Royal ransomware successor BlackSuit has demanded more than $500 million
The hackers behind a notorious ransomware operation that shut down the city of Dallas last year have fully rebranded as a new group and have already demanded more than $500 million in ransoms.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) updated a previous advisory on the Royal ransomware operation to confirm longstanding reports that the group now calls itself “BlackSuit” and continues to issue exorbitant ransom demands — some of which have reached as high as $60 million.
The additions to the advisory include troves of new technical information designed to help defenders detect the activity of the group, which operated as Royal ransomware from September 2022 to July 2023 and has called itself BlackSuit since then.
The group drew law enforcement interest last summer with the attack on Dallas, which damaged the city’s emergency services, courts and government. In November, the FBI and CISA warned that Royal was already transitioning to the “BlackSuit” branding in attacks. Wednesday’s update confirms that all of the actor’s new attacks — including some as recent as July — bear the new name.
“Ransom demands have typically ranged from approximately $1 million to $10 million, with payment demanded in Bitcoin,” the agencies said. “BlackSuit actors have exhibited a willingness to negotiate payment amounts.”
The agencies linked the hackers behind the two groups based on “numerous coding similarities” but noted that BlackSuit has “exhibited improved capabilities.”
The hackers continue to use phishing emails as their most successful attack vector for initial access before disabling antivirus software, exfiltrating large amounts of data and deploying ransomware.
The agencies noted there has been a recent uptick in attacks where victims “received telephonic or email communications from BlackSuit actors regarding the compromise and ransom.”
A recent report from the cybersecurity firm Sophos showed several ransomware gangs are now using this tactic as a new method of pressuring victims to pay ransoms.
Multiple hospitals and businesses have reported ransomware gangs contacting patients and customers with threats related to data stolen or accessed during attacks.
Sophos Field CTO Chester Wisniewski told Recorded Future News at the Black Hat cybersecurity conference that years ago ransomware gangs thought media coverage of attacks would promote a sense of fear among victims. But in the last year, groups have shifted toward contacting customers and patients directly as a new pressure tactic.
Wisniewski argued that the tactic has largely not worked, with most companies deciding whether or not to pay ransoms for more practical reasons like business downtime and regulatory concerns.
Cyber hygiene wakeup
Much of the new technical data on BlackSuit comes from FBI threat response incidents as of July 2024.
Hackers typically use legitimate tools to move laterally around victim systems, and in at least one case used legitimate accounts to remotely log in to a system.
They have used access to those accounts to deactivate antivirus software and used remote monitoring and management software to maintain access in victim networks. The advisory includes a sample ransom note seen by some victims.
The report also includes IP addresses that the FBI and CISA believe should be “investigated or vetted by organizations prior to taking action, such as blocking.”
BlackSuit has taken responsibility for several recent attacks on U.S. grade schools and colleges as well as prominent companies and local governments.
At the Black Hat conference, CISA director Jen Easterly said ransomware attacks specifically are forcing organizations to make cybersecurity a priority.
“I spend a lot of time with CEOs and boards so I have increasingly seen that there is a greater awareness of the importance of cyber hygiene,” she said. “Because of ransomware attacks, people are waking up to the idea of ‘what do I need to do to protect my family and my community?’”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.