About This Threat Profile
First Identified: 2023
Operation style:
Private ransomware operation.
Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
Most frequently targeted industry:
- Industrials (Construction & Engineering)
Most frequently targeted victim HQ region: United States, North America
Known Associations:
- Ignoble Scorpius
- Conti Ransomware
- Hermes Ransomware
- Royal Ransomware
- Ryuk Ransomware
- Zeon Ransomware
Description
Black Suit Ransomware was first discovered in May 2023 and uses the double extortion method: victim data is stolen before encryption and leaked via a data leak site if the ransom demand is not paid. Black Suit has been assessed to be a likely rebrand of the Royal ransomware operation because of the similarities between their binaries.
Black Suit operators have been reported to demand ransoms of between $1 million and $10 million from victims.
Black Suit ransomware operators have been observed gaining initial access via social engineering, torrent websites, malicious advertisements, and delivery by other malware already present on the victim system.
The 32-bit Windows variants of the Black Suit and Royal ransomware share a 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% similarity in jumps. Both use OpenSSL’s AES implementation for encryption and apply a similar intermittent encryption technique. The Linux variants of Black Suit and Royal share 98% similarity in functions, 99.5% similarity in blocks, and 98.9% similarity in jumps.
Black Suit’s intermittent encryption encrypts only part of each file in order to accelerate the encryption process. Like Royal, Black Suit prepares a file for encryption by rounding its size up to the nearest multiple of 16 (the AES block size) and then adding 41 bytes. It then checks whether the file is larger than 0x40000 (262,144 bytes); if it is, the encryptor uses the value supplied with the “-percent” command-line parameter, and the number of bytes to encrypt intermittently is calculated with the same formula found in the Linux version of Royal ransomware. Encrypted files are given the “.blacksuit” extension.
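The size arithmetic above is enough to build a simple forensic triage check for an impacted host, so the following is an added example, not code from Black Suit or from any vendor report. It takes the profile’s statements (size rounded up to a multiple of 16, 41 bytes appended, the 0x40000 threshold for the “-percent” path) and derives what an encrypted file’s size should look like: any size of the form 16k + 41 satisfies size mod 16 == 9, and a file whose pre-encryption size was certainly above 0x40000 must have gone through the intermittent path. The percent formula itself is not on the page and is deliberately not reimplemented here; the directory listing is constructed sample data.

```python
"""Triage helper for files encrypted the way the Black Suit profile describes.

Added example (not Black Suit code, not a vendor's tooling). Everything here is
derived only from the size rules stated in the profile; the "-percent" formula
is not reproduced because it is not given on the page.
"""

BLOCK = 16                         # AES block size; file size is rounded up to a multiple of it
TRAILER_BYTES = 41                 # bytes appended after the rounded-up data (per the profile)
INTERMITTENT_THRESHOLD = 0x40000   # files larger than this use the "-percent" value
EXTENSION = ".blacksuit"


def round_up_to_block(size: int, block: int = BLOCK) -> int:
    """Round a byte count up to the nearest multiple of `block` (0 stays 0)."""
    return (size + block - 1) // block * block


def expected_encrypted_size(original_size: int) -> int:
    """Size the profile implies for the encrypted file: padded data plus 41-byte trailer."""
    return round_up_to_block(original_size) + TRAILER_BYTES


def uses_intermittent_encryption(original_size: int) -> bool:
    """True when the pre-encryption size exceeds 0x40000, i.e. the "-percent" path applies."""
    return original_size > INTERMITTENT_THRESHOLD


def size_consistent_with_profile(encrypted_size: int) -> bool:
    """16*k + 41 always gives size % 16 == 9; anything else was not produced this way."""
    return encrypted_size >= TRAILER_BYTES and encrypted_size % BLOCK == TRAILER_BYTES % BLOCK


def original_size_bounds(encrypted_size: int) -> tuple[int, int]:
    """Inclusive range of possible pre-encryption sizes for an encrypted file size.

    Removing the trailer gives the padded length; the original was at most that
    and at least that minus (BLOCK - 1) bytes of padding.
    """
    padded = encrypted_size - TRAILER_BYTES
    return max(0, padded - (BLOCK - 1)), max(0, padded)


def triage_listing(listing):
    """listing: iterable of (path, size_in_bytes). Returns one finding per .blacksuit file."""
    findings = []
    for path, size in listing:
        if not path.lower().endswith(EXTENSION):
            continue
        low, _high = original_size_bounds(size)
        findings.append({
            "path": path,
            "size": size,
            # False means the file size cannot have been produced by the described scheme.
            "size_pattern_ok": size_consistent_with_profile(size),
            # True only when even the smallest possible original exceeds the threshold.
            "likely_intermittent": low > INTERMITTENT_THRESHOLD,
        })
    return findings


# Constructed sample listing (hypothetical paths and sizes, not real victim data).
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/report.docx.blacksuit", 153),        # 100-byte file: 112 + 41
    ("C:/data/db.bak.blacksuit", 0x80000 + TRAILER_BYTES),           # 512 KiB file, padded already
    ("C:/data/weird.blacksuit", 1000),                               # 1000 % 16 == 8: does not fit
    ("C:/Users/alice/Documents/notes.txt", 500),                     # untouched file, ignored
]

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_LISTING):
        print(finding)
```

The congruence check is a weak signal on its own (one file in sixteen matches by chance), but across a whole volume of “.blacksuit” files it quickly separates output of this encryptor from files that were merely renamed, and the size bounds tell an analyst which files were only partially encrypted and may therefore still contain recoverable plaintext.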
Similar to Royal, Black Suit is not considered to be a ransomware-as-a-service (RaaS); there are no known affiliates of the Black Suit ransomware operation. Additionally, Royal had been tied to the Conti ransomware operation that ended in 2022; it is widely believed the group splintered into multiple smaller groups and rebranded to evade law enforcement detection.
In October 2024, Barracuda researchers reported that the Black Suit operation was likely the sixth generation of the Hermes ransomware. Hermes was first observed being sold on cybercriminal forums in 2016 and was linked to the Ryuk operation in 2018 based on code similarities. The group behind Ryuk was then assessed to have begun operating Conti Ransomware in 2019. Conti operated until 2022, when a Ukrainian researcher with access to Conti resources leaked the group’s internal operational information. Zeon Ransomware was identified in 2022, and the Zeon operation subsequently rebranded to Royal Ransomware.
In 2023, Royal Ransomware operators were observed testing a new encryptor, Black Suit, which led to the assessment that the group was likely going to rebrand. In May 2023, Black Suit was observed operating a data leak site and began posting purported victims’ data.
This operation illustrates the continuous rebranding and shifting, and the long lineage, that likely lie behind many present-day ransomware operations.