Royal Ransomware Rebrands as BlackSuit – Warn FBI and CISA

The cybersecurity landscape is continuously evolving, with threat actors often changing tactics and branding to evade detection and expand their operations. A recent development in this arena involves the Royal ransomware gang. According to a joint advisory from the CISA and the FBI, this group has rebranded itself to BlackSuit.

Diving into details

The rebranding of cybercriminal groups indicates a broader trend in the cybercriminal world, where groups continuously evolve to avoid detection and countermeasures by law enforcement and cybersecurity experts.

  • Experts say the rebranding to BlackSuit marks a strategic shift in their operations. This change is not just in name but also reflects in their modus operandi, which includes advanced encryption methods and sophisticated attack vectors. 
  • The group’s primary method involves exploiting vulnerabilities in public-facing applications and remote desktop protocols. 
  • Once they gain access, they deploy ransomware to encrypt files and demand a ransom for decryption.

Where it started

According to the joint advisory, this transition was first noticed in November 2022. 

  • In June 2023, Royal ransomware added the BlackSuit encryptor to its tools. This gave rise to suspicions of its preparing for the rebrand. 
  • Comparisons of the source code showed a high level of similarity between BlackSuit and Royal.
  • While Royal has been launching attacks since June, BlackSuit has only been used recently against a few companies. 

The bottom line

The transformation of the Royal ransomware into BlackSuit is a significant development in the cybersecurity world. It highlights the ever-changing tactics of cybercriminals and the need for constant vigilance. To mitigate such threats, organizations must regularly update their security protocols, conduct frequent vulnerability assessments, and invest in employee training to recognize potential cyber threats.