Related Families: Royal
BlackSuit ransomware targets both Windows and Linux systems and bears a striking resemblance to Royal ransomware.
- BlackSuit is a ransomware family that targets both Windows and Linux systems.
- BlackSuit is very similar to Royal ransomware.
- The Linux variants of Royal and BlackSuit share 98% similarity in functions, 99.5% in basic blocks, and 98.9% in jumps, according to a BinDiff comparison.
- The 32-bit Windows variants of BlackSuit and Royal share 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps, according to BinDiff.
- Both families use OpenSSL's AES implementation for file encryption and apply similar intermittent (partial-file) encryption techniques.
What is BlackSuit?
Trend Micro recently reported on BlackSuit ransomware, which bears similarities to Royal ransomware. PolySwarm previously reported on the Windows and Linux variants of Royal. Like Royal, BlackSuit is known to target both Windows and Linux systems.
Linux Variant Similarities
Notably, the YARA rules written for the Linux variant of BlackSuit also match samples of the Royal Linux variant, so a hit on one of those rules should not by itself be treated as attribution to either family. Trend Micro researchers stated that Royal and BlackSuit share 98% similarity in functions, 99.5% in basic blocks, and 98.9% in jumps, according to a BinDiff comparison. While BlackSuit accepts command-line arguments that function similarly to Royal's, the argument strings themselves differ, and BlackSuit accepts additional arguments not found in Royal. Those argument strings are therefore a more reliable way to tell the two apart than a rule match alone.
Windows Variant Similarities
For the 32-bit Windows variants of BlackSuit and Royal, Trend Micro researchers noted 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps, according to BinDiff. As with the Linux variants, the Windows builds use different argument strings, but the arguments serve similar purposes.
BlackSuit and Royal both use OpenSSL's AES implementation for file encryption and apply similar intermittent encryption techniques, encrypting only portions of each file so that a large victim file system can be rendered unusable quickly. After encrypting files on a victim machine, BlackSuit appends the .blacksuit extension to each encrypted file and drops its ransom note. The note lists the group's Tor chat site and a unique ID for each victim. BlackSuit operators run a leak site and follow a double extortion model, demanding payment both to decrypt files and to withhold stolen data from publication.
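The page does not specify how much of each file BlackSuit or Royal encrypts, so the following is an added, illustrative example and not code from either family or from Trend Micro: it encrypts the first 1,024 bytes of every 4,096-byte window with AES-256-CTR (the window sizes, the fixed key and IV, and the sample file contents are assumptions made for the demo) and then measures Shannon entropy per window, which is the kind of check a responder can use to confirm that a file was only partially encrypted rather than wholly. Go's standard library is used instead of OpenSSL so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
)

// Illustrative parameters (assumed for this example, not BlackSuit's real values):
// encrypt the first EncLen bytes of every Stride-byte window of the file.
const (
	Stride = 4096
	EncLen = 1024
)

// IntermittentXOR applies AES-256-CTR to the first encLen bytes of each stride-sized
// window and leaves the remaining bytes untouched. Because CTR is symmetric, calling
// it again with the same key, IV and parameters restores the plaintext.
func IntermittentXOR(key, iv, data []byte, encLen, stride int) ([]byte, error) {
	if encLen <= 0 || stride <= 0 || encLen > stride {
		return nil, fmt.Errorf("invalid chunking: encLen=%d stride=%d", encLen, stride)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCTR(block, iv)
	out := make([]byte, len(data))
	copy(out, data)
	for off := 0; off < len(out); off += stride {
		end := off + encLen
		if end > len(out) {
			end = len(out)
		}
		// In-place XOR with the keystream; untouched bytes between windows stay plaintext.
		stream.XORKeyStream(out[off:end], out[off:end])
	}
	return out, nil
}

// ChunkEntropy returns the Shannon entropy (bits per byte) of each chunk-sized window.
// Whole-file entropy hides intermittent encryption; per-window entropy exposes it.
func ChunkEntropy(data []byte, chunk int) []float64 {
	var result []float64
	for off := 0; off < len(data); off += chunk {
		end := off + chunk
		if end > len(data) {
			end = len(data)
		}
		var counts [256]int
		for _, b := range data[off:end] {
			counts[b]++
		}
		n := float64(end - off)
		h := 0.0
		for _, c := range counts {
			if c > 0 {
				p := float64(c) / n
				h -= p * math.Log2(p)
			}
		}
		result = append(result, h)
	}
	return result
}

// SampleFile is constructed, low-entropy "victim" data for the demo: three strides of text.
func SampleFile() []byte {
	line := []byte("The quick brown fox jumps over the lazy dog. ")
	return bytes.Repeat(line, 3*Stride/len(line)+1)[:3*Stride]
}

// SampleKey and SampleIV are fixed demo values; real ransomware generates them per file.
func SampleKey() []byte { return bytes.Repeat([]byte{0x42}, 32) }
func SampleIV() []byte  { return bytes.Repeat([]byte{0x01}, aes.BlockSize) }

func main() {
	plain := SampleFile()
	enc, err := IntermittentXOR(SampleKey(), SampleIV(), plain, EncLen, Stride)
	if err != nil {
		panic(err)
	}
	for i, h := range ChunkEntropy(enc, EncLen) {
		fmt.Printf("chunk %2d (offset %6d): entropy %.2f bits/byte\n", i, i*EncLen, h)
	}
	dec, _ := IntermittentXOR(SampleKey(), SampleIV(), enc, EncLen, Stride)
	fmt.Println("round-trip ok:", bytes.Equal(dec, plain))
}
```

Running it prints near-8-bit entropy for chunks 0, 4 and 8 and text-like entropy (around 4.5 bits) for the rest. The practical consequences for triage are that partially encrypted files can still carry recoverable content in the untouched regions, and that any detection built on file entropy must sample windows rather than compute one value over the whole file.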
PolySwarm has multiple samples of BlackSuit.
You can use the following CLI command to search for all BlackSuit samples in our portal:
$ polyswarm link list -f BlackSuit