
BlackSuit ransomware ramps up ops hitting 93 organisations


Illustration: JMiks | Shutterstock

A new wave of ransomware attacks targets businesses worldwide, with a rebranded threat known as BlackSuit wreaking havoc across industries. Emerging in 2023 as a successor to the notorious Royal ransomware, the group behind BlackSuit, dubbed Ignoble Scorpius, has escalated its operations in 2024, compromising at least 93 organisations with a significant focus on the construction, manufacturing, and education sectors.

The group uses well-established intrusion techniques and demands ransoms averaging 1.6% of the victim’s annual revenue.

BlackSuit ransomware debuted in 2023, following a decline in Royal ransomware. As with its predecessor, BlackSuit operates a dark web leak site, leveraging the threat of public data exposure to pressure victims into paying ransoms.

BlackSuit leak site. | Source: Unit42

Despite the group’s description of its demands as ‘small compensations,’ researchers report that initial ransom demands averaged 1.6% of the victim’s annual revenue, a substantial sum for most targets.

Rebranding is a strategic move often employed by ransomware groups to evade law enforcement and mislead cybersecurity defences. Ignoble Scorpius exemplifies this trend, adopting new names while retaining the sophistication and operational expertise that marked its predecessors, Royal and Conti.

“Rebranding not only buys these groups time to operate under reduced scrutiny but also forces defenders to recalibrate their strategies,” researchers noted.

Ignoble Scorpius victimology. | Source: Unit42

The operational playbook of Ignoble Scorpius reflects both innovation and the use of established ransomware techniques. Highlights include:

  • Initial access: The group employs diverse entry methods, including phishing campaigns, stolen VPN credentials, and even supply chain attacks.
  • Credential theft: Tools like Mimikatz and NanoDump are used to compromise privileged accounts, often targeting Windows domain controllers.
  • Lateral movement: Remote Desktop Protocol (RDP) and PsExec are leveraged for network infiltration.
  • Defence evasion: Advanced techniques such as using malicious drivers to disable antivirus and endpoint detection and response (EDR) systems underscore the group’s technical sophistication.

Ignoble Scorpius attack targets. | Source: Unit42

The ransomware payload itself is versatile, with both Windows and Linux variants designed to maximise impact. Notably, the Linux variant targets VMware ESXi servers, emphasising the group’s focus on virtualised environments, where encrypting a single hypervisor takes down every guest running on it.

The victim profile of Ignoble Scorpius reveals a predilection for sectors like construction, manufacturing, and education, each of which accounts for a significant share of attacks. This targeted approach suggests strategic planning, likely aimed at sectors less equipped to handle advanced ransomware threats.

Researchers noted that the rise of BlackSuit signals a troubling trend in ransomware operations: the increasing adoption of rebranding as a tool to sustain and expand campaigns. While the group’s public impact is growing, the true number of victims could be much higher, as many organisations opt to pay ransoms quietly to avoid reputational damage.

Cybersecurity experts have advised users and organisations to use threat hunting and incident response services, deploy advanced detection tools, and assess their defences against Ignoble Scorpius using the MITRE ATT&CK framework.
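As an added example that is not code from the article or from the Unit 42 report, the script below turns the playbook listed above (RDP lateral movement, PsExec, LSASS credential theft, driver-based EDR tampering) into hunting rules that run over Windows event records and tag each hit with its MITRE ATT&CK technique ID, which is the kind of assessment the advice above refers to. The event records, host and user names, jump-host list, LSASS allow-list and driver hash are all constructed for this example; the field names mirror common SIEM normalisations of Security, System and Sysmon events but are assumptions, not a real schema.

```python
"""Hunt Windows event records for the Ignoble Scorpius / BlackSuit playbook.

Each record is a flat dict modelled loosely on a Windows event as it arrives
in a SIEM. All sample data, allow-lists and hashes below are constructed for
this example (assumptions, not values from the Unit 42 report).
"""
from collections import Counter
from dataclasses import dataclass

# Hosts from which interactive RDP into servers is expected (assumption).
RDP_JUMP_HOSTS = {"JUMP01"}
# Images that legitimately open handles to lsass.exe (assumption; tune per estate).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
# SHA-256 of drivers known to be abused to kill EDR. Placeholder value; in
# production this would be populated from a maintained vulnerable-driver list.
BLOCKED_DRIVER_HASHES = {"aa" * 32}


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK (sub-)technique ID
    host: str
    detail: str


def rule_rdp_logon(ev):
    """T1021.001: RemoteInteractive (logon type 10) from a host that is not a jump box."""
    if ev["channel"] == "Security" and ev["event_id"] == 4624 and ev.get("logon_type") == 10:
        if ev.get("workstation", "").upper() not in RDP_JUMP_HOSTS:
            return Finding("T1021.001", ev["host"], f"RDP logon by {ev['user']} from {ev['workstation']}")
    return None


def rule_psexec_service(ev):
    """T1569.002: PsExec installs a PSEXESVC service on the target before executing."""
    if ev["channel"] == "System" and ev["event_id"] == 7045:
        blob = (ev.get("service_name", "") + " " + ev.get("image_path", "")).upper()
        if "PSEXESVC" in blob:
            return Finding("T1569.002", ev["host"], f"service {ev['service_name']} installed from {ev['image_path']}")
    return None


def rule_lsass_access(ev):
    """T1003.001: Sysmon ProcessAccess (event 10) on lsass.exe from an unexpected image."""
    if ev["channel"] == "Sysmon" and ev["event_id"] == 10:
        target = ev.get("target_image", "").lower()
        source = ev.get("source_image", "").lower()
        if target.endswith("\\lsass.exe") and source not in LSASS_ALLOWED_SOURCES:
            return Finding("T1003.001", ev["host"], f"{source} opened lsass.exe with access {ev.get('granted_access')}")
    return None


def rule_driver_load(ev):
    """T1562.001: Sysmon DriverLoad (event 6) of an unsigned or known-abusable driver."""
    if ev["channel"] == "Sysmon" and ev["event_id"] == 6:
        if not ev.get("signed", False) or ev.get("sha256", "").lower() in BLOCKED_DRIVER_HASHES:
            return Finding("T1562.001", ev["host"], f"driver {ev.get('image_loaded')} loaded (signed={ev.get('signed')})")
    return None


RULES = (rule_rdp_logon, rule_psexec_service, rule_lsass_access, rule_driver_load)


def hunt(events):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def technique_counts(findings):
    """Summarise findings as {technique_id: count} for an ATT&CK coverage view."""
    return dict(Counter(f.technique for f in findings))


# Constructed sample events: one benign counterpart follows each suspicious record.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "DC01", "user": "CORP\\svc_backup", "logon_type": 10, "workstation": "WS-FINANCE07"},
    {"channel": "Security", "event_id": 4624, "host": "DC01", "user": "CORP\\admin.jane", "logon_type": 10, "workstation": "JUMP01"},
    {"channel": "System", "event_id": 7045, "host": "FS02", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"channel": "Sysmon", "event_id": 10, "host": "DC01", "source_image": "C:\\Users\\Public\\nd.exe", "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1FFFFF"},
    {"channel": "Sysmon", "event_id": 10, "host": "DC01", "source_image": "C:\\Windows\\system32\\svchost.exe", "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1000"},
    {"channel": "Sysmon", "event_id": 6, "host": "FS02", "image_loaded": "C:\\Windows\\Temp\\drv.sys", "signed": False, "sha256": "ff" * 32},
    {"channel": "System", "event_id": 7045, "host": "WS-FINANCE07", "service_name": "Vendor Helper", "image_path": "C:\\Program Files\\Vendor\\helper.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.host:14} {f.detail}")
    print(technique_counts(hunt(SAMPLE_EVENTS)))
```

Run stand-alone, the script flags four of the seven constructed events, one per playbook stage, and skips the benign jump-host logon, the svchost.exe handle to LSASS and the ordinary service install. The allow-lists carry the signal here: type 10 logons and LSASS handle opens are routine on their own, so the tuning work in a real estate is maintaining those lists, and driver-load hunting should pair the hash check with alerts on EDR services stopping unexpectedly.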


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
