CISA, FBI: Royal Ransomware Now BlackSuit, Exceeds $500M in Victim Demands
The ransomware operation formerly known as Royal has rebranded and now operates under the name BlackSuit. Since adopting the new name, the extortionists have demanded more than $500 million in total, with the largest single ransom demand reaching $60 million. The FBI and CISA have updated their joint advisory on Royal, confirming long-standing suspicions that the group rebranded as BlackSuit: it operated as Royal from September 2022 to July 2023 and has used the BlackSuit name since.
Code analysis revealed numerous similarities between the Royal and BlackSuit ransomware, establishing the link between them, and BlackSuit has shown improved capabilities over Royal. Phishing emails remain the primary initial access vector. Once inside, the operators disable antivirus software, exfiltrate large volumes of data, and then deploy the ransomware.
In recent cases, victims have received phone calls or emails from the extortionists carrying threats and ransom demands. According to Sophos, several ransomware groups use this method to pressure victims and their customers by threatening to publish stolen data. The tactic has often failed, however, because companies tend to base ransom payment decisions on practical considerations such as business downtime and regulatory requirements.
The updated FBI advisory notes that the attackers use legitimate tools to move through victims' networks and, in some cases, valid accounts for remote access. They also disable antivirus software and deploy remote monitoring and management (RMM) software to maintain access to the victims' networks.
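The three behaviours above (a valid account used for remote access, antivirus tampering, and an RMM tool appearing on the host) are individually noisy, because administrators do all three legitimately. The added example below, which is not from the advisory or this article, correlates them per host over a time window so that only a host showing two or more of them is flagged. The log lines are constructed for the example, and the RMM binary names, AV-tampering command markers, the 10/8 "internal" network test and the six-hour window are all assumptions to be replaced with an organization's own baseline.

```python
"""Toy per-host correlation of the post-compromise behaviours described above.

The sample events are constructed; the indicator lists are assumptions for
illustration, not indicators published by CISA/FBI.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator sets (illustrative only).
RMM_BINARIES = {"anydesk.exe", "atera.exe", "teamviewer.exe",
                "screenconnect.clientservice.exe"}
AV_TAMPER_MARKERS = ("set-mppreference -disablerealtimemonitoring",
                     "sc stop windefend", "taskkill /im msmpeng.exe")
INTERNAL_PREFIX = "10."            # assumed corporate address space
CORRELATION_WINDOW = timedelta(hours=6)

# Constructed JSON-lines sample: WS-017 shows all three behaviours within a few
# minutes; WS-042 is an admin running an RMM client normally and must not alert.
SAMPLE_LOG = r"""
{"ts":"2024-06-01T01:02:03","host":"WS-017","type":"logon","user":"jdoe","logon_type":10,"src_ip":"203.0.113.7"}
{"ts":"2024-06-01T01:10:00","host":"WS-017","type":"process","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts":"2024-06-01T01:12:30","host":"WS-017","type":"process","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe","cmdline":"AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"}
{"ts":"2024-06-01T09:00:00","host":"WS-042","type":"logon","user":"asmith","logon_type":2,"src_ip":"10.0.0.5"}
{"ts":"2024-06-01T09:05:00","host":"WS-042","type":"process","user":"asmith","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","cmdline":"TeamViewer.exe"}
"""


def classify(ev):
    """Map one event to a behaviour tag, or None if it matches nothing."""
    if ev["type"] == "logon":
        # Logon type 10 is RemoteInteractive (RDP); an external source with a
        # real account is the "valid accounts for remote access" pattern.
        if ev.get("logon_type") == 10 and not ev.get("src_ip", "").startswith(INTERNAL_PREFIX):
            return "remote_valid_account"
        return None
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "").lower()
        if any(marker in cmd for marker in AV_TAMPER_MARKERS):
            return "av_tamper"
        basename = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in RMM_BINARIES:
            return "rmm_tool"
    return None


def correlate(log_text, min_behaviours=2):
    """Group tagged events per host and alert when at least min_behaviours
    distinct behaviours occur within CORRELATION_WINDOW of each other."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag, ev["user"]))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= CORRELATION_WINDOW]
            tags = sorted({h[1] for h in window})
            if len(tags) >= min_behaviours:
                alerts.append({"host": host,
                               "users": sorted({h[2] for h in window}),
                               "behaviours": tags,
                               "first_seen": t0.isoformat()})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run stand-alone, it emits one alert for WS-017 listing all three behaviours and nothing for WS-042; lowering `min_behaviours` to 1 turns it back into a plain single-indicator rule and WS-042 fires too, which is the noise the correlation is meant to suppress. In production the classifiers would be replaced by the organization's own detections (Sysmon, EDR telemetry, Windows Security 4624 events) and the per-host window by a SIEM correlation rule, but the structure is the same.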
BlackSuit has claimed responsibility for several recent attacks, including an attack on the major Japanese media conglomerate Kadokawa and the medical company Octapharma Plasma.
It is worth recalling that in 2023, the group also encrypted data in various Dallas city systems used by the police, fire department, courts, and other services. Police officers still have to keep records by hand, and firefighters complain that they receive insufficient information from dispatchers, sometimes leading them to the wrong addresses.
Additionally, in June, the major technology company CDK Global fell victim to a BlackSuit attack that paralyzed the company’s servers for two weeks. As a result, around 15,000 auto dealers across the United States, including networks such as Asbury, AutoNation, Group 1, Lithia, and Sonic, faced halted sales and vehicle registrations. Ultimately, the company paid the extortionists $25 million in Bitcoin to resume operations.