CISA, FBI Issue Updated Warning Confirming Royal Ransomware Has Rebranded as BlackSuit

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about the BlackSuit ransomware group, which CISA and the FBI have today confirmed is a rebrand of Royal ransomware, a group responsible for many attacks on healthcare organizations.

CISA and the FBI first issued a warning about the Royal ransomware group in March 2023 and updated the alert in November 2023 to include new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs). The latest update confirms that, not for the first time, the ransomware group has rebranded. Members of the group are believed to have been part of the Conti ransomware operation, a highly professional and extremely prolific ransomware group that ceased operations in the summer of 2022 and split into several smaller groups.

Royal ransomware first appeared in September 2022, but the members of the group are believed to have split from Conti in early 2022, when they started out on their own under the name Zeon. Initially, the group used third-party encryptors before developing its own encryptor in 2022, when it rebranded as Royal. The group rapidly grew into one of the most prolific ransomware operations, even temporarily replacing LockBit as the most prolific ransomware group in November 2022, when it added 43 new victims to its data leak site. In December 2022, the Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note about the group and a warning after several ransomware attacks on the healthcare and public health (HPH) sector. Revenetics, Morris Hospital & Healthcare Centers, and OctaPharma have all fallen victim to Royal ransomware attacks.

Royal remained one of the most prolific ransomware groups for two years until the attack on the City of Dallas, TX in June 2023. Following that attack, the group started using a new encryptor called BlackSuit. CISA and the FBI are confident that BlackSuit is a rebrand due to several coding similarities with Royal ransomware. Royal ransomware attacks also stopped at the same time that BlackSuit emerged. HC3 issued its first warning about the new BlackSuit ransomware group in November 2023.

BlackSuit is a highly capable private ransomware group rather than a ransomware-as-a-service operation. It engages in double extortion: sensitive data is stolen before files are encrypted, and victims are required to pay both for the keys to decrypt their files and to prevent the stolen data from being leaked. The change is more than a new name, as BlackSuit has a number of improved capabilities over its predecessor. BlackSuit uses several methods for initial access, including Remote Desktop Protocol (RDP), exploitation of vulnerabilities in public-facing applications, and initial access brokers, but the most successful method of initial access has been phishing emails.

After gaining initial access, the group disables antivirus software and uses RDP, PsExec, and SMB for lateral movement. Legitimate remote monitoring and management (RMM) software is used to maintain persistence, and the SystemBC and Gootloader malware families are used to load additional tools and also provide persistence. SharpShares and SoftPerfect NetWorx are used to enumerate victim networks, Mimikatz and NirSoft password harvesting tools are used for credential theft, and PowerTool and GMER are used to kill system processes. The group is known to use penetration testing tools such as Cobalt Strike and a host of malware tools, including Ursnif/Gozi for data aggregation and exfiltration.
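The behaviours listed above (PsExec-based lateral movement, RDP fan-out from one source, execution of the named credential-theft and process-killing tools, and antivirus tampering) all leave traces in standard Windows event logs. The following is an added example of how a defender might encode them as simple detection rules; it is not code from CISA, the FBI, or The HIPAA Journal. The event records are constructed sample data with assumed field names (`host`, `event_id`, `service_name`, `logon_type`, `src_ip`, `image`, `channel`) in the shape a SIEM would normalise from the Security, System, and Windows Defender operational logs; the tool file names and the fan-out threshold are assumptions, since real samples are frequently renamed.

```python
"""Toy detection rules for post-compromise behaviours described in the
CISA/FBI BlackSuit advisory, run over constructed Windows event records.

Event IDs used (all standard Windows IDs):
  7045  System log: a new service was installed (PsExec creates PSEXESVC)
  4624  Security log: successful logon; logon_type 10 = RemoteInteractive (RDP)
  4688  Security log: new process created
  5001  Microsoft-Windows-Windows Defender/Operational: real-time protection disabled
"""
from collections import defaultdict

# Assumed threshold: one source IP opening RDP sessions to this many distinct
# hosts in the analysed window is treated as lateral-movement fan-out.
RDP_FAN_OUT_THRESHOLD = 3

# Tools named in the article; the executable names are assumptions.
KNOWN_TOOL_NAMES = {"mimikatz.exe", "gmer.exe", "powertool.exe", "sharpshares.exe"}

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws01", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.5"},
    {"host": "ws02", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.5"},
    {"host": "ws03", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.5"},
    {"host": "ws02", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.9"},  # benign: one host
    {"host": "ws02", "event_id": 4624, "logon_type": 2, "src_ip": "10.0.0.9"},   # console logon, ignored
    {"host": "srv01", "event_id": 4688, "image": r"C:\Users\Public\mimikatz.exe"},
    {"host": "srv01", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "srv01", "event_id": 5001, "channel": DEFENDER_CHANNEL},
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Evaluate every rule over the event list and return a list of alerts.

    Each alert is a dict with 'rule', 'host' (the affected host, or the source
    IP for rdp_fan_out) and a free-form 'detail' string.
    """
    alerts = []
    rdp_targets = defaultdict(set)  # src_ip -> set of hosts reached over RDP

    for e in events:
        eid = e.get("event_id")
        if eid == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            # PsExec installs its helper service on the remote host.
            alerts.append({"rule": "psexec_service_install",
                           "host": e["host"], "detail": e.get("image", "")})
        elif eid == 4624 and e.get("logon_type") == 10:
            rdp_targets[e["src_ip"]].add(e["host"])
        elif eid == 4688 and basename(e.get("image", "")) in KNOWN_TOOL_NAMES:
            alerts.append({"rule": "known_tool_execution",
                           "host": e["host"], "detail": basename(e["image"])})
        elif eid == 5001 and e.get("channel") == DEFENDER_CHANNEL:
            alerts.append({"rule": "realtime_protection_disabled",
                           "host": e["host"], "detail": ""})

    # Fan-out is a cross-event rule, so it is evaluated after the single pass.
    for src_ip, hosts in rdp_targets.items():
        if len(hosts) >= RDP_FAN_OUT_THRESHOLD:
            alerts.append({"rule": "rdp_fan_out", "host": src_ip,
                           "detail": ",".join(sorted(hosts))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']} {alert['detail']}")
```

Run stand-alone, the sample data produces four alerts: the PsExec service install on ws01, the RDP fan-out from 10.0.0.5 to ws01, ws02, and ws03, the Mimikatz execution on srv01, and the Defender real-time protection change on srv01; the single RDP logon from 10.0.0.9 and the console logon stay below the threshold. In production the same rules would read from a SIEM rather than an inline list, and the tool-name match would be complemented by hash or behavioural indicators from the advisory's IoC list, since renaming the binary defeats a name-only match.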

Despite only being in operation for a year, BlackSuit has already demanded ransom payments in excess of $500 million, with individual ransom demands typically in the region of $1 million to $10 million. The largest single ransom demand was a staggering $60 million. As with many other ransomware groups, victims must first make contact with the group to find out how much they must pay for the decryption keys and to prevent the publication of their data. While the group is known to issue very large ransom demands, it appears willing to negotiate with victims and accept a lower payment. Nonpayment results in the publication of the stolen data; however, paying a ransom is no guarantee that the stolen data will be deleted or that working decryption keys will be provided.

CISA and the FBI have shared TTPs and IoCs associated with BlackSuit in the latest alert along with a list of recommended mitigations. Given the extent to which the group has targeted healthcare organizations, the alert is essential reading for network defenders, who should strongly consider implementing all recommended mitigations if they have not done so already.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
