BlackSuit Ransomware
Last Updated: June 13th, 2025 | 19 min read | Categories: Cybersecurity, Data Exfiltration, Ransomware

BlackSuit ransomware group is a relatively new cyberthreat making headlines for its sophisticated attacks and elusive operators.

First spotted in spring 2023, BlackSuit is essentially a rebrand of the infamous Royal ransomware family. Like Royal, it follows a double-extortion playbook, infiltrating networks, stealing sensitive data, then encrypting files and threatening to leak the data if victims don’t pay up.

This strain has already claimed dozens of victims worldwide (over 90 by mid-2024) and demands multi-million dollar ransoms per attack. Below, we break down what BlackSuit is, how it operates, who might be behind it, and what you should do if you find yourself in its crosshairs.

What is BlackSuit Ransomware?

BlackSuit is a ransomware strain that emerged around April–May 2023. It’s best understood as an evolution of Royal ransomware, sharing much of the same code and tactics, but under a new name. The ransomware is run as a private operation, meaning that, unlike ransomware-as-a-service (RaaS) models, BlackSuit doesn’t publicly recruit affiliates.

Instead, a close-knit group of cybercriminals manages the entire attack chain. Once BlackSuit operators infiltrate a victim network, they exfiltrate data and then encrypt systems, holding both the confidentiality and the availability of the victim’s data hostage.

BlackSuit’s victims range from large enterprises to mid-sized businesses, across many industries.

  • Education
  • Government
  • Healthcare
  • Construction
  • Manufacturing
  • IT firms

Notably, like many Eastern European ransomware groups, BlackSuit avoids attacking entities in CIS countries (former Soviet states), which may hint at the operators’ origins. Otherwise the group pursues any organization it deems profitable, typically demanding ransom payments between $1 million and $10 million per incident. Victims are directed to a dark web portal or chat to negotiate; if they refuse to pay, BlackSuit’s operators threaten to leak the stolen data on a public shaming site.

How BlackSuit Ransomware Works: Attack Lifecycle

[Figure: BlackSuit attack lifecycle]

BlackSuit attacks unfold in several stages. Understanding this lifecycle can help defenders spot and stop the threat early:

1. Initial Infection and Exploitation

Attackers usually gain their initial foothold through tried-and-true methods: phishing, compromised or brute-forced remote-access credentials (RDP, VPN), or exploitation of exposed, unpatched services. In many cases the chain starts with a phishing email carrying a malicious attachment or link. The email does not deliver the ransomware binary itself; that is deployed by hand later, once the operators have a foothold. The group has also been observed using post-exploitation frameworks such as Cobalt Strike Beacon or Metasploit on already compromised networks to stage and execute the ransomware payload.

In some instances, even malicious torrent files have served as the infection vector. Once inside, the operators exploit unpatched vulnerabilities or weak credentials to deepen their hold. Strong, unique passwords (with multi-factor authentication on every remote-access path) and prompt security patch management close the most common entry points.

2. Lateral Movement and Data Exfiltration

After the initial breach, BlackSuit operators work to escalate privileges and spread across the victim’s network. They lean on living-off-the-land (LotL) techniques and built-in tools (PowerShell, WMIC, PsExec, RDP) so that their activity blends in with routine administration, and they use credential-dumping tools such as Mimikatz to harvest the accounts that make lateral movement possible. Many advanced ransomware groups operate in a style similar to APT (advanced persistent threat) actors, quietly mapping out network shares, Active Directory, and sensitive systems. BlackSuit is no exception: the attackers carefully identify high-value servers, backup infrastructure, and data stores.

Before the encryptor is deployed, they siphon off gigabytes of confidential data (data exfiltration) to servers under their control. This stolen data becomes the leverage for cyberextortion: the attackers threaten to publish it on the dark web if the ransom isn’t paid. The dark web cybercrime economy also plays a role at this stage. Initial network access or administrator credentials are often bought from underground brokers, and any stolen data may later be monetized through clandestine marketplaces if the victim refuses to pay.

3. Encryption and Ransom Demand

With the data in hand, the attackers execute the ransomware across the network. BlackSuit’s payload is built for speed and thoroughness. It uses the OpenSSL library’s AES (Advanced Encryption Standard) implementation, combined with intermittent encryption: the encryptor runs multiple threads and, for larger files, encrypts only portions of each file. That is enough to destroy headers and structure, so files are unusable even though some of their bytes remain in plaintext, and it lets the payload encrypt thousands of files on local and networked drives within minutes. It also targets virtual infrastructure: the Linux/ESXi build accepts a -killvm command-line switch that shuts down running VMware ESXi virtual machines so their disk files can be encrypted, extending the attack to private cloud servers. During this onslaught, BlackSuit also tries to defeat easy recovery by deleting volume shadow copies on Windows (via vssadmin), so local restore points are gone before anyone notices.

After encryption, every affected directory contains a ransom note named “README.BlackSuit.txt” with instructions. (On Linux/ESXi targets, the note name is lowercase “README.blacksuit.txt”.) Encrypted files carry an appended .blacksuit extension. The ransom note demands payment (usually in Bitcoin or Monero) and provides a link or contact for a negotiation portal on Tor. At this stage, the victim organization faces an urgent crisis: systems are down, and its sensitive data is in enemy hands. The attackers apply psychological pressure, imposing short deadlines, threatening to double the ransom, or contacting the victim’s partners or the media, a form of cyberextortion that goes beyond the encryption itself.

BlackSuit Ransomware’s Supply Chain

Who exactly is behind BlackSuit, and how do they orchestrate such attacks? Cyberthreat intelligence teams have been studying this group’s underground footprint. Palo Alto Networks’ Unit 42, for example, tracks the BlackSuit actors under the codename “Ignoble Scorpius.”

According to their analysis, since rebranding from Royal to BlackSuit the crew has hit at least 93 organizations globally. Unlike open RaaS affiliate programs, Ignoble Scorpius appears to be a tighter unit without public affiliates. That doesn’t mean it works in isolation: it relies on the broader cybercrime ecosystem for access, tooling, and cash-out.

In practice, the BlackSuit operation involves multiple players along a cybercrime supply chain. There are likely:

  • Initial access brokers who sell stolen VPN credentials or RDP logins
  • Developers of malware tools and exploit kits
  • Crypto laundering services and mixers on the dark web

This coordination shows a level of sophistication; BlackSuit’s operators manage logistics much like a business – with divisions for hacking, data handling, negotiations, and money laundering.

Some intelligence suggests possible links to established Eastern European cybercrime circles or even corrupt insiders, but concrete evidence is scarce. What is clear is that BlackSuit is financially motivated and depends on a dark web economy that supplies the needed tools, stolen-data markets, and money-laundering channels.

Underground Forums and Leaked Chats: How Deals Are Made

Insights into BlackSuit’s operation have also come from underground forums and leaked chats. Ransomware crews often need to buy and sell access or services, and they communicate on hidden forums (often on Tor or invite-only boards). In BlackSuit’s case, investigators have observed chatter where hackers:

  • Advertise network access to high-value companies
  • Sell custom exploits or malware components

In some instances, ransom negotiation leaks have provided a window into BlackSuit’s extortion process. For example, if a victim refuses to pay and communications break down, the threat actors sometimes publish the negotiation chat screenshots on their leak site as a form of shaming. Such leaks (from BlackSuit or similar groups) show the psychological tactics used:

  • Outrageous demands
  • Room for haggling
  • Constant pressure with threats of data leaks or reputational harm

They may threaten to reach out to the victim’s clients or regulators to maximize pressure, a practice known as triple extortion in the ransomware world. All these dealings show that a ransomware attack is not a lone-hacker event but an organized crime operation with a support infrastructure.

Inside the BlackSuit Code: A (Brief) Technical Deep Dive

On the technical front, BlackSuit is deliberately designed to evade ransomware detection. Reverse engineering reveals heavy use of obfuscation and stealth: the binary is often packed to frustrate antivirus scanning, and it kills security and backup processes it encounters (for instance, stopping backup services and attempting to stop endpoint security agents and EDR sensors).

BlackSuit’s code shows cross-platform capabilities, with payloads for both Windows and Linux environments. Notably, it can target VMware ESXi servers (common in enterprise data centers) by using the -killvm command-line switch to terminate running virtual machines before encrypting their virtual disks. This indicates the attackers specifically aim to cripple infrastructure, including cloud or virtualized servers, not just standard PCs.

The ransomware uses strong, standard cryptography. For file content it employs AES-256 via OpenSSL, a trusted (and fast) implementation. To make decryption impossible without the operators’ cooperation, BlackSuit most likely wraps each file’s AES key with an RSA public key embedded in the binary (a common hybrid scheme), so that only the holder of the matching private key, the attackers, can recover the file keys. Intermittent encryption (encrypting only parts of large files) is an efficiency tactic: it speeds the process up while still rendering the files unusable, and as a side effect it keeps the overall entropy of an encrypted file lower than full encryption would, which can blunt simple entropy-based ransomware detection.
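The hybrid scheme described in this paragraph and in the encryption section above, shown as an added example in Go; this is not BlackSuit’s code and is not derived from its samples. It generates a fresh AES-256 key per file, applies AES-CTR to alternating chunks (intermittent encryption), and wraps the file key with the operators’ RSA public key using RSA-OAEP so that only the private key can unwrap it. The chunk sizes, the OAEP padding, the footer layout, the key size and the sample document are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Chunk layout for the demo's intermittent encryption: assumed values for
// illustration, not BlackSuit's real parameters.
const (
	encChunk  = 64 * 1024 // bytes encrypted at the start of each period
	skipChunk = 64 * 1024 // bytes left in plaintext before the next period
)

// EncryptedFile is what a payload would write back to disk: the partially
// encrypted body plus a footer carrying the RSA-wrapped file key and nonce.
type EncryptedFile struct {
	Body, WrappedKey, Nonce []byte
}

// NewOperatorKey generates the operators' RSA keypair; the private half never
// leaves them, which is the whole point of the scheme.
func NewOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// applyIntermittent runs AES-CTR keystream over alternating chunks of data.
// CTR mode is its own inverse, so the same routine encrypts and decrypts.
func applyIntermittent(block cipher.Block, nonce, data []byte) []byte {
	out := append([]byte(nil), data...)
	stream := cipher.NewCTR(block, nonce)
	for off := 0; off < len(out); off += encChunk + skipChunk {
		end := off + encChunk
		if end > len(out) {
			end = len(out)
		}
		stream.XORKeyStream(out[off:end], out[off:end])
		// out[end : off+encChunk+skipChunk] is deliberately left in plaintext.
	}
	return out
}

// Encrypt models the ransomware side, which needs only the operators' public
// key: a fresh 256-bit key and 128-bit nonce per file, the body encrypted
// intermittently, then the file key wrapped with RSA-OAEP for the footer.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	secrets := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(secrets); err != nil {
		return nil, err
	}
	fileKey, nonce := secrets[:32], secrets[32:]
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{applyIntermittent(block, nonce, plaintext), wrapped, nonce}, nil
}

// Decrypt models the operators' decryptor. Without the RSA private key the
// wrapped file key cannot be recovered, and therefore neither can the body.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	return applyIntermittent(block, ef.Nonce, ef.Body), nil
}

// EncryptedFraction reports the share of body bytes that differ from the
// plaintext, i.e. how little of a file intermittent encryption touches.
func EncryptedFraction(plain, body []byte) float64 {
	changed := 0
	for i := range plain {
		if plain[i] != body[i] {
			changed++
		}
	}
	return float64(changed) / float64(len(plain))
}

// SamplePlaintext is a constructed 256 KiB "document" with a recognisable header.
func SamplePlaintext() []byte {
	line := []byte("%PDF-1.7 constructed sample invoice line for the demo\n")
	return bytes.Repeat(line, 256*1024/len(line)+1)[:256*1024]
}

func main() {
	priv, err := NewOperatorKey()
	if err != nil {
		panic(err)
	}
	plain := SamplePlaintext()
	ef, err := Encrypt(&priv.PublicKey, plain)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(priv, ef)
	fmt.Printf("bytes changed: %.1f%%, header intact: %v, private key restores file: %v\n",
		100*EncryptedFraction(plain, ef.Body), bytes.Equal(plain[:8], ef.Body[:8]),
		err == nil && bytes.Equal(got, plain))
}
```

Running it shows that roughly half of the bytes changed, that the file header did not survive, and that only the private key restores the document. The lesson for responders follows directly from the design: on disk the file key exists only in wrapped form, so there is nothing to brute-force; the only place an unwrapped key ever exists on the victim side is the memory of the running encryptor, which is one reason to capture memory from a live host before powering it off.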

During analysis, researchers also noted BlackSuit’s multi-threaded approach and aggressive file system scanning, which together allow it to encrypt data extremely quickly across all connected drives. In one report, the ransomware was observed initiating encryption within seconds of execution and completing its file-locking across a corporate network in just a few minutes.

Ransomware indicators of compromise (IOCs) associated with BlackSuit include:

  • The unique file extension “.blacksuit” added to encrypted files
  • The ransom note filenames mentioned earlier
  • In some cases, the ransomware might also change the desktop wallpaper or leave other fingerprints

These IOCs, along with sample hashes and the operators’ TTPs (tactics, techniques, and procedures), have been catalogued by cybersecurity teams and government advisories to aid detection. So far no weakness in BlackSuit’s encryption scheme is publicly known, so victims cannot decrypt files for free: they must restore from backups, rebuild, or consider paying.
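A small hunt script for the indicators listed above and for the behaviours described in the encryption section (shadow-copy deletion on Windows, the -killvm switch on ESXi), written in Go as an added example; it is not from the original article or from any vendor tooling. The directory tree and the log lines it scans are constructed inline so it runs offline; the log formats (Windows 4688-style and auditd-style) and the encryptor name in the auditd line are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one IOC hit: which indicator fired and where.
type Finding struct {
	Kind   string // encrypted-file, ransom-note, shadow-copy-deletion, esxi-killvm
	Source string // file path or the log line that matched
}

// File-system indicators from the article: the .blacksuit extension and the
// ransom note names used on Windows (mixed case) and Linux/ESXi (lower case).
const encryptedExt = ".blacksuit"

var ransomNotes = map[string]bool{"README.BlackSuit.txt": true, "README.blacksuit.txt": true}

// ScanTree walks root and reports encrypted files and ransom notes.
func ScanTree(root string) ([]Finding, error) {
	var found []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		switch name := d.Name(); {
		case ransomNotes[name]:
			found = append(found, Finding{Kind: "ransom-note", Source: p})
		case strings.HasSuffix(strings.ToLower(name), encryptedExt):
			found = append(found, Finding{Kind: "encrypted-file", Source: p})
		}
		return nil
	})
	return found, err
}

// ScanCommandLines flags shadow-copy deletion (vssadmin or WMIC) and the
// -killvm switch in process-creation records. Substring matching keeps it
// source-agnostic (Sysmon, Security 4688, auditd) at the cost of precision.
func ScanCommandLines(lines []string) []Finding {
	var found []Finding
	for _, raw := range lines {
		l := strings.ToLower(raw)
		switch {
		case strings.Contains(l, "vssadmin") && strings.Contains(l, "delete") && strings.Contains(l, "shadows"),
			strings.Contains(l, "wmic") && strings.Contains(l, "shadowcopy") && strings.Contains(l, "delete"):
			found = append(found, Finding{Kind: "shadow-copy-deletion", Source: raw})
		case strings.Contains(l, "-killvm"):
			found = append(found, Finding{Kind: "esxi-killvm", Source: raw})
		}
	}
	return found
}

// SampleLogs are constructed process-creation records, not real telemetry.
var SampleLogs = []string{
	`EventID=4688 NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"`,
	`EventID=4688 NewProcessName=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"`,
	`EventID=4688 NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\todo.txt"`,
	`type=EXECVE a0="./encryptor" a1="/vmfs/volumes" a2="-killvm"`,
}

// BuildSample lays out a throwaway tree that looks like a share after an
// attack (constructed names), so the scanner can be exercised offline.
func BuildSample(root string) error {
	files := map[string]string{
		"finance/Q3-forecast.xlsx.blacksuit": "ciphertext placeholder",
		"finance/README.BlackSuit.txt":       "constructed ransom note (Windows share)",
		"vmfs/vm01-flat.vmdk.blacksuit":      "ciphertext placeholder",
		"vmfs/README.blacksuit.txt":          "constructed ransom note (ESXi datastore)",
		"hr/handbook.docx":                   "untouched document",
	}
	for rel, body := range files {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "blacksuit-ioc-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSample(root); err != nil {
		panic(err)
	}
	hits, err := ScanTree(root)
	if err != nil {
		panic(err)
	}
	for _, f := range append(hits, ScanCommandLines(SampleLogs)...) {
		fmt.Printf("%-21s %s\n", f.Kind, f.Source)
	}
}
```

In practice, point ScanTree at a mounted share or datastore and feed ScanCommandLines the command-line field of a SIEM export. The matching is deliberately loose: legitimate backup software also runs vssadmin, so treat a shadow-copy-deletion hit as a triage trigger to correlate with other activity on the host, not as a verdict on its own.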

The thoroughness of BlackSuit’s code (e.g. its ability to shut down VMs and delete shadow copies) shows a level of preparation that hints at continuous development. Some analysts suspect the ransomware may have undocumented features or dormant “sleeper” functions that could be activated in future versions, potentially to counter new defenses or adopt new cyberextortion techniques.

Predictive Analysis: How BlackSuit Ransomware May Evolve

Looking ahead, we expect BlackSuit to continue evolving. One area of speculation is the incorporation of AI-driven tactics. We may see ransomware operators leveraging AI to:

  • Automate target selection (scanning the internet for vulnerable systems faster)
  • Craft more convincing phishing lures
  • Even dynamically adjust malware behavior to evade detection (e.g., using machine learning to bypass security filters)

On the defensive side, AI is also being deployed to detect anomalies and predict ransomware behavior – a cat-and-mouse game that will only intensify. BlackSuit’s operators have thus far shown adaptability, so it’s conceivable they will experiment with AI-generated phishing emails or AI-assisted network mapping to speed up their attacks.

Another looming development is the impact of quantum computing on ransomware. Today BlackSuit relies on standard algorithms (AES for file content, RSA for key wrapping) that are considered secure against classical computers. A sufficiently large quantum computer could break the asymmetric algorithms (RSA, ECDH) that ransomware uses to protect its per-file keys, which might let law enforcement or victims recover the wrapped keys from encrypted files without paying; AES-256 itself would remain safe, since Grover’s algorithm only halves its effective key length. This scenario is likely still years away, but it could dramatically tilt the balance, and ransomware groups might preemptively switch to quantum-resistant algorithms once those are widely available, to future-proof their operations.

On the law enforcement front, there is a concerted global effort quietly underway to counter ransomware gangs like BlackSuit. International task forces have been formed to improve information sharing and coordinate takedowns. We’ve seen some success stories:

  • Arrests of affiliates
  • Seizure of servers
  • Sanctions on cryptocurrency addresses

All of these disrupt ransomware supply chains. Agencies such as the FBI and Europol are actively tracking BlackSuit’s activities, and intelligence from private cybersecurity firms is being used to map the group’s infrastructure. While BlackSuit’s core operators remain at large, increased scrutiny means they must continuously adapt or risk capture. Law enforcement is also pushing for better cyberthreat intelligence sharing and for organizations to report incidents promptly, rather than quietly paying ransoms.

The hope is that by cracking down on cryptocurrency laundering and rogue hosting providers (and by making ransomware less lucrative) groups like BlackSuit will eventually be dismantled or deterred. In the near term, however, BlackSuit is expected to remain a threat, possibly splintering into new variants or rebranding again if pressure gets too high.

What to Do If You’re a Victim of BlackSuit Ransomware

Facing a BlackSuit ransomware attack is a nightmare scenario, but there are steps you can take to respond effectively and mitigate the damage. Here’s what to do if you find your systems encrypted by BlackSuit:

1. Immediate Response Steps

Isolate and contain the attack as quickly as possible. The moment you discover ransomware on your network, disconnect affected machines from the network (pull the Ethernet cable, disable Wi-Fi, or quarantine the host through your EDR) to stop the ransomware from spreading further. Prefer isolation to powering off: a shutdown destroys volatile evidence (running processes, network connections, and possibly encryption keys still in memory), so reserve powering down for systems you cannot disconnect any other way. Next, contact your internal incident response team if you have one, and engage external cybersecurity experts who specialize in ransomware; time is of the essence.

It’s also useful to notify law enforcement authorities early. In the US, for example, organizations can reach out to their local FBI field office or CISA. Reporting an incident not only helps potentially with investigation, but authorities may provide guidance and coordinate efforts (and it contributes to threat intelligence for stopping the attackers). Avoid the temptation to immediately wipe or restore machines; preserve evidence (like ransom notes, malware files, logs) as this can help investigators and potentially aid in developing a decryption solution in the future.

2. Decryption and Recovery Options

Evaluate your options for restoring data. If you have reliable backups that were not reachable from the network during the attack (offline, immutable, or offsite copies), start recovery once the ransomware and the attackers’ persistence have been removed, ideally by rebuilding affected hosts from known-good images rather than cleaning them in place. This is the safest route to getting back in business without funding criminals. Unfortunately, BlackSuit deliberately deletes shadow copies and encrypts any backups it can reach over the network, so your backups need to be isolated from production credentials and networks. If backups are unavailable or were also encrypted, you face a difficult choice: whether to engage with the attackers at all.

Cybersecurity experts and authorities generally advise against paying the ransom as there’s no guarantee you’ll get your data back, and it fuels the ransomware economy. However, some victims in bad situations do negotiate payment as a last resort. If you do enter negotiations, it’s wise to use professional ransomware negotiators who understand the process and can try to reduce the amount. Keep in mind paying might also carry legal ramifications if the group is under sanctions. Exhaust all other avenues first: sometimes data can be rebuilt from other sources, or partial decryption tools emerge if flaws in the ransomware are later found (currently none are known for BlackSuit).

3. Legal and Regulatory Considerations

A BlackSuit incident usually constitutes a data breach because of the exfiltration step, which means you may have legal obligations to notify regulators and affected individuals. In Europe, for instance, GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach, and notifying the affected individuals where the risk to them is high; in the U.S., state breach-notification laws impose their own deadlines. Sector-specific rules apply too: healthcare breaches may trigger HIPAA notifications, and financial services have their own guidelines.

It’s important to loop in your legal/compliance team early to handle these notifications properly. Additionally, consider that communications with the attackers (and any ransom payment) might need to be reported to law enforcement; in some jurisdictions, governments are considering or have implemented requirements to disclose ransom payments. Engage law enforcement and provide them with indicators (Bitcoin wallet addresses, ransom notes, malware samples) as this can assist broader efforts to track and dismantle the group.

After the immediate crisis, work on an incident response report and update your cybersecurity posture. Investigate thoroughly how BlackSuit entered your network – was it a phishing email, an unpatched server, stolen credentials? – and address those gaps. Going forward, improve your defenses with measures like:

  • Improved email filtering
  • Endpoint detection and response (EDR) tools
  • Strict access controls (especially for remote access)
  • Frequent security training for staff

Regularly update and test your cyber incident response plan to ensure your team is ready for future threats. And of course, maintain offline, encrypted backups as a cornerstone of ransomware mitigation and recovery.

Take Your Next Steps With BlackFog

Ransomware like BlackSuit is growing more advanced, so your defense strategy needs to keep up. BlackFog’s AI-powered anti data exfiltration technology automatically blocks threats before they can exfiltrate your data. Using real-time threat detection, endpoint protection, and behavior tracking, BlackFog helps you stay ahead of serious threats like BlackSuit. Want to boost your ransomware protection? Learn more at BlackFog.com.
