The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation’s usual encryptor.
Royal launched in January 2023, believed to be the direct successor to the notorious Conti operation, which shut down in June 2022.
This group is a private ransomware operation comprised of pentesters, affiliates from ‘Conti Team 1,’ and affiliates they recruited from other enterprise-targeting ransomware gangs.
Since its launch, Royal Ransomware has become one of the most active operations, responsible for numerous attacks on the enterprise.
Royal begins testing BlackSuit
Since late April, there have been rumbles that the Royal ransomware operation was getting ready to rebrand under a new name. This escalated further after they began to feel pressure from law enforcement after they attacked the City of Dallas, Texas.
A new BlackSuit ransomware operation was discovered in May that used its own branded encryptor and Tor negotiation sites. It was believed that this was the ransomware operation that the Royal ransomware group would rebrand into.
However, a rebrand never occurred, and Royal is still actively attacking the enterprise while using BlackSuit in limited attacks.
“Royal: The direct heir of Conti, comprising over 60 pentesters either from Conti’s “Old Guard” or recruited from various elite ransomware groups. Operating in small teams of 4-5 individuals, they remain loyal to their leaders: the Admin and Chief Engineer,” Yelisey Bohuslavskiy, Partner and Head of R&D at RedSense, posted on LinkedIn.
“The group employs Royal and BlackSuit lockers, with Emotet and IcedID as precursors. They prioritize alternatives to CobaltStrike, particularly Sliver, and develop custom precursor loaders.”
Bohuslavskiy further told BleepingComputer its possible that Royal is simply testing a new encryptor, as they have been with other tools used by the group, including a new loader, IcedID, and a revitalizing of Emotet.
“They keep improving Emoted to try to revitalize it, and are working on IcedID a lot. Their experiments with new lockers are natural in this sense.” explained Bohuslavskiy.
“I believe we may see more things like blacksuit soon. But so far, it seems that both the new loader and the new Blacksuit locker were a failed experiment.”
As BlackSuit is a self-contained operation, it’s possible Royal is planning on launching a subgroup focused on certain types of victims, or it’s being saved for a rebrand later.
However, a rebrand would no longer make sense, as a recent report by Trend Micro has shown clear similarities between the BlackSuit and Royal Ransomware encryptors, making it hard to convince anyone that they are a new ransomware operation.
These similarities include command line arguments, code similarities, file exclusions, and similar intermittent encryption techniques.
While it’s unclear how BlackSuit will be used, the ransomware is actively being used in a small number of attacks.
BleepingComputer is aware of at least three attacks where the BlackSuit encryptor was used, with ransoms, so far, under $1 million.
Currently, the operation has one victim listed on their data leak site, but that could quickly change if the new encryptor was more heavily used.
At this time, we will have to wait and see if BlackSuit is, in fact, a failed experiment or the beginning of a new subgroup like Conti had with Diavol.
Whatever it turns out to be, network defenders should know that this new operation is backed by Royal, who have proved to have expertise in breaching networks or deploying their encryptors.