Ransomware Group

BlackSuit

Also known as: BlackSuit Ransomware, Royal rebrand

Status: active • First seen 2023-05 • 200+ known victims

BlackSuit is essentially Royal ransomware under a new name: the same experienced operators and the same tactics, just rebranded. They still go after hospitals and schools, and they're still dangerous. The FBI and CISA have warned about them specifically because they keep hitting critical infrastructure.

Overview

BlackSuit is believed to be a rebrand of the Royal ransomware operation, sharing significant code overlap. The group targets critical infrastructure with a focus on healthcare and education. They employ sophisticated tactics and are operated by experienced ransomware veterans.

Target Industries

Healthcare, Education, Government, Manufacturing, Critical Infrastructure, Commercial Facilities

How They Attack

  • Callback phishing (initial contact via phone)
  • SEO poisoning with fake software installers
  • Using legitimate remote access tools (AnyDesk)
  • Exploiting public-facing applications
  • GootLoader for initial access

Notable Victims

  • CDK Global (2024) - impacting 15,000+ car dealerships
  • Multiple healthcare systems
  • Various school districts
  • Several government entities

How to Protect Against BlackSuit

  1. Train staff on callback phishing (fake tech support calls)
  2. Block or alert on AnyDesk and similar remote tools
  3. Verify software downloads only from official sources
  4. Apply Royal/BlackSuit specific detection rules
  5. Auto dealerships: ensure backups are air-gapped

MITRE ATT&CK Techniques

T1566 (Phishing), T1608.006 (Stage Capabilities: SEO Poisoning), T1219 (Remote Access Software), T1486 (Data Encrypted for Impact), T1048 (Exfiltration Over Alternative Protocol)

Related Groups

Royal, Conti, LockBit
