From Royal to BlackSuit: How a Ransomware Rebrand Reshaped Them
Jan. 27, 2025, 2:28 p.m.
Description
This intelligence report analyzes the evolution of the Russian-speaking ransomware group Royal as it rebranded to BlackSuit. The transition involved a shift in emphasis from data exfiltration toward encryption. The group's trajectory from 2022 to 2025 is detailed, including its tactics, tools, and internal struggles. BlackSuit's toolkit is examined in depth, covering both proprietary malware and commercial tools. The report highlights the group's sophisticated approach, including the development of custom command-and-control frameworks and the use of advanced information stealers. The rebranding process revealed critical characteristics of the group and shaped its subsequent campaigns.
Tags
Date
- Created: Jan. 27, 2025, 2:18 p.m.
- Published: Jan. 27, 2025, 2:18 p.m.
- Modified: Jan. 27, 2025, 2:28 p.m.
Indicators
- ab893e68e5c5555df464d483bc92f0c1a37c9d411015b91646fc2dbca578ab4f
- de9b3c01991e357a349083f0db6af3e782f15e981e2bf0a16ba618252585923a
- 88.119.175.124
- 79.132.129.137
- 85.239.54.214
- 79.141.162.131
- jekkymacros@xmpp.jp
- germanbuss@proton.me
Attack Patterns
- Dagon
- Conti - S0575
- Geodo
- Emotet - S0367
- Royal - S1073
- TSPY_TRICKLOAD
- Ryuk - S0446
- Totbrick
- TrickBot - S0266
- QuackBot
- Pinkslipbot
- QakBot - S0650
- BlackCat - S1068
- Noberus
- BlackSuit
- Akira
- ALPHV
- Quantum
- AresLoader
- HIVE
- Lumma
- QBot
- LockBit
- Anubis
- Cobalt Strike - S0154
- Network Share Discovery - T1135
- Virtualization/Sandbox Evasion - T1497
- Account Discovery - T1087
- Data from Local System - T1005
- Remote Services - T1021
- Data Encrypted for Impact - T1486
- System Network Configuration Discovery - T1016
- Application Layer Protocol - T1071
- Process Injection - T1055
- Exploitation of Remote Services - T1210
- Network Service Discovery - T1046
- Access Token Manipulation - T1134
- User Execution - T1204
- Obfuscated Files or Information - T1027
- Phishing - T1566
- Exploit Public-Facing Application - T1190
- Valid Accounts - T1078
- OS Credential Dumping - T1003
- Command and Scripting Interpreter - T1059
Additional Information
- Technology
- Government
- United States of America