
BlackSuit

blacksuit · primary source: Other · first observed 2022
Country: Unknown · Ransomware · Moderate confidence · last cited Aug 6, 2024 (1.8y ago)

Russian-speaking ransomware-as-a-service operation that ran under the Royal brand from September 2022 to June 2023 and then rebranded as BlackSuit. FBI/CISA confirmed the rebrand as a direct continuation in joint advisory AA23-061A (updated August 2024), based on continuity of code, infrastructure, and TTPs. The lineage traces back further to the short-lived Quantum brand, itself a Conti-family spinoff. Heavy targeting of healthcare, education, and manufacturing; ransom demands up to $60M.

Aliases

  • Royal (source: Other)
  • Quantum (precursor; source: Other)

Motivations

financial gain

Target sectors

  • healthcare
  • education
  • manufacturing
  • communications
  • government

Target countries

  • US
  • GB
  • CA
  • DE
  • BR

Lineage & relationships

Lineage of BlackSuit (this actor): descended from Conti (RU, ransomware)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • BlackSuit
  • Unknown
  • financial gain
Infrastructure
  • altocloudzone.live
Victim
  • healthcare
  • education
  • manufacturing
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

4 indicators
Type: Name
Value: readme.BlackSuit.txt
Family: BlackSuit
Note: BlackSuit ransom note filename documented in YARA rules and IOC tables of the August 7, 2024 update to AA23-061A. Royal-era victims received README.TXT with the .royal extension; BlackSuit demands have totaled $500M+ with individual asks up to $60M.
First seen: Aug 6, 2024 · Source: CISA

Type: SHA-256
Value: af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61
Family: BlackSuit
Note: SHA-256 of 1.exe, the BlackSuit encryptor identified by the FBI in threat-response activity through July 2024 and published in Table 10 of the August 7, 2024 update to joint FBI/CISA advisory AA23-061A, which covers the rebrand of Royal ransomware (active September 2022 through June 2023).
First seen: Aug 6, 2024 · Source: CISA

Type: SHA-256
Value: 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Family: BlackSuit
Note: SHA-256 of the Chisel TCP/UDP-over-HTTP tunneling tool used by Royal/BlackSuit operators for C2 egress, listed in Table 4 of AA23-061A as of January 2023.
First seen: Mar 1, 2023 · Source: CISA

Type: Domain
Value: altocloudzone[.]live
Family: BlackSuit
Note: Royal/BlackSuit malicious domain last observed December 2022 and published in Table 3 of AA23-061A.
First seen: Nov 30, 2022 · Source: CISA

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). BlackSuit — actor profile. Retrieved from https://threatintel.local/actors/blacksuit

latest cited activity · 2024-08-07 · 4 cataloged indicators