The notorious Royal ransomware group has rebranded itself as BlackSuit, according to an announcement by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The agencies have released an updated advisory detailing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with both Royal and the newly rebranded BlackSuit ransomware.
The updated advisory provides critical insights for network defenders, emphasizing the ransomware's targeting of various sectors, including commercial facilities, healthcare, public health, government facilities, and critical manufacturing. The rebranding marks a significant evolution in the threat landscape, with BlackSuit exhibiting enhanced capabilities and a broader range of attack vectors.
From Royal to BlackSuit
The FBI identified the TTPs and IOCs associated with BlackSuit through extensive investigations and third-party reporting as recently as July 2024. These findings indicate a continuation and expansion of the tactics previously employed by the Royal ransomware actors. The joint Cybersecurity Advisory, initially published in March 2023, has now been updated twice to reflect these developments, with the latest update on August 7, 2024.
BlackSuit ransomware, much like its predecessor, utilizes data exfiltration and extortion tactics. Phishing emails remain the most common vector for initial access, followed by the exploitation of Remote Desktop Protocol (RDP) and vulnerable public-facing applications. Once access is gained, BlackSuit actors disable antivirus software and exfiltrate data before deploying the ransomware to encrypt systems. The ransom demands typically range from $1 million to $10 million, with payments made in Bitcoin. Notably, the largest ransom demand observed was $60 million.
The BlackSuit ransomware has impacted numerous critical infrastructure sectors, including:
- Commercial facilities
- Healthcare and public health
- Government facilities
- Critical manufacturing
Each of these sectors represents a significant portion of the economy and public welfare, underscoring the serious implications of BlackSuit's activities. In late June, we also reported on a BlackSuit attack on Kadokawa Corporation, a prominent Japanese media company that suffered severe operational disruptions as a result.
The threat group's rebranding signals both the continuous evolution of its capabilities and an intention to evade law enforcement crackdowns, while it continues to pose a threat to organizations worldwide.
To defend against BlackSuit and most ransomware, prioritize vulnerability remediation, enable multi-factor authentication on admin accounts, implement network segmentation to restrict lateral movement, and maintain offline, encrypted backups of your most critical data.