Ignoble Scorpius Strikes Again: The Rise of BlackSuit Ransomware
The cybercrime group known as Ignoble Scorpius has resurfaced with the BlackSuit ransomware, as detailed in a recent report from Unit 42 researchers. Emerging in May 2023 as a rebrand of the Royal ransomware, BlackSuit marks a continuation of sophisticated ransomware campaigns targeting a broad spectrum of industries.
The report observes that Ignoble Scorpius has ramped up its operations significantly since March 2024, with at least 93 global victims to date. A striking 25% of these victims belong to the construction and manufacturing sectors, industries that are often critical to national economies. “The median revenue of these victims was $19.5 million,” the report states.
The group operates a dark web leak site to pressure victims into paying ransoms, which Unit 42 notes typically start at approximately 1.6% of the victim’s annual revenue. For organizations of the median size observed, this translates to hefty payouts, far from the “quite small compensation” the group claims.
Ignoble Scorpius’ activities have predominantly targeted U.S.-based organizations. The combination of economic disruption, data exfiltration, and operational paralysis makes this group a potent threat. Notably, their ability to execute complex supply chain attacks and bypass defenses signals an escalation in the sophistication of ransomware campaigns.
The Unit 42 report highlights Ignoble Scorpius’ advanced tactics, techniques, and procedures (TTPs), which include:
- Initial Access: Leveraging methods such as phishing campaigns (T1566.001), SEO poisoning with GootLoader (T1608.006), and supply chain attacks (T1195.002).
- Privilege Escalation: Using credential theft tools like Mimikatz and NanoDump, and conducting domain-wide attacks by dumping the NTDS.dit file
- Lateral Movement: Exploiting RDP (T1021.001) and SMB (T1021.002) for propagation, alongside tools like PsExec (T1570)
The ransomware’s payload features variants for both Windows and Linux systems, with specific functionalities targeting VMware ESXi servers. The Windows variant employs a unique victim ID to facilitate ransom negotiations on the dark web, while the Linux variant introduces flags to shut down virtual machines and encrypt critical files.
Unit 42 emphasizes that BlackSuit is a direct successor to Royal ransomware and, by extension, shares lineage with the infamous Conti group. “The true effectiveness of rebranding is difficult to quantify,” the report notes, “but it can offer ransomware groups a respite from the scrutiny of researchers, law enforcement, and the media.” This strategic pivot may also serve to disorient defenders by shifting TTPs and resetting perceptions of the group’s threat level.
