
BlackSuit Ransomware

Written by The Hivemind | Jun 12, 2023 6:55:54 PM

Related Families: Royal

Executive Summary

BlackSuit ransomware targets both Windows and Linux systems and bears a striking resemblance to Royal ransomware.

Key Takeaways

  • BlackSuit is a ransomware family that targets both Windows and Linux systems.
  • BlackSuit is very similar to Royal ransomware.
  • The Linux variants of Royal and BlackSuit share 98% similarity in functions, 99.5% similarity in basic blocks, and 98.9% similarity in jumps according to the BinDiff comparison tool.
  • The 32-bit Windows variants of BlackSuit and Royal share 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% similarity in jumps according to BinDiff.
  • BlackSuit and Royal use OpenSSL’s AES for encryption and leverage similar intermittent encryption techniques.

What is BlackSuit?

Trend Micro recently reported on BlackSuit ransomware, which bears similarities to Royal ransomware. PolySwarm previously reported on the Windows and Linux variants of Royal. Like Royal, BlackSuit is known to target both Windows and Linux systems.

Linux Variant Similarities

Notably, the YARA rules written for the Linux variant of BlackSuit also match samples of the Royal Linux variant. Trend Micro researchers stated that Royal and BlackSuit share 98% similarity in functions, 99.5% similarity in basic blocks, and 98.9% similarity in jumps according to the BinDiff comparison tool. BlackSuit's command line arguments serve the same purposes as those used by Royal, but the argument strings themselves differ, and BlackSuit accepts additional arguments not found in Royal.

Windows Variant Similarities

For the 32-bit Windows variants of BlackSuit and Royal, Trend Micro researchers noted 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% similarity in jumps according to BinDiff. As on Linux, the Windows variants use different argument strings, but the arguments serve similar purposes.

Encryption

BlackSuit and Royal both use OpenSSL’s AES for encryption and employ similar intermittent encryption techniques, encrypting only portions of each file so that large volumes of victim data can be rendered unusable quickly. After encrypting files on a victim machine, BlackSuit appends the .blacksuit extension to each encrypted file and drops its ransom note. The ransom note lists the ransomware’s TOR chat site and a unique ID for each affected victim. BlackSuit threat actors operate a leak site and follow a double extortion model, demanding payment both to decrypt files and to withhold publication of stolen data.
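The following Python scanner is an added illustration, not code from the original post or from PolySwarm's tooling: it flags two artifacts described above, the .blacksuit extension and the interleaved high/low-entropy pattern that intermittent encryption leaves inside a partially encrypted file. The block size, entropy thresholds and sample data are assumptions constructed for the example.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096    # window over which entropy is measured (assumed)
HIGH_ENTROPY = 7.5   # bits/byte; AES output sits close to 8.0
LOW_ENTROPY = 6.0    # text and most structured formats sit well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block_size-byte window of data."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]

def looks_intermittently_encrypted(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """True when encrypted-looking (H) and plaintext-looking (L) windows are interleaved,
    the footprint of intermittent encryption. All-H or all-L files return False."""
    classes = []
    for e in block_entropies(data, block_size):
        classes.append("H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else "M")
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if {a, b} == {"H", "L"})
    return transitions >= 1

def assess(filename: str, data: bytes) -> list:
    """Indicators triggered for one file; an empty list means nothing matched."""
    hits = []
    if filename.lower().endswith(".blacksuit"):   # extension named in the report
        hits.append("blacksuit-extension")
    if looks_intermittently_encrypted(data):
        hits.append("intermittent-encryption")
    return hits

# Constructed sample data, not real samples: seeded random bytes stand in for AES output.
_rng = random.Random(20230612)
CIPHER_BLOCK = bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE))
TEXT_BLOCK = (b"Quarterly report, section 4: revenue by region. " * 100)[:BLOCK_SIZE]
PLAINTEXT_FILE = TEXT_BLOCK * 6                  # untouched document
ENCRYPTED_FILE = CIPHER_BLOCK * 6                # fully encrypted
PARTIAL_FILE = (CIPHER_BLOCK + TEXT_BLOCK) * 3   # alternating windows

if __name__ == "__main__":
    for name, blob in [("report.docx", PLAINTEXT_FILE),
                       ("report.docx.blacksuit", PARTIAL_FILE), ("archive.bin", ENCRYPTED_FILE)]:
        print(name, assess(name, blob))
```

A fully encrypted file deliberately does not trigger the intermittent check, so a separate all-high-entropy rule is needed if you also want to catch files encrypted end to end.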

IOCs

PolySwarm has multiple samples of BlackSuit.

1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e

b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c

You can use the following CLI command to search for all BlackSuit samples in our portal:

$ polyswarm link list -f BlackSuit

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports