BlackSuit Ransomware

About This Threat Profile

First Identified: 2023

Operation style: Private ransomware operation.

Extortion method: Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of the victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry: Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, abuse of external remote services, drive-by compromise, vulnerability exploitation, supply chain attacks, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1195, T1566)
    • Persistence
      • Scheduled tasks, valid accounts, boot/logon autostart execution (MITRE ATT&CK: T1053, T1078, T1547)
    • Lateral Movement
      • Abuse of remote services, alternate authentication material, lateral tool transfer (MITRE ATT&CK: T1021, T1550, T1570)

Description

BlackSuit Ransomware was first discovered in May 2023 and operated using the double extortion method: victim data was stolen and leaked via a data leak site if the ransom demand was not paid. BlackSuit was assessed to be a likely rebrand of the Royal ransomware operation because of the similarities between their binaries.

BlackSuit operators were reported to often demand ransoms of between $1 million and $10 million from victims.

BlackSuit Ransomware operators were reported to gain initial access via social engineering attacks, torrent websites, malicious ads, and deployment via additional malware.

The 32-bit Windows variants of BlackSuit and Royal shared a 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% similarity in jumps. Both used OpenSSL’s AES for encryption and similar intermittent encryption techniques. The Linux variants of BlackSuit and Royal shared 98% similarity in functions, 99.5% similarity in blocks, and 98.9% similarity in jumps.

BlackSuit used OpenSSL’s AES for encryption together with an intermittent encryption technique to speed up the encryption process. Like Royal, BlackSuit prepared each file for encryption by rounding the file size up to the nearest multiple of 16 and then adding 41 bytes. It then checked whether the file being encrypted was larger than 0x40000 (262,144) bytes; if so, it used the value set with the “-percent” option. The number of bytes to encrypt intermittently was then calculated using the same formula found in the Linux version of Royal ransomware. Encrypted files were given the “.blacksuit” extension.
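Intermittent encryption matters for defenders because a detector that measures entropy over the whole file can miss a file in which only a fraction of the blocks was rewritten, while a per-block scan still exposes the encrypted regions. The Python script below is an added example written for this profile, not code from Blackpoint Cyber or from the BlackSuit/Royal binaries; the 4096-byte analysis block, the one-in-eight block pattern and the sample buffer are constructed assumptions for illustration and do not reproduce the ransomware’s actual “-percent” formula, which is not given here.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096    # assumed analysis block size; not BlackSuit's real chunk size
HIGH_ENTROPY = 7.5   # bits per byte; AES ciphertext sits close to the maximum of 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(data: bytes, block_size: int = BLOCK_SIZE,
                        threshold: float = HIGH_ENTROPY) -> list[int]:
    """Return the indices of blocks whose entropy meets the threshold.

    Scanning per block is what exposes intermittent encryption: the rewritten
    blocks stand out even when most of the file is untouched plaintext.
    """
    flagged = []
    for idx, offset in enumerate(range(0, len(data), block_size)):
        if shannon_entropy(data[offset:offset + block_size]) >= threshold:
            flagged.append(idx)
    return flagged


def build_sample(total_blocks: int = 32, encrypt_every: int = 8,
                 block_size: int = BLOCK_SIZE, seed: int = 1234) -> bytes:
    """Constructed stand-in for an intermittently encrypted document.

    Low-entropy text fills most blocks; seeded pseudo-random bytes (standing in
    for ciphertext) fill every `encrypt_every`-th block. The pattern is an
    assumption made for this example, not BlackSuit's real selection rule.
    """
    rng = random.Random(seed)
    text = b"Quarterly report - all figures in USD thousands. "
    plain = (text * (block_size // len(text) + 1))[:block_size]
    out = bytearray()
    for i in range(total_blocks):
        if i % encrypt_every == 0:
            out += rng.randbytes(block_size)
        else:
            out += plain
    return bytes(out)


def compare_detectors(data: bytes) -> dict:
    """Whole-file entropy check versus per-block scan on the same buffer."""
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": whole,
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "blocks_flagged": high_entropy_blocks(data),
    }


if __name__ == "__main__":
    sample = build_sample()
    result = compare_detectors(sample)
    print(f"whole-file entropy: {result['whole_file_entropy']:.2f} bits/byte "
          f"-> flagged: {result['whole_file_flagged']}")
    print(f"per-block scan flagged blocks: {result['blocks_flagged']}")
```

On the constructed sample the whole-file entropy stays well under the 7.5 bits/byte threshold because seven of every eight blocks are plaintext, so a file-level check reports nothing, whereas the per-block scan flags exactly the rewritten blocks. The same per-block approach is the basis of file-monitoring rules that look for a sudden spread of high-entropy regions across many documents rather than waiting for whole files to turn to ciphertext.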

Similar to Royal, BlackSuit was not considered a ransomware-as-a-service (RaaS) operation; no affiliates of the BlackSuit operation were known. Royal, in turn, had been tied to the Conti ransomware operation, which ended in 2022; it is widely believed that the Conti group splintered into multiple smaller groups and rebranded to evade law enforcement.

In October 2024, Barracuda researchers reported that the BlackSuit operation was likely the sixth generation of the Hermes ransomware. Hermes was first observed being sold on cybercriminal forums in 2016 and was linked to the Ryuk operation in 2018 based on code similarities. The Ryuk operators were then assessed to be running the Conti ransomware operation in 2019. Conti operated until 2022, when a Ukrainian researcher with access to Conti resources leaked information about its operations. Zeon ransomware was identified in 2022, and the Zeon operation later rebranded to Royal Ransomware.

In 2023, Royal Ransomware operators were observed testing a new encryptor, BlackSuit, which led to the assessment that the group was likely preparing to rebrand. In May 2023, BlackSuit was observed operating a data leak site and began posting purported victims’ data.

This operation highlights the continuous rebranding and shifting of ransomware groups, and the long lineage that current-day ransomware operations likely have.

In August 2025, international authorities announced the takedown of BlackSuit’s infrastructure in an operation dubbed “Operation Checkmate”. The U.S. Department of Justice (DoJ) announced the takedown of four servers and nine domains associated with the operation, as well as the seizure of cryptocurrency worth more than $1 million.

Security researchers have since linked a recently identified ransomware operation, Chaos, to the BlackSuit operators. The link was based on overlapping tradecraft, encryption commands, the theme and structure of the ransom note, and overlapping tool use such as remote monitoring and management (RMM) tools.

Date published: December 12, 2024
Author: Blackpoint Cyber