New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal

June 3, 2023 | Ravi Lakshmanan | Endpoint Security / Linux

An analysis of a Linux variant of a new ransomware strain called BlackSuit reveals important similarities to another ransomware family called Royal.

Trend Micro, which examined an x64 VMware ESXi build targeting Linux machines, said it found “an extremely high degree of similarity” between Royal and BlackSuit.

“In fact, they were nearly identical, with 98% function similarity, 99.5% block similarity, and 98.9% jump similarity based on BinDiff, a binary file comparison tool,” Trend Micro researchers said.

A comparison of the Windows artifacts likewise showed 93.2% similarity for functions, 99.3% for basic blocks, and 98.4% for jumps, again based on BinDiff.

BlackSuit first came to light in early May 2023, when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts.

Like other ransomware groups, it runs a double extortion scheme: sensitive data is stolen from compromised networks and then encrypted, and the victim is pressured to pay to recover access and to prevent a leak. Data belonging to one victim has been listed on its dark web leak site.

The latest findings from Trend Micro show that both BlackSuit and Royal use OpenSSL’s AES for encryption and employ similar intermittent encryption techniques, encrypting only portions of each file to speed up the process.
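The following is an added illustration of what intermittent encryption looks like on disk and why it matters for detection; it is not code from Royal, BlackSuit or Trend Micro, and the chunk sizes (encrypt 1024 bytes, skip 3072) are assumptions, since the article does not give the families' real parameters. The keystream is an HMAC-SHA256 counter construction standing in for OpenSSL AES-CTR so the block runs on the standard library alone; the chunking and the per-chunk entropy check are the point.

```python
"""Intermittent (partial) file encryption of the kind Royal/BlackSuit use.

Added example, not code from either ransomware family. The cipher is an
HMAC-SHA256 counter-mode keystream standing in for OpenSSL AES-CTR.
"""
import hashlib
import hmac
import math
from collections import Counter

# Assumed layout: encrypt ENC_LEN bytes, leave SKIP_LEN bytes untouched, repeat.
# The real Royal/BlackSuit chunk sizes and ratios are not given in the article.
ENC_LEN = 1024
SKIP_LEN = 3072


def keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Counter-mode keystream (HMAC-SHA256 stand-in for AES-CTR).

    Keyed by absolute file offset, so any encrypted region can be decrypted
    on its own given its position; no state from earlier regions is needed.
    """
    block = 32                      # one HMAC-SHA256 digest per counter value
    first = offset // block
    last = (offset + length - 1) // block
    out = bytearray()
    for ctr in range(first, last + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    start = offset - first * block
    return bytes(out[start:start + length])


def intermittent_xcrypt(data: bytes, key: bytes, nonce: bytes,
                        enc_len: int = ENC_LEN, skip_len: int = SKIP_LEN) -> bytes:
    """Encrypt enc_len bytes, skip skip_len bytes, repeat until EOF.

    XOR with a keystream is symmetric, so the same call also decrypts.
    """
    out = bytearray(data)
    pos = 0
    while pos < len(data):
        end = min(pos + enc_len, len(data))
        ks = keystream(key, nonce, pos, end - pos)
        for i in range(pos, end):
            out[i] ^= ks[i - pos]
        pos = end + skip_len        # jump over the untouched region
    return bytes(out)


def encrypted_ranges(total: int, enc_len: int = ENC_LEN, skip_len: int = SKIP_LEN):
    """Byte ranges the scheme modifies (useful when estimating what is recoverable)."""
    ranges = []
    pos = 0
    while pos < total:
        end = min(pos + enc_len, total)
        ranges.append((pos, end))
        pos = end + skip_len
    return ranges


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(buf: bytes, chunk: int = ENC_LEN):
    """Entropy per chunk. Intermittent encryption shows as alternating high/low
    values; a single whole-file entropy threshold averages that pattern away."""
    return [shannon_entropy(buf[i:i + chunk]) for i in range(0, len(buf), chunk)]


# Constructed sample input: a 16 KiB low-entropy "document" and a throwaway key.
SAMPLE = (b"Quarterly revenue report, do not distribute. " * 400)[:16384]
KEY = hashlib.sha256(b"example-key-for-illustration-only").digest()
NONCE = b"\x00" * 8

if __name__ == "__main__":
    ct = intermittent_xcrypt(SAMPLE, KEY, NONCE)
    print("encrypted ranges:", encrypted_ranges(len(SAMPLE)))
    print("whole-file entropy:", round(shannon_entropy(ct), 2))
    print("per-chunk entropy:", [round(e, 2) for e in chunk_entropies(ct)])
    assert intermittent_xcrypt(ct, KEY, NONCE) == SAMPLE
```

With these assumed parameters only a quarter of each file is touched, which is why the technique is fast and why the untouched regions remain readable in forensics; on the detection side, per-chunk entropy (or a count of high-entropy chunks per file) catches the pattern that a whole-file entropy threshold can miss.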

Similarities aside, BlackSuit adds command-line arguments not present in Royal and skips a different list of file extensions during enumeration and encryption.

“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family,” Trend Micro said.

Given that Royal is an outgrowth of the former Conti team, the cybersecurity firm theorizes that it is also possible that “BlackSuit emerged from a schism within the original Royal ransomware gang.”

This development once again highlights how the ransomware ecosystem is in constant flux, with new threat actors emerging and tweaking existing tools to generate illicit profits.


This includes a new Ransomware-as-a-Service (RaaS) operation codenamed NoEscape, whose operators and affiliates, according to Cyble, use a triple extortion technique to maximize the impact of their attacks.

Triple extortion is a three-pronged approach that combines data exfiltration and encryption with a distributed denial-of-service (DDoS) attack against the target, disrupting its business to force a ransom payment.

The DDoS service is available for an additional fee of $500,000, per Cyble, and the operators impose conditions prohibiting affiliates from targeting organizations located in Commonwealth of Independent States (CIS) countries.
