The Royal ransomware group has rebranded — ‘BlackSuit’ has already made $500 million in ransom demands and has the FBI on red alert

The Royal ransomware operation has rebranded to the name ‘BlackSuit’, according to an alert from the FBI and CISA , with both agencies warning the group has already demanded half a billion in ransom payments.

The joint advisory was released to disseminate the group’s known IOCs and TTPs using evidence the FBI gathered during its own threat response engagements, as well as information from third-parties from as recently as July 2024.

According to research from Trend Micro, the group first appeared under the name ‘Zeon’ in 2022 and deployed a BlackCat encryptor in its earliest campaigns before switching to its own variant.

After announcing itself on the scene, the group was immediately linked to the Conti group after it was observed distributing ransom notes with clear similarities to the notorious Russian outfit.

Security researchers noticed the group had dropped the Zeon name and started to refer to itself as the Royal ransomware family in its ransom notes.

Trend Micro’s report stated that Royal ransomware ‘hit the ground running’, immediately becoming one of the most prolific digital extortion operations in the fourth quarter of 2022, only behind ransomware royalty LockBit and BlackCat.

Using data from the three groups’ leak sites, Trend Micro estimated that the trio were responsible for the highest number of successful attacks in the three month period, with Royal accounting for 10.7% of those.

Threat intelligence platform DarkFeed claimed the group was the most prolific ransomware operation in November 2022, knocking LockBit off the top spot for the first time.

One of the higher profile attacks launched by Royal targeted the British Formula One circuit Silverstone, which was posted on the group’s leak site on November 8 2022.

BlackSuit exhibits ‘improved capabilities’ over Royal ransomware predecessor

The alert from CISA and the FBI stated that BlackSuit has a number of coding similarities with its Royal predecessor, but exhibits improved capabilities.

In terms of the group’s tactics, like most ransomware operations BlackSuit has been observed conducting its data exfiltration and extortion activities prior to encryption, publishing the victim’s data to a leak site if they fail to pay the ransom.

The group’s most successful attack vectors are using phishing emails, according to CISA, and once initial access is achieved, the group has been observed disabling antivirus software and exfiltrating large volumes of data before deploying its ransomware and encrypting systems.

The advisory listed a series of alternative initial access techniques the group has been observed employing in its attacks, including targeting the remote desktop protocol (RDP), public-facing applications, as well as using third-party initial access brokers.

Discover a platform that actively protects sensitive data

Since adopting its new name, BlackSuit’s typical ransom demands have fallen in the $1 – 10 million range, usually required to be made using Bitcoin, with the alert noting the group has exhibited a willingness to negotiate payment amounts.

The joint advisory estimated that BlackSuit affiliated threat actors have demanded over $500 million in ransom payments since the rebrand, with the largest single ransom totalling $60 million.

Speaking to ITPro, David Sancho, senior threat researcher at Trend Micro noted that threat groups often undergo rebrands to help obfuscate how their operation works.

“There could be many motives, but usually rebrands are used either as a way of getting around law enforcement and government initiatives or to revamp their affiliate program and attract new affiliates. For the first reason (getting around government/ LEA actions), law enforcement agencies usually have open investigations on some of the most notorious groups,” he explained.

“Changing operations, names and MOs can be confusing to open investigations and could help criminals get off target, even if only temporarily. For the second (revamp affiliate program), if the criminals are having a hard time finding affiliates that spread their ransomware, starting with a clean slate under a new name can help them get an impulse in their affiliate program and try to get rid of a tainted reputation.”