CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago.
This new information was shared as an update to a joint advisory published in March 2023, which says the BlackSuit gang has been active since September 2022.
However, this private group is believed to be a direct successor of the notorious Conti cybercrime syndicate and started as Quantum ransomware in January 2022.
While they initially used other gangs’ encryptors (like ALPHV/BlackCat), likely to avoid drawing unwanted attention, they deployed their own Zeon encryptor soon after and rebranded to Royal in September 2022.
After attacking the City of Dallas, Texas, in June 2023, the Royal ransomware operation began testing a new encryptor called BlackSuit amid rebranding rumors. Since then, they have been operating under the BlackSuit name, and Royal ransomware attacks have stopped altogether.
“BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities,” the FBI and CISA confirmed in a Wednesday update to their original advisory.
“Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million.”
In March 2023 and a subsequent November 2023 advisory update, the two agencies shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders block the gang’s attempts to deploy ransomware on their networks.
CISA and the FBI also linked the BlackSuit gang to attacks against over 350 organizations since September 2022 and at least $275 million in ransom demands.
The joint advisory was first issued after the Department of Health and Human Services (HHS) security team revealed in December 2022 that the ransomware operation was behind multiple attacks targeting healthcare organizations across the United States.
Most recently, multiple sources told BleepingComputer that the BlackSuit ransomware gang was behind a massive CDK Global IT outage that disrupted operations at over 15,000 car dealerships across North America.
This widespread outage after last month’s attack forced CDK to shut down its IT systems and data centers to contain the incident, and it forced car dealerships to switch to pen and paper, making it impossible for buyers to purchase cars or receive service for already-bought vehicles.