Experts
noticed
that
the
new
Linux
ransomware
BlackSuit
has
significant
similarities
with
the Royal
ransomware
family.
Royal ransomware
is
one
of
the most
notable
ransomware
families of
2022,
it
made
the
headlines
in
early
May
2023
with
the
attack
against
the
IT
systems
in
Dallas,
Texas.
The
human-operated Royal
ransomware first
appeared
on
the
threat
landscape
in
September
2022,
it
has
demanded
ransoms
up
to
millions
of
dollars.
The
Royal
ransomware
is
written
in
C++,
it
infected
Windows
systems
and
deletes
all
Volume
Shadow
Copies
to
prevent
data
recovery.
The
ransomware
encrypts
the
network
shares,
that
are
found
on
the
local
network
and
the
local
drives,
with
the
AES
algorithm
In
early
May,
the
Federal
Bureau
of
Investigation
(FBI)
and
the
Cybersecurity
and
Infrastructure
Security
Agency
(CISA)
released
a
joint Cybersecurity
Advisory
(CSA) to
provide
organizations,
tactics,
techniques,
and
procedures
(TTPs)
and
indicators
of
compromise
(IOCs)
associated
with
this
ransomware
family.
According
to
government
experts,
the
Royal
ransomware
attacks
targeted
numerous critical
infrastructure
sectors including,
manufacturing,
communications,
healthcare
and
public
healthcare
(HPH),
and
education.
In
May,
multiple
cybersecurity
experts
spotted
a
new
ransomware
family
called
BlackSuit,
including
Palo
Alto
Unit42
experts.
New
#ransomware
#BlackSuit
targets
Windows,
#Linux.
Extension:
.blacksuit.
ReadMe
file
name:
README.BlackSuit.txt.onion
link:
weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd[.]onion/?id=
md5:9656cd12e3a85b869ad90a0528ca026e(nix),
748de52961d2f182d47e88d736f6c835(win)
pic.twitter.com/v3SiLahREG—
Unit
42
(@Unit42_Intel)
May
3,
2023
In
the
same
period, some
researchers linked
the
new
ransomware
to
the
Royal
ransomware.
Then
Trend
Micro
researchers
initially
analyzed
a
Windows
32-bit
sample
of
the
ransomware
from
Twitter.
BlackSuit
appends
the .blacksuit extension
to
the
name
of
the
encrypted
files,
drops
a
ransom
note
into
each
directory
containing
the
encrypted
files,
and
adds
the
reference
to
its
TOR
chat
site
in
the
ransom
note
along
with
a
unique
ID
for
each
of
its
victims.
BlackSuit
ransomware
operators
also
set
up
a
data
leak
site.
Trend
Micro
researchers
compared
an
x64
VMware
ESXi
version
of
Blacksuit
targeting
Linux
machines
with
the
Royal
ransomware
and
discovered
an
extremely
high
degree
of
similarity
between
the
two
families.
“After
comparing
both
samples
of
the
Royal
and
BlackSuit
ransomware,
it
became
apparent
to
us
that
they
have
an
extremely
high
degree
of
similarity
to
each
other.”
reads
the
analysis
published
by
TrendMicro.
“In
fact,
they’re
nearly
identical,
with
98%
similarities
in
functions,
99.5%
similarities
in
blocks,
and
98.9%
similarities
in
jumps
based
on
BinDiff,
a
comparison
tool
for
binary
files.”
The
comparison
revealed
93.2%
similarity
in
functions,
99.3%
in
basic
blocks,
and
98.4%
in
jumps
based
on
BinDiff.
The
researchers
mapped
the
command-line
arguments
accepted
by
BlackSuit,
and
noticed
that
it
introduces
different
argument
strings
compared
to
Royal
ransomware.
“The
emergence
of
BlackSuit
ransomware
(with
its
similarities
to
Royal)
indicates
that
it
is
either
a
new
variant
developed
by
the
same
authors,
a
copycat
using
similar
code,
or
an
affiliate
of
the
Royal
ransomware
gang
that
has
implemented
modifications
to
the
original
family.”
concludes
the
report.
“One
possibility
for
BlackSuit’s
creation
is
that,
since
the
threat
actors
behind
Royal
(and Conti
before
it)
are
one
of
the most
active
ransomware
groups
in
operation
today,
this
may
have
led
to
increased
attention
from
other
cybercriminals,
who
were
then
inspired
to
develop
a
similar
ransomware
in
BlackSuit.
Another
option
is
that
BlackSuit
emerged
from
a
splinter
group
within
the
original
Royal
ransomware
gang.”
Follow
me
on
Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
Share
On
About Author
