BlackSuit ransomware shows striking similarities to Royal ransomware across Linux and Windows variants, including ESXi targets, ransom notes with TOR links, and nearly identical encryption behavior. The analysis also highlights shared and unique command-line arguments, a data-leak site, and multi-layered defenses recommended to mitigate such threats. #BlackSuit #RoyalRansomware
Keypoints
- BlackSuit aligns closely with Royal ransomware, with 98% similarity in functions, 99.5% in blocks, and 98.9% in jumps (BinDiff).
- BlackSuit targets both Windows and Linux (including an x64 ESXi Linux variant) and uses a two-pronged extortion strategy including a data leak site.
- Linux variant comparisons show BlackSuit and Royal share many command-line arguments, with BlackSuit introducing new args (e.g., -name) and differences in usage.
- Encryption uses OpenSSL AES with intermittent encryption, file-size rounding, and a 41-byte header, with an appended .blacksuit extension for encrypted files.
- BlackSuit and Royal skip specific file extensions and filenames to avoid encrypting critical or system files, and they can encrypt network shares when instructed.
- Windows variant shows high similarity to Royal Win32, while introducing new arguments such as -delete and -list, plus a self-deleting mechanism in some cases.
MITRE Techniques
- [T1059] Command-Line Interface – The analysis found that BlackSuit accepts command-line arguments to govern its behavior, showing usage of various switches. Quote: “Our analysis found that BlackSuit accepts the following command-line arguments: …”
- [T1486] Data Encrypted for Impact – The binaries use OpenSSL’s AES for encryption and employ intermittent encryption to accelerate encryption of files. Quote: “The binaries for both BlackSuit and Royal use OpenSSL’s AES for encryption and employ similar intermittent encryption techniques to accelerate the encryption of the victim’s files.”
- [T1547.001] Modify Boot or Logon Initialization Data – The -disablesafeboot argument removes safeboot from BCD and triggers a restart. Quote: “If -disablesafeboot is passed as an argument, it removes the ‘safeboot’ value from the current boot entry in the Boot Configuration Data (BCD) and performs an immediate system restart…”
- [T1490] Inhibit System Recovery – The ransomware deletes shadow copies to hinder recovery. Quote: “"%System%bcdedit.exe" /deletevalue {current} safeboot
shutdown.exe /r /t 0”
- [T1041] Exfiltration Over C2 Channel – The operators set up a data leak site as part of extortion. Quote: “data leak site as part of their two-pronged extortion strategy to coerce victims into paying the ransom demand”
- [T1021.002] Remote Services: SMB/Windows Admin Shares – The Linux/Windows variants encrypt network shares when instructed (e.g., -network) and check local IP ranges to avoid encrypting non-local systems. Quote: “When encrypting network shares using the -network argument, BlackSuit will check if the IP address begins with the following numbers to ensure that it is encrypting local systems:”
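The two-command sequence quoted under T1547.001 and T1490 above (bcdedit removing the safeboot value from the current BCD entry, then an immediate restart) is a compact detection opportunity for defenders. The following Python is an added example, not code from the original analysis: it scans constructed process-creation records, flags any host where `bcdedit /deletevalue {current} safeboot` runs, and escalates the finding when a `shutdown /r /t 0` follows on the same host within a short window. The event tuple layout, hostnames, parent images and timestamps are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (assumed layout, not from the
# original page): (ISO timestamp, host, parent image, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "ws01", "explorer.exe", "C:\\Windows\\System32\\bcdedit.exe /enum"),
    ("2024-05-01T10:00:05", "ws01", "update.exe",
     '"C:\\Windows\\System32\\bcdedit.exe" /deletevalue {current} safeboot'),
    ("2024-05-01T10:00:06", "ws01", "update.exe", "shutdown.exe /r /t 0"),
    ("2024-05-01T11:30:00", "srv02", "cmd.exe", "shutdown.exe /r /t 0"),
    ("2024-05-01T12:00:00", "ws03", "msiexec.exe", "bcdedit.exe /set {current} safeboot minimal"),
]

# bcdedit removing the safeboot value from the {current} boot entry. The optional
# quote after the image name tolerates quoted full paths such as "…\bcdedit.exe".
BCDEDIT_SAFEBOOT_RE = re.compile(
    r'bcdedit(?:\.exe)?"?\s+/deletevalue\s+\{current\}\s+safeboot\b', re.IGNORECASE)

# shutdown with both /r (restart) and /t 0 (no delay), in any flag order.
IMMEDIATE_REBOOT_RE = re.compile(
    r"shutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/t\s+0\b)", re.IGNORECASE)


def detect_safeboot_tamper(events, window_seconds=60):
    """Return one finding per safeboot-removal event.

    Severity is 'high' when an immediate restart follows on the same host within
    window_seconds (the sequence quoted in the analysis), otherwise 'medium'.
    """
    by_host = defaultdict(list)
    for ts, host, parent, cmdline in events:
        by_host[host].append((datetime.fromisoformat(ts), parent, cmdline))

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])  # events may arrive out of order
        for i, (ts, parent, cmd) in enumerate(evs):
            if not BCDEDIT_SAFEBOOT_RE.search(cmd):
                continue
            deadline = ts + timedelta(seconds=window_seconds)
            followed_by_reboot = any(
                IMMEDIATE_REBOOT_RE.search(later_cmd)
                for later_ts, _, later_cmd in evs[i + 1:]
                if later_ts <= deadline
            )
            reason = "safeboot value removed from {current} BCD entry"
            if followed_by_reboot:
                reason += " followed by immediate restart"
            findings.append({
                "host": host,
                "time": ts.isoformat(),
                "parent": parent,
                "technique": "T1547.001 / T1490",
                "severity": "high" if followed_by_reboot else "medium",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in detect_safeboot_tamper(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['time']} parent={f['parent']}: {f['reason']}")
```

Run against the constructed events, only ws01 is reported, at high severity: the `/set safeboot minimal` on ws03 is a legitimate configuration change and the lone restart on srv02 has no preceding BCD tampering. In a real pipeline the parent image (here `update.exe`) is worth surfacing, since the same parent issuing both commands is what ties the sequence to a single process.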
Indicators of Compromise
- [SHA256] – Example hashes and context – 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c, 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e, and 3 more hashes (as listed in the IOCs table)
- [Detection name] – Example detections associated with BLACKSUIT and ROYAL variants – Ransom.Win32.BLACKSUIT.THEODBC, Ransom.Linux.BLACKSUIT.THEODBC, Ransom.Win32.ROYAL.AA, Ransom.Win32.ROYAL.SMYECJYT, Ransom.Linux.ROYAL.THBOBBC