BlackSuit Ransomware Actors

Also known as: BlackSuit Ransomware Actors

Introduction

This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware’s suspected pedigree.[HC3 Analyst Note BlackSuit Ransomware November 2023] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[GitHub ransomwatch] ATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate “BlackSuit Ransomware” Software object.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • BlackEnergy
  • BLACKCOFFEE
  • Blackshades
  • BlackNix
  • Windows Remote Desktop
  • BlackHole

Attribution and Evidence

Information pending cataloguing.

References

[1] HC3 Analyst Note BlackSuit Ransomware November 2023
[2] GitHub ransomwatch