URL: https://www.tripwire.com/state-of-security/blacksuit-ransomware-what-you-need-know

BLACKSUIT RANSOMWARE - WHAT YOU NEED TO KNOW


Posted on December 7, 2023



What's going on?

A cybercriminal group calling itself BlackSuit has claimed responsibility for a
series of ransomware attacks, including breaches at schools in central Georgia.

And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking
gang.

Meanwhile, liberal arts college DePauw University in Indiana says that it was
recently targeted, and a "limited amount of data on specific individuals was
accessed." 214GB of stolen data has since been made available for download on
BlackSuit's extortion site on the dark web.


How come I haven't heard of BlackSuit before?

Chances are that if you're interested in cybersecurity, you're not a complete
stranger to BlackSuit. Although BlackSuit first appeared in May 2023, it appears
to have strong links to the Royal ransomware gang, which itself was born out of
the remains of the notorious Conti group.

Are you suggesting that BlackSuit is a rebranding of the Royal and Conti
ransomware groups?

It's not just me. Last month the US Department of Health and Human Services
(HHS) issued an advisory to the healthcare and public health sector about
BlackSuit that described its "striking parallels" to Royal, and said it was the
"direct successor to the notorious Russian-linked Conti operation."

The HHS warned that BlackSuit was "a threat actor to be closely watched in the
near future".

So is BlackSuit another ransomware-as-a-service (RaaS) operation?

Not presently. Right now, it cannot be considered ransomware-as-a-service as
there aren't any known affiliates of BlackSuit. Of course, that might change in
the future - but it's possible that the malicious hackers behind BlackSuit are
happy keeping their weapon (and the profits it generates) to themselves.

How will I know that my organisation has been hit by BlackSuit?

BlackSuit encrypts files on your Linux and Windows systems and appends a
".blacksuit" extension to affected files. It also changes your desktop
wallpaper and drops a ransom note (named "README.BlackSuit.txt").
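As an added illustration that is not part of the original article, the following Python triage script walks a directory tree and reports the two on-disk indicators described above (the ".blacksuit" extension and the "README.BlackSuit.txt" note); the file layout it scans is constructed inline for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the article: the appended extension and the note name.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE_NAME = "README.BlackSuit.txt"


def scan_for_blacksuit_indicators(root):
    """Walk `root` and collect encrypted files, ransom notes and the set of
    directories holding a note (which shows how far the encryption run reached)."""
    findings = {"encrypted": [], "notes": [], "note_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()  # NTFS is case-preserving, not case-sensitive
            full = os.path.join(dirpath, name)
            if lowered.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted"].append(full)
            elif lowered == RANSOM_NOTE_NAME.lower():
                findings["notes"].append(full)
                findings["note_dirs"].add(dirpath)
    return findings


def build_sample_tree():
    """Create a constructed (not real) layout mimicking a file share after a hit."""
    root = tempfile.mkdtemp(prefix="blacksuit-demo-")
    layout = {
        "finance/budget.xlsx.blacksuit": b"",
        "finance/README.BlackSuit.txt": b"constructed note",
        "hr/payroll.docx.blacksuit": b"",
        "hr/README.BlackSuit.txt": b"constructed note",
        "it/readme.txt": b"unrelated",  # legitimate file, must not be flagged
        "it/tools.zip": b"",
    }
    for rel, content in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


if __name__ == "__main__":
    result = scan_for_blacksuit_indicators(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} "
          f"ransom notes across {len(result['note_dirs'])} directories")
```

Point the scanner at a suspect share or a mounted disk image rather than the sample tree to get a first estimate of blast radius before restoring from backup.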


Should I pay the ransom?

That's the six million dollar question. Or should that be the 139 Bitcoins
question? :)

It's true to say that paying ransoms encourages ransomware attackers. If no
organisations ever paid up, there would not be ransomware attacks. So, paying
the malicious people attempting to extort your company is deeply unattractive.

However, not paying is not an easy decision for any victim to make. Even if they
have a secure, unencrypted backup of their important data to rebuild their
systems from, they will still have to handle the possible fall-out when
sensitive information about their business, their employees, their suppliers,
and their customers is released into the public domain by the criminals.

The repercussions of a data leak are not just potentially legal, but a company's
public image and brand reputation may be seriously tarnished by hackers that
publish exfiltrated data.

Ultimately, there is no good decision - only a choice between two unpleasant
options.

So, what action should I take right now?

The best thing to do is to ensure that you have hardened defences in place
before a ransomware attack, to reduce the chances of it succeeding and to limit
any potential impact on your business.

The FBI and CISA have published mitigation guidance and a range of IOCs for both
the Royal and BlackSuit ransomware families.

In addition, it would be wise to follow our recommendations on how to protect
your organisation from other ransomware.

Those include:

 * making secure offsite backups.
 * running up-to-date security solutions and ensuring that your computers are
   protected with the latest security patches against vulnerabilities.
 * restricting an attacker's ability to spread laterally through your
   organisation via network segmentation.
 * using hard-to-crack unique passwords to protect sensitive data and accounts,
   as well as enabling multi-factor authentication.
 * encrypting sensitive data wherever possible.
 * reducing the attack surface by disabling functionality that your company does
   not need.
 * educating and informing staff about the risks and methods used by
   cybercriminals to launch attacks and steal data.

Stay safe, and don't allow your organisation to be the next victim to fall foul
of the BlackSuit ransomware group.

--------------------------------------------------------------------------------

Editor’s Note: The opinions expressed in this guest author article are solely
those of the contributor, and do not necessarily reflect those of Tripwire.

GRAHAM CLULEY

Cybercrime Researcher and Blogger
