BlackSuit (Ransomware Group) – Threat Actor

April 14, 2024
in Ransomware Group, Threat Actors

BlackSuit Ransomware Group

Other Names

BlackSuit, Black Suit, BlackSuit Virus

Location

Unknown

Date of initial activity

2023

Suspected attribution

Unknown

Associated Groups

Royal ransomware

Motivation

Financial gain. Files are encrypted and held until the ransom is paid. BlackSuit uses a double extortion method: victim data is exfiltrated as well as encrypted, and the stolen data is published on public data leak sites for those victims who fail to comply with the demands.

Associated tools

BlackSuit ransomware

Active

Yes

Overview

The BlackSuit ransomware operation emerged in early April/May 2023. The group is a multi-pronged extortion outfit: it encrypts and exfiltrates victim data and hosts public data leak sites for those victims that fail to comply with its demands. BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a compromised network.

The group is known for significant attacks against entities in the healthcare and education sectors, along with other critical industries. BlackSuit is a private operation in that there are no public affiliates.

BlackSuit payloads share many technical similarities with Royal ransomware payloads, such as similar encryption mechanisms and command-line parameters.

Common targets

Large enterprises and small to medium-sized businesses (SMBs) are targeted, though there does not appear to be any specific discrimination when it comes to industry or type of target. To date, BlackSuit targeting has favored those in the healthcare, education, information technology (IT), government, retail, and manufacturing industries.

Attack Vectors

Payloads are delivered via phishing email or through third-party frameworks (e.g., Empire, Metasploit, Cobalt Strike). Malicious torrent files have also been observed as a delivery vector for BlackSuit ransomware.

How they operate

The group emerged with payloads that support both Windows and Linux operating systems. Payloads are delivered via phishing email or through third-party frameworks (e.g., Empire, Metasploit, Cobalt Strike); malicious torrent files have also been observed as a delivery vector for BlackSuit ransomware.

BlackSuit payloads, on both Windows and Linux, use OpenSSL’s implementation of the Advanced Encryption Standard (AES), a widely used symmetric encryption algorithm, for data encryption. They support intermittent encryption (the -percent option), which encrypts only part of each file so that victim files are processed quickly and efficiently. Linux payloads can target and manipulate VMware ESXi servers, for example via the -killvm option.

BlackSuit encryption is extremely rapid. Local logical drive details are obtained on launch, after which the ransomware very quickly works through the available files and folders on all reachable volumes. Files and directories are enumerated with the FindFirstFileW() and FindNextFileW() API functions, and the encryption process starts immediately.

On Windows systems, the ransomware attempts to inhibit system recovery by removing Volume Shadow Copies (VSS). This is handled via a hidden shell command that launches VSSADMIN.EXE with the /ALL and /Quiet options.

Ransom notes, named “README.BlackSuit.txt”, are written to every folder that contains encrypted items. If the victim fails to comply with the demands, BlackSuit publishes the exfiltrated data on public data leak sites.
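As an added defender-side example (not part of the original profile or any BlackSuit analysis it cites), the following Python script scans constructed Sysmon-style JSON log events for three of the behaviours described above: vssadmin.exe deleting all shadow copies with the /all and /quiet options, creation of a README.BlackSuit.txt ransom note, and a burst of file writes from a single process, the footprint of rapid encryption. The event schema, field names, hostnames, paths, process ids and the 50-writes-in-5-seconds threshold are all assumptions made for this example.

```python
"""Added example: detection of BlackSuit-style activity in constructed host telemetry.
Not part of the original profile; event schema, names, paths and thresholds are assumed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_NOTE = "README.BlackSuit.txt"     # ransom note name from the profile
BURST_COUNT = 50                          # assumed: writes per window that count as a burst
BURST_WINDOW = timedelta(seconds=5)       # assumed window length

# Constructed Sysmon-style events as JSON lines (hosts, pids and paths are made up).
SAMPLE_EVENTS = r"""
{"ts": "2024-04-14T10:00:01", "host": "ws01", "type": "process", "pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2024-04-14T10:00:02", "host": "ws01", "type": "process", "pid": 4130, "cmdline": "vssadmin.exe list shadows"}
{"ts": "2024-04-14T10:00:03", "host": "ws01", "type": "file", "pid": 4300, "path": "C:\\Users\\bob\\Documents\\notes.docx"}
{"ts": "2024-04-14T10:00:05", "host": "ws01", "type": "file", "pid": 4200, "path": "C:\\Users\\bob\\Documents\\README.BlackSuit.txt"}
"""


def build_sample():
    """Return the sample log plus a constructed burst of 60 writes in 3 s from pid 4200."""
    lines = [SAMPLE_EVENTS]
    start = datetime(2024, 4, 14, 10, 0, 10)
    for i in range(60):
        ev = {"ts": (start + timedelta(milliseconds=50 * i)).isoformat(), "host": "ws01",
              "type": "file", "pid": 4200, "path": f"C:\\Share\\finance\\report_{i}.xlsx"}
        lines.append(json.dumps(ev))
    return "\n".join(lines)


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def is_shadow_copy_wipe(cmdline):
    """True when vssadmin is told to delete every shadow copy silently (/all /quiet)."""
    c = cmdline.lower()
    return "vssadmin" in c and "delete shadows" in c and "/all" in c and "/quiet" in c


def detect(events):
    """Run the three rules over time-ordered events and return a list of findings."""
    findings = []
    recent_writes = defaultdict(deque)   # pid -> timestamps of writes inside the window
    burst_reported = set()               # report each bursting pid only once
    for ev in events:
        if ev["type"] == "process":
            if is_shadow_copy_wipe(ev["cmdline"]):
                findings.append({"rule": "vss_delete_all", "host": ev["host"],
                                 "pid": ev["pid"], "detail": ev["cmdline"]})
        elif ev["type"] == "file":
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE:
                findings.append({"rule": "ransom_note", "host": ev["host"],
                                 "pid": ev["pid"], "detail": ev["path"]})
            window = recent_writes[ev["pid"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and ev["pid"] not in burst_reported:
                burst_reported.add(ev["pid"])
                findings.append({"rule": "file_write_burst", "host": ev["host"], "pid": ev["pid"],
                                 "detail": f"{len(window)} writes in {BURST_WINDOW.seconds}s"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(build_sample())):
        print(f"[{f['rule']}] host={f['host']} pid={f['pid']} {f['detail']}")
```

The shadow-copy rule fires only on the destructive "delete shadows" form with both switches, so a routine "vssadmin list shadows" is ignored; the write-burst rule uses a sliding window per process so that a backup agent writing steadily below the threshold stays quiet while a process that touches dozens of files per second is flagged once. In a real deployment the same logic maps onto a SIEM query over Sysmon Event ID 1 (process creation) and Event ID 11 (file create).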

Defense and Mitigations

Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. Here are some recommendations:

  • Create an inventory of assets and data
  • Identify authorized and unauthorized devices and software
  • Conduct audits of event and incident logs
  • Manage hardware and software configurations
  • Grant administrative privileges and access only when necessary
  • Monitor network ports, protocols, and services
  • Establish a whitelist of approved software applications
  • Implement measures for data protection, backup, and recovery
  • Enable multi-factor authentication (MFA)
  • Deploy up-to-date security solutions across all system layers
  • Remain vigilant for early indications of an attack

Significant Attacks

  • BlackSuit Ransomware lays claim to an early November cyberattack still disrupting the Henry County School system. (December 2023)
  • BlackSuit Ransomware claims attack on Group Health Cooperative of South Central Wisconsin. (April 2024)
References:
  • GHC-SCW: Ransomware gang stole health data of 533,000 people
  • Georgia county school district claimed by BlackSuit ransom gang
  • Royal ransomware gang adds BlackSuit encryptor to their arsenal
  • Investigating BlackSuit Ransomware’s Similarities to Royal
  • BlackSuit Ransomware: In-Depth Analysis, Detection, and Mitigation
  • BlackSuit Ransomware