An analysis of a Linux variant of a new ransomware strain called BlackSuit reveals important similarities to another ransomware family called Royal.
Trend Micro, which examined x64 VMware ESXi versions that target Linux machines, said it found “a very high degree of similarity” between Royal and BlackSuit.
“In fact, they are nearly identical, with 98% similarity in functions, 99.5% similarity in blocks, and 98.9% similarity in jumps, based on BinDiff, a binary file comparison tool,” the company said.
Comparing the Windows artifacts confirmed 93.2% similarity for functions, 99.3% for basic blocks, and 98.4% for jumps based on BinDiff.
BlackSuit first came to light in early May 2023, when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts.
Like other ransomware groups, it runs a double extortion scheme to steal and encrypt sensitive data within compromised networks in exchange for financial compensation. Data related to one victim is listed on a dark web leak site.
Trend Micro’s latest analysis shows that both BlackSuit and Royal use OpenSSL’s AES for encryption and leverage similar intermittent encryption techniques, which speed up the encryption process by encrypting only portions of each file.
Beyond the overlap, BlackSuit adds extra command-line arguments and skips a different list of file extensions during enumeration and encryption.
“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family,” Trend Micro said.
Royal is itself an outgrowth of the former Conti team, but it is also possible that “BlackSuit emerged from a schism within the original Royal ransomware gang,” the cybersecurity firm theorized.
The development once again underscores the ever-fluctuating state of the ransomware ecosystem, as new threat actors emerge and tweak existing tools to generate illicit profits.
This includes a new ransomware-as-a-service (RaaS) initiative codenamed NoEscape, which Cyble says allows its operators and affiliates to use a triple extortion technique to maximize the impact of a successful attack.
Triple extortion is a three-pronged approach in which data exfiltration and encryption are combined with a distributed denial-of-service (DDoS) attack against the target, with the aim of disrupting the victim’s business and forcing a ransom payment.
The DDoS service is available for an additional fee of $500,000, per Cyble, and the operators impose conditions that prohibit affiliates from attacking organizations located in Commonwealth of Independent States (CIS) countries.