
New BlackSuit Ransomware Exhibits Striking Similarities With Royal

Researchers have discovered a new ransomware family called BlackSuit, which can target both Windows and Linux systems. What makes this ransomware interesting is how closely it resembles the notorious Royal ransomware, which suggests that it may be a new affiliate or a reuse of Royal's source code.

More about BlackSuit

Trend Micro researchers have released a detailed report after analyzing a Windows 32-bit version and an ESXi 64-bit version of BlackSuit.
  • The ransomware appends the file extension .blacksuit to encrypted files and leaves a ransom note that includes information about the attack, a unique ID for the victim, and a TOR chat site link for communication.
  • Additionally, the malware operators run a data leak site where they post stolen data if a victim does not pay the ransom. As of now, though, the leak site lists just a single victim.

Comparison with Royal ransomware

While analyzing BlackSuit's Linux sample, researchers discovered that the YARA rule created for this variant also matches samples of the Royal ransomware. Further digging revealed that the two families share many similarities.
  • BlackSuit supports the use of several command-line arguments, which are similar to those used by Royal. However, BlackSuit includes some additional arguments not present in Royal.
  • Both families use comparable intermittent encryption techniques, including OpenSSL's AES encryption algorithm and similar file-size thresholds and formulas for deciding how much of a file to encrypt.
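Two of the observations above are directly useful to a responder: the .blacksuit extension is a file-system indicator that can be swept for, and intermittent encryption leaves alternating encrypted and plaintext regions that a per-chunk entropy profile makes visible, which matters because a tool that checks only a file's header may miss a partially encrypted file. The following triage helper, an added example that is not from the Cyware article or Trend Micro's report, sweeps a directory for the extension and classifies each hit as fully, intermittently, or not encrypted. The chunk size, the entropy threshold, and the sample files it builds are constructed assumptions for illustration, not values taken from the malware; random bytes stand in for ciphertext and no encryption is performed.

```python
"""Triage helper for a BlackSuit-style incident: sweep a directory for files
carrying the .blacksuit extension reported in the article, then profile each
hit with per-chunk Shannon entropy to see whether it looks fully or
intermittently encrypted.

Added example, not code from the article or from Trend Micro. CHUNK_SIZE,
HIGH_ENTROPY and the sample tree are assumptions chosen for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

BLACKSUIT_EXT = ".blacksuit"   # extension stated in the article
CHUNK_SIZE = 4096              # assumption: analysis window, not a malware parameter
HIGH_ENTROPY = 7.0             # assumption: bits/byte above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, ~8.0 for ciphertext)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_profile(path: Path, chunk_size: int = CHUNK_SIZE) -> list:
    """Return the entropy of each fixed-size chunk of a file, in file order."""
    profile = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            profile.append(shannon_entropy(chunk))
    return profile


def classify(profile: list, threshold: float = HIGH_ENTROPY) -> str:
    """Label a file from its chunk entropies.

    'full'         every chunk looks encrypted
    'intermittent' a mix of encrypted-looking and plain chunks (the pattern the
                   article attributes to both BlackSuit and Royal)
    'plain'        no chunk looks encrypted
    """
    if not profile:
        return "plain"
    high = sum(1 for e in profile if e >= threshold)
    if high == len(profile):
        return "full"
    if high == 0:
        return "plain"
    return "intermittent"


def sweep(root: Path) -> dict:
    """Find *.blacksuit files under root and classify each by entropy profile."""
    hits = {}
    for path in root.rglob("*" + BLACKSUIT_EXT):
        if path.is_file():
            hits[path.name] = classify(entropy_profile(path))
    return hits


def build_sample_tree() -> Path:
    """Construct a throwaway directory that mimics a partially hit file share.

    os.urandom output stands in for ciphertext; nothing is encrypted here.
    Sizes line up with CHUNK_SIZE so each chunk is purely plain or purely random.
    """
    root = Path(tempfile.mkdtemp(prefix="blacksuit-triage-"))
    text = (b"quarterly report - constructed sample text\n" * 100)[:CHUNK_SIZE]
    (root / "notes.txt").write_bytes(text * 4)                            # untouched file
    (root / "small.pdf.blacksuit").write_bytes(os.urandom(CHUNK_SIZE * 2))  # fully encrypted
    mixed = os.urandom(CHUNK_SIZE) + text + os.urandom(CHUNK_SIZE) + text   # intermittent
    (root / "big.vmdk.blacksuit").write_bytes(mixed)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, verdict in sorted(sweep(sample_root).items()):
        print(f"{name}: {verdict}")
```

On a real share you would point `sweep()` at the mount point and feed the result into your case notes; the `intermittent` verdict is the one that explains why a file with a readable header can still be unrecoverable without the key.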

Supporting statistics

  • When comparing the source code used in the 64-bit samples of the two malware, there is a 98% similarity in used functions, 98.9% in BinDiff-based jump statements, and 99.5% in blocks.
  • Similarly, a comparison of the code used in 32-bit samples exhibits 99.3% resemblance in basic blocks, 93.2% in used functions, and 98.4% in jumps based on BinDiff.

The bottom line

Although BlackSuit has not publicly acknowledged any connection with the Royal ransomware, researchers suspect it to be either a new variant developed by the same malware authors or a copycat group using Royal's code under its own branding. In either case, organizations must treat BlackSuit as one more threat on the other side of their defense lines, which calls for greater vigilance in protecting sensitive data.
Publisher: Cyware