Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label BlackSuit. Show all posts
Royal Ransomware
Advisory BlackSuit BleepingComputer CISA Cyber Attacks FBI ransomware attacks Ransomware group Royal Ransomware

FBI and CISA Reveals: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed a network breach conducted by the ‘Royal ransomware gang’ that has targeted nearly 350 organizations globally since 2022. 

Giving further details of the original advisory published in March, in the information acquired during the FBI investigation, the agencies noted that the ransomware campaign was connected to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared their initial indicators of an apparent compromise, along with a list of tactics, methods, and procedures (TTPs), in order to assist defenders in identifying and thwarting attempts to deploy Royal ransomware payloads onto their networks.

The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.

While it was anticipated that the Royal ransomware operation would rebrand in May, during the course of the BlackSuit ransomware operation, the rebranding never happened. 

According to a report published by BleepingCompter in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor, similar to the operation’s conventional encryptor. 

At the time, Partner and Head of Research and Development at RedSense – Yelisey Bohuslavskiy believed that this experiment did not in fact go well.

However, since then, Royal was able to rebrand into BlackSuit and restructure into a more centralized business, following the same blueprint as Team 2 (Conti2) when they were a member of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Read more »
Royal Ransomware
BlackSuit Cyber Security cyber theft Ransomware Gang Royal Ransomware

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of their strategy to evade detection and evade the repercussions of their illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.
Read more »
Subscribe to: Posts (Atom)