ESXi environments—a capability that allows threat actors to encrypt entire virtualized infrastructures rapidly.
The ransomware's most distinctive technical feature is its partial encryption approach, which allows operators to specify the percentage of data within each file to encrypt.
This technique serves multiple purposes: it significantly accelerates the encryption process, reduces system resource consumption that might trigger security alerts, and still renders files completely unusable while requiring less time to complete the attack.
For larger files, BlackSuit may encrypt only 10-20% of the content, while smaller files might be fully encrypted.
The encryption implementation utilizes the Advanced Encryption Standard (AES) algorithm through [OpenSSL](https://www.secureblink.com/cyber-security-news/openssl-fixes-critical-dos-flaws) libraries, ensuring cryptographically strong encryption that is practically unbreakable without access to the decryption key.
The AES encryption keys are themselves encrypted using RSA public-key cryptography, with the private keys maintained exclusively by the threat actors.
This dual-layer approach ensures that even if security researchers obtain the encrypted files and study the ransomware binary, decryption remains impossible without the attackers' cooperation.
### Command Line Arguments and Execution Parameters
BlackSuit ransomware requires specific command-line arguments to execute, a design choice that prevents accidental or automated execution during security analysis. The mandatory parameters include:
- **--id [32-byte identifier]**: A unique identifier for each victim that corresponds to entries in the ransom note and communication URLs
- **-size**: Utilized when the ransomware is invoked through drag-and-drop operations
- **-ep [percentage]**: Specifies the percentage of each file to encrypt, enabling the partial encryption functionality
- **-path [directory]**: Targets a specific directory or drive for encryption
- **-localonly**: Restricts encryption to local drives only
- **-networkonly**: Targets only network-mounted drives and shared volumes
- **-aavm**: Encrypts all accessible files without restrictions
### System Impact and Recovery Inhibition
Prior to initiating encryption, BlackSuit implements several measures designed to maximize impact and prevent recovery. The ransomware uses Windows Restart Manager APIs to identify files currently in use by applications and terminates the associated processes to ensure complete encryption coverage.
It systematically deletes Volume Shadow Copies using the `vssadmin.exe` utility, preventing victims from recovering files through Windows' built-in restoration features.
The malware creates a distinctive mutex during execution ( `WLm87eV1oNRx6P3E4Cy9`) to prevent multiple instances from running simultaneously, and it maintains extensive whitelists of critical system files and directories to avoid rendering the infected system completely inoperable.
This approach ensures that victims can still access their computers to view ransom demands and potentially negotiate payment.
## Tactics, Techniques, and Procedures (TTPs)
### Initial Access Vectors
BlackSuit actors employ a diversified approach to initial access, with phishing campaigns representing the most common attack vector.
These campaigns typically involve sophisticated social engineering techniques, including business email compromise scenarios where attackers impersonate executives or trusted vendors.
The phishing emails often contain malicious PDF attachments or links that redirect victims to compromised websites hosting exploit kits or malware droppers.
Remote Desktop Protocol (RDP) compromise represents the second most common initial access method, accounting for approximately 13.3% of observed incidents.
Threat actors acquire RDP credentials through various means, including brute-force attacks against exposed systems, purchasing access from initial access brokers, or harvesting credentials from information-stealing malware campaigns. The group has also been observed exploiting vulnerabilities in public-facing applications, particularly in cases where organizations fail to apply security patches promptly.
### Command and Control Infrastructure
BlackSuit operations demonstrate advanced command and control (C2) capabilities that have significantly evolved from the group's Royal ransomware origins.
The primary C2 framework used is Cobalt Strike, which offers extensive post-exploitation features, including credential harvesting, lateral movement, and maintaining persistent access.
In documented cases, threat actors have been observed routing initial C2 traffic through [Cloudflare](https://www.secureblink.com/cyber-security-news/cloudflare-launches-open-e2-e-video-chat-hackers-can-t-touch) infrastructure to obscure the true location of their command servers.
The threat actors supplement Cobalt Strike with SystemBC, a proxy and backdoor tool that enables additional C2 channels and facilitates traffic proxying from external systems into the victim's network.
