According to recent reports, the Royal ransomware gang has begun testing a new encryptor called BlackSuit, which shares many similarities with the operation’s usual encryptor.
BlackSuit is a ransomware family first observed in May 2023 that is substantially similar to Royal. The overlap has led researchers to speculate that BlackSuit is either a new variant written by the same authors, a copycat reusing similar code, or a Royal affiliate that has modified the original family.
Since late April there have been rumors that the Royal ransomware operation was planning to rebrand under a new name, possibly because of increased law-enforcement pressure following its attack on the City of Dallas, Texas. In May, a new ransomware operation called BlackSuit appeared, using its own branded encryptor and its own Tor negotiation sites. Some researchers speculated that BlackSuit was Royal's new name, but no rebranding took place: the Royal group is still actively attacking enterprises and has deployed BlackSuit in only a limited number of attacks.
According to Yelisey Bohuslavskiy from RedSense, the Royal gang uses both the Royal and BlackSuit lockers, with Emotet and IcedID as precursors. They are focused on developing custom precursor loaders and exploring alternatives to Cobalt Strike, such as Sliver. While they experiment with new tools like the BlackSuit locker, it is possible that these attempts are considered failed experiments.
The BlackSuit operation appears to be self-contained, which may indicate that Royal plans to launch a subgroup aimed at specific types of victims, or is holding the brand in reserve for a future rebranding.
However, a rebranding may no longer be effective: a report by Trend Micro documents clear similarities between the BlackSuit and Royal encryptors, which would make it difficult to convince anyone that BlackSuit is an unrelated operation. The extent of the BlackSuit encryptor's use is uncertain, but it has been observed in a small number of attacks, with ransom demands currently below $1 million. Only one victim is listed on the BlackSuit data leak site at present, though that could change if the encryptor is deployed more widely.
It is still unclear whether the BlackSuit encryptor marks the start of a new Royal subgroup or a failed experiment. Either way, network defenders should treat BlackSuit intrusions as Royal activity: the group's expertise in breaching networks, its precursor loaders (Emotet, IcedID) and its post-exploitation tooling (Cobalt Strike, Sliver) are the same regardless of which locker is dropped at the end of the intrusion, so existing detections for those stages apply before the encryptor ever runs.