From Royal to BlackSuit: How a Ransomware Rebrand Reshaped Them

Jan. 27, 2025, 2:28 p.m.

Description

This intelligence report analyzes the evolution of the Russian-speaking ransomware group Royal as it rebranded to BlackSuit. The transition involved a shift from prioritizing data exfiltration to focusing more on encryption. The group's journey from 2022 to 2025 is detailed, including their tactics, tools, and internal struggles. BlackSuit's toolkit is extensively examined, featuring both proprietary malware and commercial tools. The report highlights the group's sophisticated approach, including the development of custom Command and Control frameworks and the use of advanced stealers. The rebranding process revealed critical characteristics of the group and shaped their future campaigns.

Date

  • Created: Jan. 27, 2025, 2:18 p.m.
  • Published: Jan. 27, 2025, 2:18 p.m.
  • Modified: Jan. 27, 2025, 2:28 p.m.

Indicators


Attack Patterns

  • Dagon
  • Conti - S0575
  • Geodo
  • Emotet - S0367
  • Royal - S1073
  • TSPY_TRICKLOAD
  • Ryuk - S0446
  • Totbrick
  • TrickBot - S0266
  • QuackBot
  • Pinkslipbot
  • QakBot - S0650
  • BlackCat - S1068
  • Noberus
  • BlackSuit
  • Akira
  • ALPHV
  • Quantum
  • AresLoader
  • HIVE
  • Lumma
  • QBot
  • LockBit
  • Anubis
  • Cobalt Strike - S0154
  • T1135
  • T1497
  • T1087
  • T1005
  • T1021
  • T1486
  • T1016
  • T1071
  • T1055
  • T1210
  • T1046
  • T1134
  • T1204
  • T1027
  • T1566
  • T1190
  • T1078
  • T1003
  • T1059

Additional Information

  • Technology
  • Government
  • United States of America