June 3, 2023 | Ravi Lakshmanan | Endpoint Security / Linux

An analysis of a Linux variant of a new ransomware strain called BlackSuit reveals important similarities to another ransomware family called Royal.

Trend Micro, which examined an x64 VMware ESXi version of the ransomware built to target Linux machines, said it found “a very high degree of similarity” between Royal and BlackSuit.

“In fact, they are nearly identical, with 98% similarity in functions, 99.5% similarity in blocks, and 98.9% similarity in jumps, based on BinDiff, a binary file comparison tool,” it said.

Comparing the Windows artifacts confirmed 93.2% similarity for functions, 99.3% for basic blocks, and 98.4% for jumps based on BinDiff.

BlackSuit first came to light in early May 2023, when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts.


Like other ransomware groups, it runs a double extortion scheme, stealing and encrypting sensitive data within compromised networks in exchange for financial compensation. Data belonging to one victim is currently listed on its dark web leak site.

Recent research from Trend Micro shows that both BlackSuit and Royal use OpenSSL’s AES for encryption and share similar intermittent encryption capabilities, a technique that encrypts only parts of each file to speed up the encryption process.
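As an added, defender-side illustration (not code from Trend Micro's report or from either ransomware family), the check below scans a file in fixed-size chunks and looks for the entropy profile that partial encryption leaves behind: alternating ciphertext-like and plaintext-like regions, as opposed to a file that is entirely encrypted or untouched. The 4 KiB chunk size, the 7.5 bits/byte threshold and the sample data are constructed assumptions, not values taken from the article.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096       # assumed scan granularity; real strains choose their own block sizes
HIGH_ENTROPY = 7.5      # bits/byte at or above this reads as ciphertext (or compressed data)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size slice of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file by its per-chunk entropy profile:
    'encrypted'    every chunk is high entropy (whole-file encryption)
    'plaintext'    no chunk is high entropy
    'intermittent' high and low chunks alternate, i.e. only some blocks were encrypted
    'mixed'        both kinds present with a single boundary (e.g. an archive embedded in a doc)
    """
    flags = [e >= HIGH_ENTROPY for e in chunk_entropies(data, chunk_size)]
    if not flags or not any(flags):
        return "plaintext"
    if all(flags):
        return "encrypted"
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "mixed"

# Constructed samples: a repeated log line stands in for plaintext and seeded
# pseudo-random bytes stand in for ciphertext. This is not real ransomware output.
_rng = random.Random(1337)
PLAIN_CHUNK = (b"2023-06-03 12:00:00 esxi-host vmkernel: heartbeat ok\n" * 80)[:CHUNK_SIZE]
CIPHER_CHUNK = _rng.randbytes(CHUNK_SIZE)

SAMPLE_PLAINTEXT = PLAIN_CHUNK * 8                  # untouched file
SAMPLE_ENCRYPTED = _rng.randbytes(CHUNK_SIZE * 8)   # fully encrypted file
SAMPLE_INTERMITTENT = (PLAIN_CHUNK + CIPHER_CHUNK) * 4  # every other block encrypted

if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED),
                       ("intermittent", SAMPLE_INTERMITTENT)]:
        print(f"{name:13s} -> {classify(blob)}")
```

A scanner built on this idea should treat a sudden rise in "intermittent" verdicts across a datastore as a stronger signal than any single file, since legitimate formats such as encrypted archives inside documents produce the "mixed" profile rather than repeated alternation.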

Overlap aside, BlackSuit adds extra command line arguments and skips a different list of file extensions during enumeration and encryption.

“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has modified the original family,” said Trend Micro.

Given that Royal was itself an outgrowth of the former Conti team, it is also possible that “BlackSuit emerged from a schism within the original Royal ransomware gang,” the cybersecurity firm theorized.

This development once again underscores the ever-changing state of the ransomware ecosystem, as new threat actors emerge and tweak existing tools to generate illicit profits.


This includes a new Ransomware-as-a-Service (RaaS) operation codenamed NoEscape, which Cyble says allows its operators and affiliates to use a triple extortion technique to maximize the impact of a successful attack.

Triple extortion is a three-pronged approach in which data exfiltration and encryption are combined with a distributed denial-of-service (DDoS) attack against the target, with the aim of sabotaging the victim’s business and forcing them to pay a ransom.

The DDoS service is available for an additional fee of $500,000, per Cyble, and the operators impose conditions that prohibit their affiliates from attacking organizations located in Commonwealth of Independent States (CIS) countries.

Security Blog

Blue Training Academy
