Emulating the Elegant BlackSuit Ransomware


BlackSuit is an evolution of the Royal ransomware family active since at least May 2023, using phishing for initial access, extensive data exfiltration, a double-extortion model, and a configurable partial-encryption approach to speed encryption and reduce detection. AttackIQ released an emulation based on CISA and DFIR reporting to help organizations validate defenses against BlackSuit behaviors. #BlackSuit #Royal

Keypoints

  • BlackSuit is a direct evolution of the Royal ransomware family, active since at least May 2023 and sharing significant code-level similarities with Royal.
  • Phishing remains a primary initial access vector, followed by persistence, disabling security tooling, broad data exfiltration, and subsequent encryption under a double-extortion model.
  • Operators perform data theft prior to encryption and threaten publication via a Dedicated Leak Site (DLS), negotiating ransoms on a Tor-hosted (.onion) portal, with demands typically $1M–$10M per victim and cumulative demands exceeding $500M.
  • BlackSuit uses a partial encryption strategy that selectively encrypts a configurable percentage of each file (lower percentages for larger files) to speed encryption and reduce behavioral indicators.
  • Encryption routines use AES-256 in CTR mode for files and RSA-4096 for key encryption, and operators delete Volume Shadow Copies (vssadmin.exe) and enumerate drives and files prior to encryption.
  • AttackIQ released a behavioral emulation (based on CISA and DFIR reports) for their AEV platform to validate detection, prevention, and incident response against BlackSuit TTPs.
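The partial-encryption point above has a direct detection consequence: if only a configurable fraction of each file is rewritten, the whole-file entropy barely moves, so an entropy check has to work per chunk. The script below is an added example (not code from the AttackIQ post, the emulation, or the BlackSuit sample) that shows the difference on constructed input; CHUNK_SIZE, ENTROPY_THRESHOLD and the make_sample() helper are assumptions chosen for the demonstration, and make_sample() only overwrites bytes with seeded pseudo-random data to reproduce the entropy profile, no cipher is involved.

```python
"""Chunked-entropy scan for partially encrypted files.

Added example (not code from the AttackIQ post or the BlackSuit sample):
because only a fraction of each file is encrypted, whole-file entropy stays
close to the plaintext value, so the scan measures entropy per chunk instead.
CHUNK_SIZE, ENTROPY_THRESHOLD and make_sample() are assumptions for this demo.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096         # assumption: scan granularity in bytes
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte; random data ~7.95, English text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive chunk (the last chunk may be short)."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify a file body as plaintext, partially encrypted, or fully high-entropy.

    A mixed profile (some chunks above the threshold, some below) is the
    partial-encryption signature. All-high is either full encryption or simply
    a compressed/archived file, so it needs a second signal (e.g. magic bytes);
    all-low is plaintext.
    """
    ents = chunk_entropies(data, chunk_size)
    high = sum(1 for e in ents if e >= threshold)
    if not ents or high == 0:
        verdict = "plaintext"
    elif high == len(ents):
        verdict = "full_or_compressed"
    else:
        verdict = "partial"
    return {
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "high_entropy_chunks": high,
        "total_chunks": len(ents),
        "verdict": verdict,
    }


def make_sample(size: int, encrypted_fraction: float, seed: int = 7) -> bytes:
    """Constructed input: repetitive text with the leading fraction replaced by
    seeded pseudo-random bytes to mimic a partially encrypted file. No cipher
    is involved; this only reproduces the entropy profile."""
    rng = random.Random(seed)
    text = b"The quick brown fox jumps over the lazy dog. "
    plain = (text * (size // len(text) + 1))[:size]
    n = int(size * encrypted_fraction)
    noise = bytes(rng.getrandbits(8) for _ in range(n))
    return noise + plain[n:]


if __name__ == "__main__":
    for frac in (0.0, 0.25, 1.0):
        print(f"{int(frac * 100):3d}% encrypted -> {classify(make_sample(65536, frac))}")
```

Running the block prints the three profiles side by side: the 25% sample reports a whole-file entropy well below the random-data value while four of sixteen chunks sit above the threshold, which is exactly the case a single whole-file measurement would miss. In production the chunk verdict should be combined with file-type checks, since legitimate archives and media files are uniformly high-entropy.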

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Delivery of the BlackSuit sample to disk to test controls (‘BlackSuit Ransomware Sample (SHA256: 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c) is saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’)
  • [T1497] Debugger Detection – Malware checks for attached debuggers using native API calls (‘execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.’)
  • [T1082] System Information Discovery – Retrieves system information to profile the host (‘executes the GetNativeSystemInfo Native API call to retrieve information associated to the system.’)
  • [T1057] Process Discovery – Enumerates running processes via Windows APIs to discover active processes (‘uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.’)
  • [T1614] Enumerate System Locales / Locale Discovery – Infers geographic/regional context by enumerating and querying system locales (‘executes the EnumSystemLocalesW Windows API to enumerate the locales installed on or supported by the operating system.’ / ‘executes the GetLocaleInfoW Windows API to retrieve the user’s default country locale code from the system.’ / ‘executes the GetUserDefaultLCID Windows API to retrieve the user default locale ID from the system.’)
  • [T1490] Inhibit System Recovery – Removes Volume Shadow Copies to prevent recovery (‘deletion of existing Volume Shadow Copies through vssadmin.exe.’)
  • [T1680] Logical Drive Discovery – Enumerates logical drives to identify targets for encryption (‘executes the GetLogicalDriveStringsW Windows API to retrieve information regarding the system’s physical drives.’)
  • [T1083] File and Directory Discovery – Traverses the file system and enumerates files for encryption (‘performs filesystem traversal and file enumeration using FindFirstFileW and FindNextFileW.’)
  • [T1486] Data Encrypted for Impact (Ransomware) – Performs in-place file encryption using AES-256 CTR for files and RSA-4096 for key protection (‘encrypts the identified files using a combination of AES-256 in CTR mode for file encryption and RSA-4096 for key encryption.’)
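Of the techniques listed, the Volume Shadow Copy deletion (T1490) is the one most organizations can detect from ordinary process-creation telemetry, and it is worth validating that the rule matches on the normalized command line rather than on the image name alone, since the call may arrive wrapped in cmd.exe or with unusual casing and spacing. The following is an added example, not code from the AttackIQ post or its emulation: the log lines are constructed to resemble Sysmon Event ID 1 records exported as JSON (field names follow Sysmon's, all values are made up), and the regex, the parent-directory triage flag and the SAMPLE_LOG contents are assumptions for the demonstration.

```python
"""Detection logic for Volume Shadow Copy deletion via vssadmin.exe (T1490).

Added example for the 'Inhibit System Recovery' technique; not code from the
AttackIQ post or emulation. SAMPLE_LOG is constructed to look like Sysmon
Event ID 1 (process creation) records in JSON; the values are invented.
"""
import json
import re
from typing import Iterator

# Constructed sample telemetry (not real captures). One JSON object per line.
SAMPLE_LOG = r'''
{"EventId": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\admin"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "User": "CORP\\jdoe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"VSSADMIN delete shadows /for=C: /oldest\"", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"EventId": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5"}
'''

# Match "vssadmin[.exe] delete shadows" wherever it appears in the command line:
# at the start, after a path separator, after whitespace, or inside quotes.
# Case-insensitive because cmd.exe does not care about case either.
SHADOW_DELETE = re.compile(r'(?:^|[\\/\s"])vssadmin(?:\.exe)?\s+delete\s+shadows\b', re.IGNORECASE)

# Assumption for triage enrichment: a parent process living in a user-writable
# directory is a stronger signal than one under Windows or Program Files.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_shadow_copy_deletion(event: dict) -> bool:
    """True for a process-creation event whose command line deletes shadow copies."""
    if event.get("EventId") != 1:
        return False
    # Collapse runs of whitespace so "Delete  Shadows" still matches.
    cmd = " ".join(event.get("CommandLine", "").split())
    return SHADOW_DELETE.search(cmd) is not None


def find_shadow_copy_deletions(text: str) -> list[dict]:
    """Run the rule over a log export and return enriched alerts in log order."""
    alerts = []
    for ev in parse_events(text):
        if not is_shadow_copy_deletion(ev):
            continue
        parent = ev.get("ParentImage", "")
        alerts.append({
            "command": ev.get("CommandLine", ""),
            "parent": parent,
            "user": ev.get("User", ""),
            "parent_in_user_writable_dir": any(m in parent.lower() for m in USER_WRITABLE_MARKERS),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_deletions(SAMPLE_LOG):
        print(alert)
```

Against the constructed log the rule fires twice (the direct call and the cmd.exe-wrapped one) and stays quiet on `vssadmin.exe list shadows`, which is the usual benign administrative use. Backup agents do legitimately delete shadow copies, so the parent image and user are carried into the alert for triage rather than suppressed by a hard-coded allowlist.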

Indicators of Compromise

  • [File Hash] BlackSuit sample used in emulation and detection testing – SHA256: 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
  • [File Name] Utilities and samples observed or referenced in the attack/playbook – vssadmin.exe (used to delete Volume Shadow Copies), BlackSuit Ransomware Sample (saved to disk for testing)
  • [Domain / URL] Extortion and negotiation infrastructure – Tor-hosted (.onion) portal for victim negotiation and a Dedicated Leak Site (DLS) (no public .onion address or DLS URL provided)


Read more: https://www.attackiq.com/2026/01/20/emulating-blacksuit-ransomware/