Analysis by cybersecurity firm Trend Micro has revealed that there is a significant similarity between the newly discovered Linux version of the extortion software known as Blacksuit and Royal – another family of extortionists. Researchers have found that there is a 98% similarity between the two programs, suggesting that they share the same code base, functions, and encryption tactics. For instance, both programs use AES Opensl for encryption and have similar intermittent encryption methods to speed up the process. The emergence of the Blacksuit program also suggests that it could be either a new program developed by the same authors or an imitator using a similar code or a branch of the Royal extortion gang that has been modified. This underlines the constant development of the extortion community as new participants come up with innovative ways to modify existing tools.
Blacksuit was discovered in May this year when Palo Alto Networks’ Unit 42 identified the software’s ability to attack both Linux and host computers. Like other ransomware attacks, the operators of both Blacksuit and Royal use a double extortion scheme, where confidential data is first abducted and then encrypted, before demanding a ransom to restore or delete it. The news report suggests that given Royal’s provenance and history, Blacksuit is likely to have originated from a broken branch of the same group.
The development highlights the constantly evolving landscape of the extortion community, with new industry participants emerging and modifying existing tools for maximum effect. This trend is also evident in the case of the Noescape ransomware-as-a-service (RAAS) model. According to researchers at Cyble, Noescape attackers use triple extortion methods – combining classical exploitation and encryption of data with DDOS attacks – to compel victims to pay a ransom. Triple extortion attacks completely destroy the victim’s ability to conduct business, forcing them to give in to the attackers’ demands.