The newly discovered BlackSuit ransomware overlaps in several ways with the notorious Royal ransomware group. Based on reports, this new ransomware family could target both Linux and Windows users. These details suggest that the newly emerged threat could be a copycat or a new affiliate of Royal.
According to researchers, the BlackSuit ransomware has a Windows 32-bit version and an ESXi 64-bit version. Moreover, the campaign attaches the file extension [.]blacksuit to every encrypted file.
The campaign also leaves a ransom note containing information about the attack, a unique ID for the affected victim, and a TOR link the victim can visit to contact the attackers. In addition, the malware operators utilise a data leak website to publish stolen data if a victim does not comply with their demands. At present, however, the website lists only a single victim.
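As an added illustration (not code from the article or from the researchers it cites), the following Python script performs a simple defensive triage for the indicator described above: it walks a directory tree, flags files carrying the `.blacksuit` extension, and separately flags files whose leading bytes have the high entropy typical of encrypted content, so that renamed or partially encrypted files can still surface. The entropy threshold and the constructed sample files are assumptions; the ransom note filename is not given on the page, so the script does not look for one.

```python
import math
import os
import tempfile
from collections import Counter

# Extension the article says BlackSuit appends to encrypted files
# (the page defangs it as [.]blacksuit).
BLACKSUIT_EXT = ".blacksuit"

# Bits per byte above which a sample looks encrypted or compressed.
# Assumed threshold for this example; tune against your own data.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Return files matching the extension indicator and files whose
    first sample_size bytes look encrypted."""
    hits = {"by_extension": [], "high_entropy": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(BLACKSUIT_EXT):
                hits["by_extension"].append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Ignore tiny files; entropy estimates on them are noisy.
            if len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY:
                hits["high_entropy"].append(path)
    return hits


def build_constructed_sample() -> str:
    """Create a constructed directory: one plaintext document and one
    random-byte file renamed with the BlackSuit extension."""
    root = tempfile.mkdtemp(prefix="blacksuit-triage-")
    plain = b"Quarterly revenue summary for the board, draft 3.\n" * 40
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(plain)
    # Random bytes stand in for ciphertext; this is constructed test data.
    with open(os.path.join(root, "report.docx" + BLACKSUIT_EXT), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    sample_root = build_constructed_sample()
    for category, paths in scan_tree(sample_root).items():
        print(category)
        for p in paths:
            print("  ", p)
```

Run it as-is to see the constructed sample triaged, or call `scan_tree("/path/to/share")` against a file share; extension hits are the strong indicator, entropy hits are a weaker signal that also fires on legitimate archives and media, so review them rather than alerting on them directly.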
The BlackSuit ransomware's Linux sample shares features with Royal.
Based on reports, the Linux variant of BlackSuit is matched by the same YARA rule that matches Royal's code. Further analysis has also shown that the two malware families share several other similarities.
The first obvious similarity is that BlackSuit supports multiple command-line arguments, although it also includes a few additional arguments that the Royal ransomware does not have. Both strains also use comparable intermittent encryption techniques, OpenSSL's AES encryption, and the same formulas and constants for the encrypted file size.
The researchers also compared the malware strains’ 32-bit samples and revealed a 99.3% resemblance in basic blocks, 98.4% in jumps, and 93.2% in used functions. Lastly, both 64-bit models of malicious entities have 98% similarities in processes, 99.5% in blocks, and 98.9% in BinDiff-based jump statements.
The BlackSuit ransomware operators have not acknowledged any connection to the Royal ransomware operation. However, researchers suspect BlackSuit could be a new variant of Royal or an imitation of Royal's source code and branding.
Regardless of the true nature of the ransomware, organisations should be cautious with BlackSuit, since it could inflict damage comparable to that of the Royal ransomware operation. Hence, treat BlackSuit as a serious threat to the cybersecurity landscape.
