Background
BlackSuit is a ransomware operation that emerged in May 2023 as the successor and evolutionary continuation of the Royal ransomware group, which itself was a splinter of the former Conti operation. The FBI and CISA confirmed the Royal-to-BlackSuit transition in August 2024, when they updated their existing joint advisory on Royal ransomware to cover BlackSuit, assessing that BlackSuit actors are the same group previously operating Royal and that the BlackSuit encryptor shares substantial code with Royal while using new infrastructure.
The group has accumulated over $500 million in ransom demands since 2022 (spanning both Royal and BlackSuit periods), with individual demands reaching as high as $60 million. BlackSuit operates a full double-extortion model, exfiltrating data before encryption and threatening public release on their Tor-hosted leak site. The group selects targets across virtually all critical infrastructure sectors, with particular frequency in healthcare, education, manufacturing, and government.
BlackSuit maintains both Windows and Linux (VMware ESXi) encryptors, so a single intrusion can encrypt Windows hosts and the hypervisors running a victim's virtual machines. The group is not a ransomware-as-a-service (RaaS) operation and does not publicly recruit affiliates, operating instead as a closed threat actor group.
Notable Campaigns
CDK Global Attack (June 2024): BlackSuit compromised CDK Global, a software provider serving approximately 15,000 automotive dealerships across North America. The attack forced CDK to shut down its dealer management system (DMS) for nearly two weeks, halting vehicle sales and service operations at dealerships nationwide. CDK reportedly paid a $25 million ransom to restore operations. This attack demonstrated BlackSuit's willingness and capability to target critical supply-chain software providers.
Henry Schein (Late 2023): The group disrupted dental and medical supply company Henry Schein twice within a single incident: after the company restored from backups without paying, BlackSuit reportedly re-encrypted systems. The repeated attack highlighted the group's aggressive operational posture and its monitoring of victim recovery activities.
U.S. Hospital Campaign (2023-2024): BlackSuit targeted multiple hospital systems, leveraging both legacy Royal infrastructure and new BlackSuit tooling. The campaigns disrupted patient care scheduling, electronic health record access, and pharmacy operations at regional health systems.
Kansas City Area Transportation Authority (2024): The group compromised the regional transportation authority, exfiltrating employee data, financial records, and operational information, demonstrating interest in public-sector targets beyond traditional healthcare and education.
Tactics, Techniques & Procedures
BlackSuit operators gain initial access primarily through phishing campaigns (T1566.001) and exploitation of internet-facing vulnerabilities (T1190) in VPN appliances, RDP gateways, and web applications. The group also purchases access from initial access brokers active in their target sectors and abuses valid credentials (T1078) harvested through phishing or prior data breaches.
Post-access operations follow a structured playbook inherited from Royal: disable security software and monitoring using PCHunter and similar anti-rootkit tools, harvest credentials with Mimikatz, perform network reconnaissance, move laterally via RDP and pass-the-hash (T1550.002), identify and exfiltrate high-value data, then delete volume shadow copies and other backups (T1490) and deploy the encryptor. The group typically spends 2-4 weeks in victim environments before triggering encryption.
Data is exfiltrated to cloud storage services using RClone and MEGAsync before encryption. The BlackSuit encryptor targets both Windows file systems and VMware ESXi hypervisors, maximizing encryption impact across virtualized environments.
Tools & Malware
- BlackSuit Encryptor: Custom ransomware payload with Windows (x64) and Linux/ESXi variants. Derived from the Royal codebase with structural modifications to evade signature detection.
- Cobalt Strike: Primary post-exploitation framework for lateral movement, credential access, and command and control.
- SystemBC: SOCKS5 proxy malware used as a persistent backdoor and to anonymize C2 traffic.
- Mimikatz: Credential extraction tool targeting LSASS memory for password and hash harvesting.
- PCHunter: Kernel-level process and driver inspection tool used to disable endpoint security software.
- RClone / MEGAsync: Cloud sync tools used for bulk data exfiltration to attacker-controlled cloud storage prior to encryption.
Indicators & Detection
Detection should focus on behaviors consistent with the Royal/BlackSuit operational playbook. Monitor for PCHunter and similar anti-rootkit tool execution, which the group uses specifically to enumerate and terminate security software processes. Alert on Cobalt Strike beacon patterns and SystemBC's characteristic proxy traffic on non-standard ports.
Pre-encryption indicators include bulk file enumeration (T1083), shadow copy deletion (vssadmin delete shadows, and the equivalent wmic shadowcopy delete and bcdedit /set recoveryenabled no), and large outbound transfers to cloud services including MEGA. Monitor for RClone configuration files in temporary user directories, as these are left behind during data staging; also check RClone's default Windows location, %APPDATA%\rclone\rclone.conf, and the --config path in any rclone.exe command line. A single hit on any one of these is weak evidence (administrators run vssadmin, users install MEGAsync); the combination on one host of security-tool tampering, exfiltration tooling, and backup deletion is the signal to treat as an active intrusion.
For VMware environments, monitor ESXi host logs (including /var/log/auth.log for SSH logins) for unauthorized logins and the creation or modification of VM configuration files. Keep the SSH service on ESXi hosts disabled unless it is actively needed, and implement network segmentation between ESXi management interfaces and general corporate networks so that a successful hypervisor login from a workstation subnet is itself an alertable event. Require MFA for all remote access including VPN, RDP gateways, and hypervisor management consoles to impede the group's credential-based access methods.
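The checks described above for the Windows pre-encryption chain and for ESXi logins, run over constructed sample log lines as an added example (this is editorial example code, not tooling from the advisory or from the threat actor). The flattened key=value process-creation format, the OpenSSH-style ESXi auth.log lines, the host names, users and IP addresses, and the management subnet 10.10.20.0/24 are all assumptions made for the example; the GMER and PowerTool names are included as anti-rootkit tools similar to PCHunter and are likewise an assumption rather than something the page states.

```python
"""Hunt for Royal/BlackSuit-style pre-encryption behaviour.

Added example with constructed sample data; not tooling from the page's sources
or from the threat actor. Log shapes are assumptions (flattened key=value
process-creation events, OpenSSH-style ESXi auth.log lines).
"""
import ipaddress
import re

# Constructed process-creation events (assumed flattened key=value form).
WINDOWS_EVENTS = [
    'ts=2024-06-18T01:02:11Z host=FS01 user=CORP\\backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2024-06-18T01:02:40Z host=FS01 user=CORP\\backupsvc image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'ts=2024-06-18T00:15:03Z host=WS117 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\PCHunter64.exe cmdline="PCHunter64.exe"',
    'ts=2024-06-17T22:48:10Z host=WS117 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe cmdline="rclone.exe copy --config C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.conf E:\\Finance mega:staging"',
    'ts=2024-06-17T09:00:00Z host=WS042 user=CORP\\asmith image=C:\\Users\\asmith\\AppData\\Local\\MEGAsync\\MEGAsync.exe cmdline="MEGAsync.exe"',
    'ts=2024-06-17T09:01:00Z host=WS042 user=CORP\\asmith image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
]

# Constructed ESXi /var/log/auth.log lines (OpenSSH-style format assumed).
ESXI_AUTH_LOG = [
    "2024-06-18T01:10:02Z esx01 sshd[2103321]: Accepted keyboard-interactive/pam for root from 10.10.20.5 port 50214 ssh2",
    "2024-06-18T01:11:40Z esx01 sshd[2103390]: Accepted keyboard-interactive/pam for root from 172.16.44.31 port 61002 ssh2",
    "2024-06-18T01:11:55Z esx01 sshd[2103391]: Failed keyboard-interactive/pam for invalid user admin from 172.16.44.31 port 61010 ssh2",
]
# Hypothetical management subnet that is allowed to SSH into ESXi hosts.
MGMT_NETS = [ipaddress.ip_network("10.10.20.0/24")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (rule name, event field to test, pattern). GMER and PowerTool are listed as
# anti-rootkit tools similar to PCHunter; treat that list as an assumption.
RULES = [
    ("shadow_copy_deletion", "cmdline",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no", re.I)),
    ("anti_rootkit_tool", "image",
     re.compile(r"\\(pchunter(64)?|gmer|powertool(64)?)\.exe$", re.I)),
    ("cloud_sync_tool", "image",
     re.compile(r"\\(rclone|megasync|megacmd)\.exe$", re.I)),
    ("rclone_config_in_user_dir", "cmdline",
     re.compile(r"(temp|appdata)\\\S*rclone\.conf", re.I)),
]


def parse_event(line):
    """Turn a flattened key=value event into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def scan_windows_events(lines):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule, field, pat in RULES:
            if pat.search(ev.get(field, "")):
                alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def correlate_hosts(alerts, min_distinct_rules=2):
    """Hosts where two or more different playbook stages fired. The combination
    (e.g. AV tampering plus exfil tooling) is a far stronger signal than any
    single hit, which may be a legitimate admin task or user sync client."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


ESXI_LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port"
)


def scan_esxi_auth(lines, mgmt_nets=MGMT_NETS):
    """Flag successful ESXi SSH logins from outside the management subnets."""
    alerts = []
    for line in lines:
        m = ESXI_LOGIN.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in mgmt_nets):
            alerts.append({"rule": "esxi_login_outside_mgmt", "host": m["host"],
                           "user": m["user"], "src": m["src"], "ts": m["ts"]})
    return alerts


if __name__ == "__main__":
    win = scan_windows_events(WINDOWS_EVENTS)
    for a in win:
        print(a)
    print("hosts with multi-stage activity:", correlate_hosts(win))
    for a in scan_esxi_auth(ESXI_AUTH_LOG):
        print(a)
```

On the sample data, FS01 fires only the backup-deletion rule (twice) and WS042 only the cloud-sync rule, so neither is escalated on its own; WS117 fires anti-rootkit, cloud-sync and rclone-config rules and is the one host correlate_hosts reports. The ESXi scan reports the root login from 172.16.44.31 and ignores the failed attempt and the login from the management subnet. In production the same rules would run over Sysmon event ID 1 or Security event ID 4688 fields and over ESXi syslog forwarded to the SIEM, with the correlation window bounded in time.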