Security researchers from Trend Micro have conducted an analysis of the newly discovered BlackSuit ransomware and found significant similarities with the Royal ransomware family. The Linux variant of BlackSuit shares an “extremely high degree of similarity” with Royal, including 98% similarities in functions, 99.5% in blocks, and 98.9% in jumps. BlackSuit, which was first observed in May 2023, employs a double extortion scheme, targeting both Windows and Linux hosts to steal and encrypt sensitive data in compromised networks.
The overlap between BlackSuit and Royal suggests that BlackSuit may be a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang with modifications. Both strains utilize OpenSSL’s AES encryption and employ similar intermittent encryption techniques to speed up the encryption process. However, BlackSuit incorporates additional command-line arguments and avoids encrypting specific file extensions during its operations.
The findings highlight the ever-evolving nature of the ransomware ecosystem, with threat actors constantly modifying existing tools to generate illicit profits. It is possible that BlackSuit emerged from a splinter group within the original Royal ransomware gang or represents a new offshoot of the Conti team, from which Royal originated. This underscores the challenges faced by organizations in protecting their data and mitigating the impact of ransomware attacks.
As the threat landscape continues to evolve, new ransomware variants and tactics emerge, such as the triple extortion approach seen in the NoEscape ransomware-as-a-service (RaaS) initiative. This method combines data exfiltration, encryption, and distributed denial-of-service (DDoS) attacks to maximize the impact on victims. The operators of NoEscape offer a DDoS service for an additional fee, targeting entities outside the Commonwealth of Independent States (CIS) countries. The dynamic and lucrative nature of ransomware demonstrates the importance of robust cybersecurity measures and proactive defense strategies.
