Researchers have discovered a new ransomware family called BlackSuit that targets both Windows and Linux hosts. It shares strong similarities with the notorious Royal ransomware, which suggests that it is either a new Royal affiliate or a reuse of Royal's source code.
The findings are based on analysis of a Windows 32-bit build and an ESXi 64-bit build of BlackSuit. The malware appends the extension .blacksuit to encrypted files and drops a ransom note that describes the attack, contains a unique victim ID, and links to a TOR chat site for negotiation.
The operators run a data leak site where they publish stolen data if a victim does not pay the ransom; as of this writing, the site lists only a single victim.
BlackSuit's YARA rule also matches samples of the Royal ransomware, and further analysis revealed that the two families have many similarities.
BlackSuit accepts several command-line arguments, most of which are the same as Royal's, plus a few additional commands that are unique to it. Both families use comparable intermittent (partial) encryption techniques: both rely on OpenSSL's AES implementation and use similar formulas and thresholds when deciding how much of a file to encrypt based on its size.
A BinDiff comparison of the 64-bit samples of the two families shows 98% similarity in functions, 98.9% in jump statements, and 99.5% in basic blocks. The 32-bit samples show 99.3% similarity in basic blocks, 93.2% in functions, and 98.4% in jumps.
Although BlackSuit has not publicly acknowledged any connection to Royal, researchers suspect it is either a new variant developed by the same authors or a copycat group reusing Royal's code under its own branding.
This research was documented by researchers from Trend Micro.
Indicators of Compromise