Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. Read on for the full report.
A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of a strategy to evade detection and escape the repercussions of their illicit activities.

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings point strongly to a direct connection or shared origin between the two entities.