CISA Alert – Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Joint Advisory

The FBI and CISA recently published an update to the joint Cybersecurity Advisory “#StopRansomware: Royal Ransomware.” The updated advisory provides network defenders with recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit variants (previously Royal). FBI investigations identified these TTPs and IOCs as recently as July 2024. See WaterISAC’s coverage of the last two updates to the Joint Advisory.

As of August 2024, BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors. BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Ransom demands have typically ranged from approximately $1 million to $10 million, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million in total and the largest individual ransom demand was $60 million. 

Actions for organizations to take today to mitigate cyber threats related to BlackSuit ransomware activity

1. Prioritize remediating known exploited vulnerabilities (KEVs).
2. Train users to recognize and report phishing attempts.
3. Enable and enforce multifactor authentication.

CISA encourages network defenders to review the updated CSA and apply the recommended mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. To report suspicious or criminal activity related to information found in the advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. Access the full advisory at CISA.