SystemBC deployments typically involve manual installation via SMB shares, with persistence established through Windows Registry Run keys that ensure the backdoor activates with user sessions. The group also maintains redundant communication channels using legitimate tools including SSH clients, PuTTY, [OpenSSH](https://www.secureblink.com/cyber-security-news/new-regre-ss-hion-critical-open-ssh-vulnerability-allows-root-access-on-linux), and MobaXterm for encrypted communications.
### Credential Access & Privilege Escalation
BlackSuit actors demonstrate extensive expertise in credential harvesting and privilege escalation techniques that enable rapid network compromise. The group routinely deploys Mimikatz, the widely-used credential dumping tool, to extract plaintext passwords, NTLM hashes, and Kerberos tickets from system memory. They supplement this with NanoDump, a specialized tool for creating memory dumps of the Local Security Authority Subsystem Service (LSASS) process without triggering many security products.
In Active Directory environments, threat actors employ sophisticated attacks, including DCSync operations that enable them to request password hashes for any domain account, thereby compromising the entire domain. They extract the NTDS.dit file using the ntdsutil utility, providing offline access to all domain credentials.
The group also utilizes Rubeus for Kerberos-based attacks, including AS-REP roasting and Kerberoasting techniques to crack service account passwords.
### Lateral Movement and Network Propagation
Once initial access is established, BlackSuit actors move systematically through victim networks using a combination of legitimate administrative tools and custom malware. Remote Desktop Protocol serves as the primary lateral movement mechanism, with threat actors using compromised administrative credentials to access additional systems throughout the network.
They supplement RDP access with PsExec deployments that enable remote command execution and file transfer capabilities.
The group demonstrates particular expertise in manipulating Group Policy Objects (GPOs) to facilitate network-wide changes, including the disabling of security software across entire domains. They maintain detailed network maps using tools such as SharpShares for enumerating network shares and SoftPerfect NetWorx for bandwidth monitoring and network reconnaissance.
ADFind offers comprehensive Active Directory enumeration capabilities, enabling threat actors to identify high-value targets and comprehend the network architecture before deploying ransomware payloads.
## Victim Targeting and Industry Analysis
### Sector Distribution and Geographic Focus
BlackSuit ransomware operations demonstrate a broad targeting approach across multiple industry sectors, with a hefty emphasis on critical infrastructure and high-value targets.
Educational institutions constitute the largest victim category, representing 13.9% of confirmed attacks, followed closely by the construction sector (12.5%) and manufacturing (11.1%). This targeting pattern likely reflects both the sector's relative vulnerability to cyberattacks and the potential for significant operational disruptions that increase the likelihood of ransom payments.
**Industry targeting distribution of BlackSuit ransomware showing education, construction, and manufacturing as primary targets**
Healthcare organizations represent 8.3% of BlackSuit victims, continuing a troubling trend of ransomware groups targeting medical facilities despite potential life-safety implications.
Government entities and non-profit organizations each account for 5.6% of attacks, while technology, transportation, and logistics sectors show similar victimization rates.
The remaining 22.2% of victims span various other industries, demonstrating the group's opportunistic approach to target selection.
Geographically, BlackSuit operations show a strong focus on United States-based organizations, with the majority of confirmed victims located in North America.
This geographic concentration likely reflects both the prevalence of high-value targets in the U.S. market and the group's apparent exemption of Commonwealth of Independent States countries from targeting—a characteristic common among Russian-affiliated cybercrime groups.
### Financial Impact and Ransom Economics
BlackSuit's financial impact on victim organizations extends far beyond direct ransom payments, encompassing operational disruption, data recovery costs, regulatory penalties, and long-term reputational damage.
Unit 42 research indicates that the group's initial ransom demands typically equal approximately 1.6% of the victim organization's annual revenue, with the median victim generating roughly $19.5 million in yearly revenue.
This targeting strategy suggests sophisticated pre-attack reconnaissance to identify financially viable targets capable of paying substantial ransoms.
Individual ransom demands have ranged from approximately $1 million to $60 million, with the majority falling between $1-$10 million.
The CDK Global incident represents the largest confirmed payment, with reports indicating a $25 million Bitcoin transfer to resolve the attack.
