BlackSuit Ransomware: An Emerging Apex Cyber Threat
BLUF: Hardened ransomware actors originally from the CONTI group are demanding high ransom amounts and releasing victim data, in an operation named after its payload file extension: BlackSuit.
Here’s what you need to know:
BlackSuit is a ransomware group that was created in 2023. BlackSuit is considered an ‘apex’ cyber predator and criminal malware operation, and the group also excels at hostile negotiation tactics in the context of extortion.
Since May 2023, BlackSuit has targeted over 98 organizations globally, with a focus on critical sectors in the United States, United Kingdom, and Canada. Victims include healthcare, education, manufacturing, government, defense contractors, and commercial facilities, including a June 2024 breach against CDK Global, in which the group extorted the automotive IT company for $25 million in ransom, the third largest payment ever.
Trusted Internet is proactively monitoring for and blocking all known attack indicators related to this operation, including those just released by CISA and the FBI. 
Discussion and detail:
To date, BlackSuit has demanded ransoms reaching as high as $60 million, and over $500 million in total. While willing to negotiate, the group's average demand still hovers around $2.5 million. Attacks have led to significant business disruption, damaged emergency services, and leaked sensitive data and intellectual property.
Tactics, Techniques & Procedures
Initial access to victim networks is gained primarily through phishing emails, exploitation of vulnerable VPNs and internet-facing apps, and compromised RDP credentials, often purchased from “initial access brokers” on the dark web.
Once in, they use common tools such as Mimikatz and GMER for credential theft, process killing, and maintaining access to the compromised system (persistence). Common no-cost and open-source tools such as Chisel, Secure Shell (SSH) clients, PuTTY, OpenSSH, and MobaXterm are used for network tunneling.
SystemBC is used for persistence, while Gootloader malware is often used to extract data. (BlackSuit is known to exfiltrate large volumes of data prior to encryption for double-extortion leverage.)
The group's ransomware payload, which appends the “.blacksuit” extension, has significant code overlap with Royal's, but exhibits improved capabilities. It terminates processes and deletes shadow copies to thwart recovery, while maintaining a whitelist to keep systems bootable for decryption.
BlackSuit is increasingly applying pressure through phone calls and emails to victims, and has even threatened to "swat" hospital cancer patients. Stolen data is mined for evidence of exfiltration to further coerce payment. BlackSuit's operators are seasoned negotiators and masters of leverage in the context of extortion. They have been known to threaten family members of executives in the victim organization they are negotiating with, calling or texting spouses.
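As an added example (not code from the original post, nor from CISA or the FBI), the script below sketches a host-level detection for the two payload behaviours described above: shadow copy deletion and a burst of files renamed to the “.blacksuit” extension. The event format, the sample telemetry and the rename threshold are all constructed or assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real BlackSuit logs): one event per line,
# "<host>|<event kind>|<detail>". Process events carry the command line;
# file events carry the path after a write or rename.
SAMPLE_EVENTS = """\
ws01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
ws01|process|wmic shadowcopy delete
ws01|file|C:\\Users\\acct\\Documents\\q3-forecast.xlsx.blacksuit
ws01|file|C:\\Users\\acct\\Documents\\board-deck.pptx.blacksuit
ws01|file|C:\\Users\\acct\\Documents\\readme.txt
ws02|process|C:\\Windows\\System32\\vssadmin.exe list shadows
ws02|file|C:\\Shares\\finance\\ledger.csv
"""

# Command lines that remove Volume Shadow Copies (recovery points).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)
# File extension the BlackSuit payload appends to encrypted files.
BLACKSUIT_EXT = re.compile(r"\.blacksuit$", re.I)

def parse_events(text):
    """Split the constructed telemetry into (host, kind, detail) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            host, kind, detail = line.split("|", 2)
            out.append((host, kind, detail))
    return out

def detect_blacksuit_activity(events, rename_threshold=2):
    """Return {host: [reasons]} for hosts showing shadow copy deletion or at
    least rename_threshold .blacksuit renames (threshold is an assumed tuning value)."""
    shadow_hits, renames = Counter(), Counter()
    for host, kind, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            shadow_hits[host] += 1
        elif kind == "file" and BLACKSUIT_EXT.search(detail):
            renames[host] += 1
    alerts = {}
    for host in set(shadow_hits) | set(renames):
        reasons = []
        if shadow_hits[host]:
            reasons.append(f"shadow copy deletion x{shadow_hits[host]}")
        if renames[host] >= rename_threshold:
            reasons.append(f".blacksuit renames x{renames[host]}")
        if reasons:
            alerts[host] = reasons
    return alerts

if __name__ == "__main__":
    print(detect_blacksuit_activity(parse_events(SAMPLE_EVENTS)))
```

Note that the benign "vssadmin list shadows" on ws02 does not trigger, so the rule keys on deletion rather than on any shadow copy tooling.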
Attribution and History
BlackSuit has substantial similarities to Royal, including near-identical negotiation language observed during incidents. Royal is an offshoot of the now-immobilized Conti gang, pointing to likely Russian-speaking cybercriminal origins.
January 2022: the group initially named its ransomware Zeon.
Summer 2022 (NFI): Zeon was linked to Conti Team One.
September 2022: Royal ransomware emerged and is suspected to be run by former members of Conti Team One.
(The Royal group has seasoned cybercriminals behind it from Conti. Some were even part of developing Ryuk ransomware (Conti's predecessor), giving them years of experience running ransomware attacks.)
Conti was dismantled after a major data leak related to the gang's public support for Russia in the Russia-Ukraine war, and Conti Team One members regrouped as Royal. Those same ‘Conti Leaks’ (dumps of their internal chats with developers, victims, and launderers) revealed this group to be conducting heavy R&D.
Our Recommendations
To defend against the BlackSuit ransomware threat, according to official FBI/CISA coverage:
Proactively patch known VPN and firewall vulnerabilities that BlackSuit exploits for initial access.
Implement MFA for RDP and VPN and monitor for anomalous login patterns that could signal compromised credentials.
Employ endpoint detection and response (EDR) tools to identify usage of BlackSuit's favored legitimate utilities like Mimikatz in the attack chain.
Maintain regular, immutable offline data backups to enable recovery without paying ransoms.
Conduct workforce phishing education and user behavior modification (e.g. KnowBe4), and implement email filtering to neutralize BlackSuit's primary intrusion vector.