The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that the infamous Royal ransomware has rebranded to BlackSuit, amassing over $500 million in ransom demands since its inception more than two years ago.

This announcement came as part of an update to a joint advisory initially released in March 2023, which identified the BlackSuit group’s activities starting in September 2022.

Originating as Quantum ransomware in January 2022, the group is believed to be a direct successor to the notorious Conti cybercrime syndicate. Initially, they utilized encryptors from other ransomware groups, such as ALPHV/BlackCat, to avoid detection. However, they soon developed their own Zeon encryptor and rebranded to Royal ransomware in September 2022.

Following a significant attack on the City of Dallas, Texas, in June 2023, rumors of a rebranding surfaced. The Royal ransomware operation then began testing a new encryptor called BlackSuit. Since then, the group has operated exclusively under the BlackSuit name, ceasing Royal ransomware attacks entirely.

Buy Me A Coffee

The FBI and CISA confirmed in their latest advisory update that “BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities.”

Ransom demands from the BlackSuit group have ranged between $1 million and $10 million, with payments requested in Bitcoin. Collectively, the group has demanded over $500 million in total ransom, with the highest individual demand being $60 million.

READ
MoneyGram Confirms Data Breach Exposing Sensitive Customer Information in September Cyberattack

The FBI and CISA have linked BlackSuit to attacks on over 350 organizations since September 2022, resulting in at least $275 million in ransom demands. Notably, these attacks have included multiple incidents targeting healthcare organizations across the United States, as revealed by the Department of Health and Human Services (HHS) in December 2022.

In a recent high-profile incident, BlackSuit ransomware was identified as the cause of a massive IT outage at CDK Global, affecting over 15,000 car dealerships across North America. The outage forced CDK to shut down its IT systems and data centers to contain the breach, leaving car dealerships unable to process purchases or provide services.

To combat these threats, the FBI and CISA continue to issue guidance and recommendations for organizations to bolster their defenses against BlackSuit ransomware attacks.