Arete Incident Response data shows significant variation in actual payments compared to initial demands, with their engagements averaging $2.5 million in initial demands. Still, only $500,000 in actual payments, suggesting successful negotiation strategies can substantially reduce final costs.
## Notable Incidents and Case Studies
### CDK Global Attack: Critical Infrastructure Impact
The June 2024 attack on CDK Global represents BlackSuit's most significant and publicly visible operation to date. CDK Global provides dealer management systems, customer relationship management tools, and financing platforms to approximately 15,000 automotive dealerships across North America.
The attack began on June 18, 2024, and resulted in a complete shutdown of CDK's systems, forcing dealerships nationwide to revert to manual, paper-based operations.
The attack's impact cascaded throughout the automotive industry, with major dealership chains including Lithia Motors, Group 1 Automotive, Penske Automotive, and Sonic Automotive reporting significant operational disruptions.
Industry analysts estimated that the outage could result in approximately 100,000 fewer vehicle sales in June 2024, representing a decrease of more than 7% compared to the same period in 2023.
The attack also disrupted parts ordering, service scheduling, and customer financing operations across the affected dealerships.
CDK Global's response included a systematic, phased restoration approach, beginning with smaller dealership groups on June 22 and gradually expanding coverage throughout the following weeks. The company reportedly paid a $25 million ransom in Bitcoin to BlackSuit operators, though this payment was not publicly confirmed.
Full-service restoration was completed by July 4, 2024, nearly three weeks after the initial incident.
### Connexure of Healthcare Data Exposure
In April 2024, BlackSuit successfully compromised Connexure (formerly Young Consulting), an Atlanta-based software company serving the healthcare and insurance industries. The attack resulted in the exposure of sensitive personal information belonging to approximately 950,000 individuals, making it one of the most significant healthcare-related data breaches attributed to BlackSuit.
The compromised data included Social Security numbers, full names, dates of birth, insurance claim details, financial reports, medical records, employee passport numbers, family information, contracts, and business agreements. Despite negotiations between Connexure management and BlackSuit operators, no agreement was reached regarding ransom payment. In August 2024, BlackSuit began releasing portions of the stolen data on their leak site, following through on their extortion threats.
Connexure's response included offering free credit monitoring services to affected individuals through Cyberscout, which will be available through November 2024. The company also reported the incident to law enforcement agencies and initiated efforts to restore encrypted data from backup systems.
This case demonstrates BlackSuit's commitment to its double extortion model, where data publication serves as both a punishment for non-payment and an advertisement of its capabilities to potential future victims.
## Infrastructure and Operations Analysis
### Command and Control Architecture
BlackSuit operations utilize a sophisticated, multi-layered command and control infrastructure designed to maintain persistent access while evading detection and disruption efforts. The primary C2 framework relies on Cobalt Strike beacons, which provide comprehensive post-exploitation capabilities, including file transfer, command execution, and credential harvesting.
Threat actors have been observed routing C2 traffic through CloudFlare services initially, before transitioning to Amazon Web Services infrastructure mid-intrusion to avoid potential disruption.
The group maintains redundant communication channels through SystemBC deployments, which serve as both backup C2 infrastructure and SOCKS proxies for routing additional tools and malware. SystemBC configurations are typically stored in plaintext within the compiled executables, allowing security researchers to extract C2 server information and listening ports during malware analysis. The persistence mechanisms for SystemBC include Windows Registry Run keys and scheduled tasks, which ensure automatic execution following system restarts.
### Data Exfiltration and Storage
BlackSuit actors employ a multi-stage approach to data exfiltration that maximizes both the volume of stolen data and the operational security of the theft process. Initial exfiltration typically routes through U.S.-based IP addresses, which are likely to blend in with legitimate traffic patterns and avoid triggering geographic-based security alerts. The group utilizes both custom malware and legitimate cloud storage services for data aggregation and transfer.
RClone, a legitimate cloud storage synchronization tool, serves as the primary exfiltration mechanism, often renamed to evade security products (such as "svchost.exe"). The group also leverages Ursnif/Gozi banking malware variants for data collection and staging, demonstrating their ability to repurpose existing malware tools for ransomware operations. Brute Ratel, a commercial penetration testing framework, provides additional exfiltration capabilities and has been observed in recent BlackSuit operations.
