#StopRansomware: BlackSuit Ransomware

August 7, 2024

This updated Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as July. BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities.

The advisory was updated to notify network defenders of the rebrand of Royal ransomware actors to BlackSuit. The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware.

BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable anti-virus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. FBI and CISA encourage organizations to implement the recommendations found in the mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents.