The notorious Royal hacker group has undergone a rebranding and now goes by the name BlackSuit. Since their rebranding, BlackSuit has already demanded over $500 million in ransom, with the largest individual ransom demand reaching $60 million. The FBI and CISA have recently updated their advisory on the group, formerly known as Royal and now operating as BlackSuit. The attackers originally went by Royal from September 2022 to July 2023 before changing their name to BlackSuit.
An analysis of the group's malware code has revealed striking similarities between the operations of Royal and BlackSuit, establishing a connection between the two entities. However, BlackSuit has shown significant advancements in its capabilities compared to its previous iteration as Royal. The primary method of initial access for these hackers remains phishing emails, followed by disabling antivirus software, exfiltrating large amounts of data, and deploying ransomware.
In recent incidents, victims have reported receiving threatening calls or emails from BlackSuit extortionists demanding ransom. According to data from Sophos, some ransomware groups, including BlackSuit, pressure victims and their customers by threatening to release sensitive data. Despite these tactics, companies tend to base their decisions on whether to pay a ransom more on practical concerns such as business downtime and regulatory obligations.
A recent technical report from the FBI has revealed that the hackers employed legitimate tools to move laterally within victim networks, often using valid user accounts for remote access. The cybercriminals have also been known to disable antivirus software and use remote monitoring and management (RMM) software to maintain access to their target networks.
BlackSuit has claimed responsibility for several high-profile attacks, including breaches at the major Japanese media conglomerate Kadokawa and the medical company Octapharma Plasma. Notably, BlackSuit also executed a cyberattack on the systems of the city of Dallas, impacting services provided by the police, firefighters, and courts. This resulted in manual record keeping for law enforcement and communication issues for the fire department.
In June, the tech company CDK Global fell victim to a ransomware attack by BlackSuit, causing a two-week disruption of the company's server operations. As a result of the attack, approximately 15,000 car dealers across the United States, including Asbury, AutoNation, Lithia, and Sonic, were affected by the halt in services and vehicle registrations. CDK Global ultimately paid $25 million in bitcoin to the extortionists to regain control of its systems and restore operations.