Heimdal


The Royal ransomware gang has begun testing BlackSuit, a new encryptor that closely resembles the encryptor the gang already uses in its operations.

Following the shutdown of the infamous Conti operation in June 2022, Royal emerged in January 2023 as its apparent successor.

The private ransomware operation known as Royal Ransomware consists of skilled pentesters, affiliates from ‘Conti Team 1,’ and recruits from other ransomware gangs focusing on enterprises. The APT group has gained notoriety as one of the most prolific operations, carrying out numerous targeted attacks on businesses.

BlackSuit Testing

In late April, rumors started circulating about the Royal ransomware operation preparing to adopt a fresh identity. This speculation gained momentum following their attack on the City of Dallas, Texas.

In May, a new ransomware operation called BlackSuit emerged, employing its own distinctive encryptor and Tor negotiation sites. It was initially speculated that this could be the rebranded version of the Royal ransomware group.

However, Royal continues to engage in ongoing attacks against enterprises, occasionally utilizing the BlackSuit variant in limited attacks.

As per BleepingComputer, it is possible that Royal is simply testing a new encryptor, as it has done with other tools used by the group, including a new loader, IcedID, and a revived Emotet.

A recent report highlights striking resemblances between the BlackSuit and Royal Ransomware encryptors, rendering it difficult to argue that BlackSuit is indeed a fresh ransomware operation.

These resemblances include shared command-line arguments, similarities in code structure, the same exclusions of certain files from encryption, and comparable intermittent (partial-file) encryption techniques.

Although the specific intentions for BlackSuit remain unclear, it is currently being actively employed in a limited number of cyberattacks. On their data leak site, the operation lists one victim, but if the new encryptor is heavily used, that could quickly change.

The complete comparison can be found here.


Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER
