THREAT ACTOR: BlackSuit
THREAT LEVEL: 5
EMERGENCE DATE: Apr 2023
CATEGORY: Independent Ransomware Operation
AFFILIATIONS: Royal ransomware (predecessor), Conti heritage

Description

BlackSuit ransomware emerged in May 2023 as a rebrand of Royal ransomware, operating as a private group rather than a Ransomware-as-a-Service (RaaS). Building on Royal's double extortion tactics and evasion techniques, the group accumulated over $500 million in total ransom demands, with individual demands reaching $60 million. The operation shared roughly 98% of its code with Royal and traced its lineage back through the Conti syndicate.

Criticality: assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.
Lethality: evaluates the potential for damage from an attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
Aggressiveness: assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Ransomware Operation

Operating as a Closed Ransomware Operation, BlackSuit maintained centralized control without affiliate infrastructure or revenue sharing. The group demonstrated 98% code overlap with Royal ransomware and traced its lineage back through the Conti syndicate, inheriting proven operational methodologies and technical capabilities.

This model enabled full profit retention and direct victim engagement through aggressive negotiation tactics, including phone calls and emails. Technical improvements over Royal included 50% faster encryption speeds and enhanced exfiltration capabilities across Windows, Linux, and VMware ESXi environments, distinguishing BlackSuit from traditional RaaS operations.

Current Status: Infrastructure seized by international law enforcement in July 2025 as part of Operation Checkmate, with domains and servers taken offline and cryptocurrency assets frozen.


Origins and Methodology

Representing a calculated evolution in ransomware operations, BlackSuit demonstrated the ransomware ecosystem's adaptability through strategic rebranding. The group's emergence from Royal operations indicated the threat actors' ability to maintain continuity while evading law enforcement attention.

Technical heritage from the Conti syndicate provided proven attack methodologies, including systematic data exfiltration before encryption and aggressive negotiation tactics. The closed operational model eliminated affiliate-related security risks while enabling rapid tactical adaptation.

What is the Evolution of BlackSuit Ransomware?
1. Formation

The group branched off from Royal in May 2023, carrying over core functionality and operational procedures. Technical improvements included 50% faster encryption speeds and enhanced multi-platform capabilities. Initial targets demonstrated continuity with Royal's victim selection, focusing on organizations with limited incident response capabilities and cyber insurance coverage.

2. Evolution

Integration of SystemBC, Brute Ratel, and RClone built upon existing capabilities to expand persistence and exfiltration functionality. The group refined negotiation strategies through direct victim contact, including phone calls and email correspondence. Infrastructure evolution incorporated distributed command servers across multiple jurisdictions, complicating takedown efforts until the eventual July 2025 law enforcement action.

3. Lineage/Connections

The Royal-to-BlackSuit evolution carried forward the Conti syndicate's operational playbook, including double extortion methodology and enterprise-focused targeting. The 98% code overlap with Royal revealed minimal technical divergence, suggesting rebranding rather than substantial innovation. Personnel continuity from Conti through Quantum, Royal, and BlackSuit represented one of ransomware's most persistent operational lineages.

Which Unique Techniques Does BlackSuit Use?

Emerging from experienced operators with proven methodologies, BlackSuit employed multi-vector attack strategies refined through the Royal and Conti lineages.

Technique: Infection Vectors

Primary access occurs through phishing campaigns carrying malicious PDF attachments or links. RDP compromise accounts for 13.3% of incidents, typically through credential stuffing and brute force attacks. Initial Access Brokers provide network entry, while trojanized software downloads and malicious advertisements expand the attack surface.

The group leverages public-facing application exploits (T1190) and valid accounts (T1078) obtained from underground markets.

Technique: Target Selection

Strategic focus centers on critical infrastructure and organizations with operational continuity requirements. United States water utilities face particular targeting, alongside education, construction, and manufacturing sectors.

Geographic concentration spans North America and Europe, with emerging campaigns in Asia-Pacific regions where security maturity varies significantly.

Technique: Operational Complexity

Pre-deployment reconnaissance utilizes SharpShares, AdFind, and SoftPerfect NetWorx for comprehensive network mapping. Cobalt Strike beacons enable lateral movement alongside Mimikatz for credential harvesting.

PowerShell scripts systematically disable security controls before ransomware deployment, demonstrating advanced understanding of enterprise defense mechanisms.

Key Features & Technical Details

Architectural features enabled rapid encryption while evading modern endpoint detection systems.

Encryption Method: AES-256 via OpenSSL libraries, with configurable partial (intermittent) encryption to trade completeness for speed
File Extension: .blacksuit appended to encrypted files
Ransom Note: README.BlackSuit.txt dropped in affected directories
Double Extortion: file encryption combined with data theft; threat to publish on the leak site within 72 hours
Communication Channels: Tor-based negotiation portals with backup SOCKS proxy infrastructure
Deployment Speed: typically about 24 hours from initial access to encryption
Payment Method: Bitcoin only; demands from $1 million to $60 million
Operational Model: private group with direct victim contact via phone and email

Activities

BlackSuit recorded significant activity throughout 2024, with 20 incidents documented in Q4 2024 alone targeting critical infrastructure. International law enforcement seized BlackSuit's infrastructure in July 2025 as part of Operation Checkmate, taking control of negotiation and data leak sites while freezing over $1M in cryptocurrency assets.

Which Industries Are Most Vulnerable to BlackSuit?

The education sector topped BlackSuit's target list due to limited security budgets and valuable research data. Healthcare organizations faced severe operational impacts from encryption, with patient care systems frequently targeted for maximum pressure.

Critical infrastructure entities, particularly in energy and utilities, experienced systematic targeting due to their essential services and payment capacity. Manufacturing and professional services rounded out primary victims, where operational disruption translated directly to revenue loss.

Modus Operandi

The threat actor's attack methodology reflected years of operational refinement inherited from the Royal and Conti playbooks, as the group carried out multi-stage attacks with precision.

Initial Access

Leveraging phishing emails with malicious PDF attachments (T1566.001) and links (T1566.002), the group exploited public-facing applications (T1190) and used valid accounts (T1078) built from compromised credentials. Exposed Remote Desktop Protocol and VPN appliances (external remote services, T1133) served as further entry vectors.

Discovery

Network mapping and high-value target identification employed SharpShares, AdFind, and SoftPerfect NetWorx to enumerate shares and domain structures. BloodHound facilitated privilege escalation path discovery, while custom scripts identified backup systems for targeted destruction.

Remote Access Tooling

Deploying SystemBC backdoor for persistent access, the group established Cobalt Strike beacons across compromised networks. Brute Ratel provided advanced evasion capabilities, while AnyDesk and TeamViewer enabled legitimate-appearing remote access.

Defense Evasion

DLL side-loading techniques bypassed application whitelisting, while safe mode operation circumvented security controls. The group modified Windows Defender settings and terminated security processes using BYOVD (Bring Your Own Vulnerable Driver) techniques for kernel-level access.

Credential Access

Mimikatz deployment harvested credentials from memory, while LaZagne extracted stored passwords. LSASS dumping through ProcDump provided additional credential material. Kerberoasting attacks targeted service accounts for offline cracking.

Command and Control

SOCKS proxy infrastructure at 143.244.146.183:443 provided primary communication channels. CloudFlare tunneling obscured command traffic, while DNS over HTTPS evaded network monitoring. Backup C2 servers across multiple jurisdictions ensured operational resilience.

Lateral Movement

RDP hopping leveraged harvested credentials for network traversal. SMB exploitation and PsExec-based propagation spread ransomware payloads. Windows Management Instrumentation (WMI) enabled stealthy remote execution across domain-joined systems.

Exfiltration

Tools including RClone, Brute Ratel, MegaSync, and custom Qt-based utilities extracted sensitive data before encryption. CloudFlare Workers and AWS S3 buckets served as staging infrastructure. Bandwidth throttling avoided detection during multi-terabyte transfers.

Persistence

Creating scheduled tasks and modifying registry keys for autostart ensured survival across reboots. WMI event subscriptions provided fileless persistence, while Group Policy modifications maintained network-wide access.
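The three persistence mechanisms just listed each leave a distinct Windows telemetry trace: a process creation for schtasks /create, a registry write to a Run/RunOnce or Winlogon value, and Sysmon's WMI events 19 (filter), 20 (consumer) and 21 (binding). The hunt below, an added example rather than code from the page's source, maps constructed Sysmon-style events to findings and rates them by whether the payload lives in a staging directory such as ProgramData or Temp. Field names follow Sysmon's schema; the events, the staging-directory list and the severity rules are the editor's assumptions.

```python
"""Hunt for BlackSuit-style persistence (T1053.005, T1547.001, T1546.003) in
Sysmon-style events. Added example; the events below are constructed."""
import re

# Autostart registry locations worth alerting on when written (Sysmon event 13).
RUN_KEY_RE = re.compile(r"\\(CurrentVersion\\Run(Once)?|Winlogon\\(Shell|Userinit))\b", re.I)
# Payload locations typical of dropped tooling rather than installed software (assumption).
STAGING_DIR_RE = re.compile(r"\\(ProgramData|Users\\Public|Temp|AppData\\Local\\Temp)\\", re.I)
# The /tr argument of schtasks is the command the task runs.
TASK_ACTION_RE = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)

# Constructed events; field names follow Sysmon's schema.
EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /sc onlogon /tn \"Update\" /tr C:\\ProgramData\\svc.exe /ru SYSTEM /f"},
    {"EventID": 13, "Computer": "FS01",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "Details": "C:\\ProgramData\\svc.exe"},
    {"EventID": 13, "Computer": "WS22",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
    {"EventID": 19, "Computer": "FS01", "Name": "evtFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Computer": "FS01", "Name": "evtConsumer", "Type": "Command Line",
     "Destination": "C:\\Windows\\System32\\cmd.exe /c C:\\ProgramData\\svc.exe"},
    {"EventID": 21, "Computer": "FS01",
     "Consumer": "CommandLineEventConsumer.Name=\"evtConsumer\"",
     "Filter": "__EventFilter.Name=\"evtFilter\""},
    {"EventID": 1, "Computer": "WS22", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /query /tn \"Update\""},
]


def finding(host, rule, technique, payload, sev):
    return {"host": host, "rule": rule, "technique": technique, "payload": payload, "severity": sev}


def severity(payload):
    """High when the thing that will run lives in a staging directory, else medium."""
    return "high" if STAGING_DIR_RE.search(payload) else "medium"


def classify(ev):
    """Map one event to a finding, or None if it is not a persistence write."""
    eid, host = ev["EventID"], ev["Computer"]
    if eid == 1:  # process creation: only schtasks /create with a run target is a write
        cmd = ev.get("CommandLine", "")
        m = TASK_ACTION_RE.search(cmd)
        if "schtasks" in ev.get("Image", "").lower() and "/create" in cmd.lower() and m:
            payload = m.group(1).strip('"')
            return finding(host, "scheduled_task_created", "T1053.005", payload, severity(payload))
    elif eid == 13:  # registry value set under an autostart key
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            payload = ev.get("Details", "")
            return finding(host, "autostart_key_written", "T1547.001", payload, severity(payload))
    elif eid == 19:  # WMI event filter: the trigger condition
        return finding(host, "wmi_filter_created", "T1546.003", ev.get("Query", ""), "medium")
    elif eid == 20:  # WMI consumer: what runs when the filter fires
        payload = ev.get("Destination", "")
        return finding(host, "wmi_consumer_created", "T1546.003", payload, severity(payload))
    elif eid == 21:  # filter-to-consumer binding: the subscription is now live
        return finding(host, "wmi_subscription_bound", "T1546.003",
                       f'{ev.get("Filter", "")} -> {ev.get("Consumer", "")}', "high")
    return None


def hunt(events):
    return [f for f in map(classify, events) if f]


def hosts_with_active_persistence(findings):
    """Hosts carrying at least one high-severity persistence finding."""
    return {f["host"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    results = hunt(EVENTS)
    for f in results:
        print(f'{f["severity"]:6} {f["host"]} {f["rule"]} ({f["technique"]}): {f["payload"]}')
    print("hosts with active persistence:", sorted(hosts_with_active_persistence(results)))
```

Event 21 is rated high regardless of payload location because a bound subscription is already executing on the filter's schedule; events 19 and 20 on their own are staging steps. The OneDrive Run key on WS22 shows why the staging-directory check matters: autostart writes are common, and the payload path is what separates dropped tooling from installed software.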

Impact

Critical file encryption using AES-256 algorithms rendered systems inoperable. Volume shadow copy deletion prevented recovery, while backup system targeting eliminated restoration options. Service disruptions averaged 21 days with complete recovery extending to 45 days for complex environments.

Encryption

Deploying AES-256 encryption via OpenSSL libraries, the ransomware implemented configurable partial encryption for rapid file locking. Multi-threading accelerated encryption across network shares, while safe mode deployment bypassed active security controls.

Extortion and Negotiation

Direct victim contact via phone and email accelerated negotiation timelines. Partner and customer notification threats increased pressure, while 72-hour deadlines for initial contact created urgency. Progressive data release schedules maintained negotiation leverage throughout discussions.

Anti-Recovery and Anti-Forensics

Executing vssadmin.exe delete shadows eliminated recovery options. BCDEdit modifications prevented safe mode recovery, while Windows Event Log clearing obscured forensic evidence. Cipher.exe overwrote deleted files to prevent recovery.

Indicators of Compromise (IOCs)

Key indicators helped identify BlackSuit operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns.

File Hashes

SHA256: a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526 (primary ransomware binary)
SHA256: 921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae (SystemBC backdoor component; a 64-hex-character digest is SHA-256, not MD5)

IP Addresses

89.251.22.32 (Cobalt Strike C2)
143.244.146.183:443 (SOCKS proxy infrastructure)
45.141.87.218 (Arechclient2/SecTopRAT)
180.131.145.61 (SystemBC infrastructure)

Domains/URLs

Bublup cloud storage service (exfiltration endpoint)

File Paths

C:\ProgramData\README.BlackSuit.txt (Ransom note location)
%TEMP%\SystemBC.exe (Backdoor installation path)

File Extensions

.blacksuit

Behavioral Patterns

vssadmin.exe delete shadows (Shadow copy deletion)
bcdedit /set recoveryenabled no (Recovery prevention)
netsh advfirewall set allprofiles state off (Firewall deactivation)
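The command lines above, together with the wevtutil and cipher.exe steps described under Anti-Recovery and Anti-Forensics, are the most reliable pre-encryption signal in this playbook because every one of them is a built-in Windows binary run with a specific argument. The detector below is an added example, not code from the page's source: it normalizes process-creation records (case and whitespace, so "Delete  Shadows" still matches), fires one rule per command, and then flags a host only when several distinct recovery-inhibition rules fire within a short window, since a lone vssadmin call can be legitimate backup maintenance. The record format, the sample records and the window/threshold values are the editor's assumptions.

```python
"""Detection for recovery-inhibition and anti-forensics commands (T1490,
T1562.004, T1070.001/.004) over constructed process-creation records.
Added example; the records below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime

# (rule id, ATT&CK technique, image-basename regex, normalized command-line regex).
# Command lines are lower-cased and whitespace-collapsed before matching, so the
# regexes use single spaces.
RULES = [
    ("shadow_copy_delete",      "T1490",     r"^vssadmin(\.exe)?$", r"delete shadows"),
    ("shadow_copy_delete_wmic", "T1490",     r"^wmic(\.exe)?$",     r"shadowcopy delete"),
    ("shadow_storage_shrink",   "T1490",     r"^vssadmin(\.exe)?$", r"resize shadowstorage .*maxsize="),
    ("recovery_disabled",       "T1490",     r"^bcdedit(\.exe)?$",  r"recoveryenabled no"),
    ("bootstatus_ignored",      "T1490",     r"^bcdedit(\.exe)?$",  r"bootstatuspolicy ignoreallfailures"),
    ("firewall_disabled",       "T1562.004", r"^netsh(\.exe)?$",    r"advfirewall set \w+ state off"),
    ("eventlog_cleared",        "T1070.001", r"^wevtutil(\.exe)?$", r"(^| )(cl|clear-log) "),
    ("free_space_wiped",        "T1070.004", r"^cipher(\.exe)?$",   r"/w:"),
]

# Constructed records in a simple pipe-separated form (assumed format):
# timestamp|host|user|image path|command line
RECORDS = """\
2025-07-10T02:14:05Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe  Delete Shadows /All /Quiet
2025-07-10T02:14:07Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2025-07-10T02:14:08Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2025-07-10T02:14:09Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh advfirewall set allprofiles state off
2025-07-10T02:15:30Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
2025-07-10T02:15:31Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cipher.exe|cipher /w:C:\\
2025-07-10T08:00:00Z|WS22|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2025-07-10T08:01:00Z|WS22|CORP\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles
"""


def normalize(cmdline):
    """Lower-case and collapse whitespace so padding or casing cannot evade a rule."""
    return " ".join(cmdline.lower().split())


def parse_record(line):
    ts, host, user, image, cmdline = line.split("|", 4)  # command line may itself contain '|'
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": normalize(cmdline),
    }


def match_record(rec):
    return [(rid, tech) for rid, tech, img_re, cmd_re in RULES
            if re.search(img_re, rec["image"]) and re.search(cmd_re, rec["cmdline"])]


def scan(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for rid, tech in match_record(rec):
            alerts.append({**rec, "rule": rid, "technique": tech})
    return alerts


def correlate(alerts, window_seconds=600, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired within `window_seconds`.
    The burst of different recovery-inhibition commands is the staging signal;
    a single shadow-copy deletion is often routine administration."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    flagged = set()
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            rules = {a["rule"] for a in items[i:]
                     if (a["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(rules) >= threshold:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = scan(RECORDS)
    for a in found:
        print(f'{a["ts"]:%H:%M:%S} {a["host"]} {a["user"]} {a["rule"]} ({a["technique"]}): {a["cmdline"]}')
    print("staging hosts:", sorted(correlate(found)))
```

On the sample records every FS01 line fires a rule while the two WS22 lines (listing shadows, showing firewall state) stay quiet, and FS01 alone crosses the correlation threshold. In a real deployment the same rules map directly onto Sysmon event 1 or Security event 4688 fields (Image and CommandLine, or NewProcessName and CommandLine), and the window should be tuned to how quickly the environment's backup jobs legitimately touch VSS.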

Exploits and Vulnerabilities

The group actively exploited enterprise vulnerabilities for initial access and lateral movement, focusing on widely-deployed infrastructure components.

Product, CVE (CVSS): description

Microsoft Exchange Server, CVE-2021-26855 (CVSS 9.8): ProxyLogon pre-authentication server-side request forgery, chained to remote code execution
Citrix ADC/Gateway, CVE-2019-19781 (CVSS 9.8): directory traversal enabling code execution
PaperCut NG/MF, CVE-2023-27350 (CVSS 9.8): authentication bypass yielding administrative access and code execution
Oracle WebLogic, CVE-2017-10271 (CVSS 7.5): XML deserialization remote code execution in the WLS Security component
Oracle WebLogic, CVE-2019-2725 (CVSS 9.8): unauthenticated deserialization remote code execution