HC3 TLP Clear Analyst Note Blacksuit Ransomeware November 6, 2023

Executive Summary

A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector. Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today. Both Royal and the now defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly. What follows is an overview of the potential new group, possible connections to other threat actors, an analysis of its ransomware attacks, its target industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defense and mitigations against the group.

Overview

BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a compromised network. So far, the specific use of BlackSuit ransomware has been observed in a small number of attacks. The most recent suspected attack, in October 2023, was against a U.S.-based HPH organization whose servers and systems were encrypted with malware, tentatively identified as BlackSuit. One cybersecurity company also documented at least three attacks involving the BlackSuit encryptor, with ransoms below $1 million. Another company annotated at least five attacks in the manufacturing, business technology, business retail, and government sectors spanning the United States, Canada, Brazil, and the United Kingdom. With only a small number of victims, the ransomware gang is considered more infamous for their purported connections to the more profilic Royal ransomware family. If their connection is confirmed, it would augment BlackSuit as a threat actor to be closely watched in the near future.