### Leak Site Operations and Victim Communication
BlackSuit maintains a professionally designed leak site accessible through Tor networks, where they publish victim information and stolen data to pressure non-paying organizations. The site features a dark theme with precise categorization of victims by industry and attack date, along with countdown timers indicating when additional data will be released. The group uses this platform both to intimidate victims and as a marketing tool to showcase their capabilities to potential future targets.
Communication with victims occurs through encrypted channels accessible via Tor browsers, with unique identifiers linking each victim to their specific communication portal. Recent operations have demonstrated an increase in direct communication attempts, including telephone calls and email contacts with victim organizations, indicating a shift from solely digital communication methods. These direct interactions often involve threats of data publication, regulatory notifications, and contact with business partners or customers if ransom demands are not fulfilled.
## Detection and Defensive Measures
### Indicators of Compromise (IOCs)
CISA's comprehensive advisory provides extensive indicators of compromise for BlackSuit operations, including over 90 unique IOCs spanning file hashes, IP addresses, domain names, and behavioral indicators. Critical file-based indicators include the ransomware's distinctive file extension (.blacksuit), ransom note filename (readme.BlackSuit.txt), and the unique mutex string (WLm87eV1oNRx6P3E4Cy9) created during execution.
Network-based indicators encompass command and control infrastructure associated with both historical Royal operations and current BlackSuit activities[8]. Recent IOCs include IP addresses such as 143.244.146.183:443 (SOCKS proxy), 45.141.87.218:9000 (SecTopRAT), and 89.251.22.32 (Cobalt Strike). Domain indicators include both direct C2 infrastructure and compromised websites used for initial payload delivery.
Behavioral indicators emphasize the group's unique operational patterns, including their use of partial encryption, specific command-line arguments, and integration with legitimate administrative tools. The CISA advisory features YARA rules specifically crafted to detect BlackSuit activity, focusing on characteristic strings, import functions, and code patterns that set BlackSuit apart from other ransomware families.
### YARA Detection Rules
The [FBI](https://www.secureblink.com/cyber-security-news/ransomware-targeting-casinos-via-3rd-party-gaming-vendors-fbi-warns) and [CISA](https://www.secureblink.com/cyber-security-news/cisa-warns-u-s-federal-agencies-to-secure-systems-against-actively-exploited-vulnerabilities-in-cisco-and-windows-systems-1) have released comprehensive YARA rules for detecting BlackSuit ransomware, incorporating both static analysis signatures and behavioral detection patterns.
The rules focus on several key characteristics: the presence of the "readme.BlackSuit.txt" string in both ASCII and wide character formats, RSA public key strings used for encryption key protection, and unusual debug strings specific to BlackSuit binaries.
Advanced detection rules target the ransomware's code obfuscation techniques, including functions that unscramble DLL import names to evade static analysis tools.
Additional signatures identify RSA function calls with specific parameter patterns and XOR decoder loops that BlackSuit uses for string decryption and anti-analysis purposes.
These rules have been validated against known BlackSuit samples and are regularly updated as new variants are discovered.
### Sigma Detection Rules and SIEM Integration
Security operations teams can leverage Sigma rules explicitly developed for BlackSuit detection, which are available through platforms such as SOC Prime's Threat Detection Marketplace.
These rules target various stages of the BlackSuit attack lifecycle, from initial access through ransomware deployment, and are compatible with over 30 SIEM, EDR, and data lake solutions.
Key Sigma rules focus on detecting SystemBC backdoor deployment, Cobalt Strike beacon execution, credential dumping activities using Mimikatz, and the characteristic PowerShell scripts employed by BlackSuit operators. Additional rules monitor for suspicious file encryption activities, shadow copy deletion events, and the creation of ransom notes in multiple directories. These behavioral detection capabilities are crucial for identifying BlackSuit operations before ransomware is deployed.
### Mitigation Strategies and Best Practices
CISA recommends a comprehensive defense-in-depth approach specifically tailored to counter BlackSuit's known attack vectors and techniques. Priority mitigation measures include implementing robust backup and recovery procedures with offline storage components that cannot be accessed from network-connected systems. Organizations should enforce multi-factor authentication for all administrative accounts and critical systems, with a particular focus on VPN access points and remote desktop services.
Network segmentation represents a critical defensive measure, as BlackSuit actors rely heavily on lateral movement to maximize their impact. Organizations should implement strict access controls based on the principle of least privilege, regularly audit administrative permissions, and deploy endpoint detection and response (EDR) solutions with behavioral analysis capabilities. Email security measures should include advanced threat protection, user training programs that focus on recognizing phishing, and policies that restrict the execution of macros in Office documents.
## Current Threat Landscape and Future Projections
### 2024-2025 Activity Trends
BlackSuit operations have demonstrated a significant escalation in both frequency and sophistication throughout 2024, with Unit 42 researchers documenting a notable ramp-up beginning in March 2024. The group has maintained consistent activity levels, with peak months showing up to 10 victim posts on their leak site.
This sustained operational tempo suggests that the group has established stable infrastructure, reliable revenue streams, and effective operational security practices, enabling continued operations despite law enforcement attention.
The broader ransomware landscape continues to show growth, with 2024 experiencing a 213% increase in total leak site posts compared to the first quarter of 2023, reaching 2,314 listed victims across all ransomware groups. Average ransom payments in Q3 2024 reached $479,237, with median costs of $200,000, indicating the continued financial viability of ransomware operations.
These trends suggest that BlackSuit and similar groups will continue expanding operations in response to demonstrated profitability.
Recent analysis suggests that BlackSuit has begun targeting organizations that withdrew their operations from Russia following the 2022 invasion of Ukraine, indicating potential geopolitical motivations beyond pure financial gain. This targeting pattern aligns with broader trends among Russian-affiliated ransomware groups and may indicate coordination with or tolerance from Russian state entities.
### Evolution of Tactics and Capabilities
BlackSuit's technical capabilities continue evolving, with recent samples showing enhanced obfuscation techniques and improved evasion capabilities]. The group has begun incorporating legitimate software masquerading, including false watermarking to appear as components of known antivirus products, such as Qihoo 360.
These anti-analysis improvements have significantly reduced detection rates for newer BlackSuit samples compared to earlier versions.
The group's operational security has also improved, with evidence of more sophisticated victim reconnaissance, targeted spear-phishing campaigns, and strategic timing of attacks to maximize impact. BlackSuit actors now commonly perform extensive pre-attack research to understand victim networks, backup procedures, and potential ransom payment capabilities before initiating compromise attempts.
Supply chain attacks represent an emerging vector for BlackSuit operations, with the group demonstrating the ability to compromise managed service providers and third-party software vendors, thereby gaining access to multiple downstream victims simultaneously. This strategy amplifies the potential impact of individual operations while minimizing the group's resource expenditure per victim.
BlackSuit ransomware represents a mature, well-resourced threat actor that combines sophisticated technical capabilities with proven operational experience gained from years of ransomware operations under previous identities. The group's evolution from Conti through Royal to BlackSuit demonstrates adaptability, resilience, and a strong commitment to maintaining operations despite law enforcement disruption efforts and industry defensive improvements.
Organizations across all sectors should implement comprehensive defensive measures specifically designed to counter BlackSuit's known attack vectors and techniques. Priority recommendations include maintaining offline backup systems with regular testing and verification procedures, implementing network segmentation to limit lateral movement opportunities, and deploying behavioral detection capabilities that can identify ransomware activities before encryption begins.
The threat posed by BlackSuit extends beyond immediate ransomware deployment to encompass data theft, operational disruption, and potential exposure of intellectual property or sensitive personal information. Organizations must prepare for the possibility of double extortion scenarios, where paying a ransom does not guarantee data confidentiality or prevent the publication of stolen information.
Given BlackSuit's demonstrated persistence, technical sophistication, and significant financial success, security professionals can anticipate that the group's capabilities will continue to evolve and its operations will expand throughout 2025 and beyond. Proactive defense measures, comprehensive incident response planning, and regular security assessments are essential components of an effective defense strategy against this advanced persistent threat.
