An analysis of the Linux variant of a new ransomware strain called BlackSuit has uncovered significant similarities with another ransomware family called Royal.
Trend Micro, which examined an x64 version of VMware ESXi targeting Linux machines, said it identified an “extremely high degree of similarity” between Royal and BlackSuit.
“In fact, they are almost identical, with 98% similarity in features, 99.5% similarity in blocks, and 98.9% similarity in jumps based on BinDiff, a comparison tool for binary files,” Trend Micro researchers noted.
A comparison of the Windows artifacts identified 93.2% similarity in features, 99.3% in basic blocks, and 98.4% in BinDiff-based jumps.
black dress first came to light in early May 2023, when Palo Alto Networks’ Unit 42 drew attention to its ability to target both Windows and Linux hosts.
In line with other ransomware groups, it runs a dual extortion scheme that steals and encrypts sensitive data on a compromised network in exchange for monetary compensation. Data associated with a single victim has been listed on his Dark Web Leaks site.
Trend Micro’s latest findings show that both BlackSuit and Royal use OpenSSL’s AES for encryption and use similar intermittent encryption techniques to speed up the encryption process.
Overlaps aside, BlackSuit incorporates additional command-line arguments and avoids a different list of files with specific extensions during enumeration and encryption.
“The appearance of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the authors themselves, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.” Trend Micro said.
Since Royal is an offshoot of Conti’s former team, it’s also possible that “BlackSuit grew out of a splinter group within the original Royal ransomware gang,” the cybersecurity company theorized.
The development again underscores the constant state of flux in the ransomware ecosystem, even as new threat actors emerge to modify existing tools and generate illicit profits.
🔐 Master API Security: Understand your true attack surface
Discover unexploited vulnerabilities in your API ecosystem and take proactive steps toward absolute security. Join our in-depth webinar!
Join the session
This includes a new ransomware-as-a-service (RaaS) initiative called NoEscape that Cyble says allows its operators and affiliates to leverage triple-extortion methods to maximize the impact of a successful attack.
Triple extortion refers to a three-pronged approach in which data exfiltration and encryption are coupled with distributed denial-of-service (DDoS) attacks against targets in an attempt to disrupt their business and force them to pay the ransom.
The DDoS service, by Cyble, is available for an additional fee of $500,000, with operators imposing conditions that prohibit affiliates from striking entities located in Commonwealth of Independent States (CIS) countries.
Ikaroa is keeping an eye on the latest cybersecurity threats, as a full-stack tech company that understands the importance of staying up to date on the latest threats to our customer’s data. Recently, cyber researchers have identified a new type of ransomware called BlackSuit, which is sharing similarities with an existing strain of malware called Royal.
The BlackSuit ransomware encrypts files on a victim’s computer using strong military-grade encryption that is nearly impossible to crack, only allowing a decryption key to decrypt the victim’s files. The new strain is even more sinister than the original, as it includes a double extortion attack – where the hacker demands two payments to unlock a victim’s system.
By comparison, Royal ransomware is a type of malware that also uses encryption techniques, but does not require a double payment. It was first found in 2019 and has been active since then.
The key takeaway from this development is that ransomware threats are constantly evolving, and cybercriminals are using new tactics to maximise their profits. Ikaroa works with its customers to help protect their data by providing the latest in security solutions. Educating users is another key component in combating ransomware, as well as training employees to recognize signs of potential attacks.
It is essential for customers to be vigilant against potential ransomware attacks. Ikaroa provides comprehensive cybersecurity solutions, from assessment to remediation, and continues to monitor for new ransomware and other malicious threats. Our team of cybersecurity experts can assist customers in developing an effective security strategy and respond quickly in the event of an attack.