CISA and FBI Give Advisory on BlackSuit Ransomware Gang
August 23, 2024
On August 7, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an updated advisory confirming the lineage of the ransomware gang BlackSuit. The group was formed in 2022 and has since demanded over $500 million from victims. This is largely a concern for cybersecurity sleuths, but in-house lawyers might want to know who they’re dealing with when considering whether to advise paying ransom.
As reported in BleepingComputer, the BlackSuit gang is believed to be a direct successor of the Conti cybercrime syndicate and started as Quantum ransomware in January 2022.
According to CISA and the FBI, BlackSuit has attacked more than 350 organizations since September 2022 and demanded a minimum of $275 million in ransom. Healthcare organizations are its target of choice, but it was behind the recent CDK Global IT outage that disrupted operations at over 15,000 car dealerships across North America.
Initially, the group used encryptors associated with other gangs to stay under the radar. In September 2022, it redeployed and rebranded as Royal.
A BleepingComputer article from that time noted that Royal was quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. According to the article, Royal differed from other ransomware operations because it did not operate as ransomware-as-a-service. It was a private group without affiliates.
Although it rebranded as BlackSuit in 2023, its ransomware is traceable to Royal. According to the CISA/FBI update, it continues to evolve and exhibit improved capability.
Its “ransom demands have typically ranged from approximately $1 million to $10 million, with payment demanded in Bitcoin. BlackSuit actors have demanded $500 million, and the largest individual ransom demand was $60 million.”
In March and November 2023 updates, the agencies shared indicators of compromise and tactics, techniques, and procedures to help organizations block BlackSuit attempts to deploy ransomware on corporate and other networks.