• Home
  • News
  • BlackSuit Ransomware Targets Two US-Based Service Providers

BlackSuit Ransomware Targets Two US-Based Service Providers

Miklos Zoltan

By Miklos Zoltan . 8 February 2024

Founder - Privacy Affairs

Alex Popa

Fact-Checked this

The novel BlackSuit ransomware targeted 2 US-based corporations recently, managing to steal considerable amount of confidential data. The victims refrained from public comments, so it’s unclear how the negotiations went.

  • BlackSuit is pretty unknown in the cyberspace sphere due to its low activity and recent formation
  • The 2 victims are Southwest Binding & Laminating and Western Municipal Construction
  • The first offers document binding and laminating equipment to entities from both the public and the private sphere
  • Western Municipal Construction provides construction services to residential and commercial customers

Unlike many ransomware actors, BlackSuit doesn’t shy away from targeting both public institutions and private corporations, so long as the potential gains are worth it. This has led the infamous actor to even target schools, colleges, and even a zoo in Tampa Bay.

It’s important to note that BlackSuit doesn’t demand unrealistic ransoms, as they typically adjust them to their victims’ financial capabilities. Even so, experts advise against paying the ransom, if and whenever possible.

That’s because if nobody would’ve paid ransoms, extortion rings would not even exist. The problem is that, in some cases, paying the ransom is actually better than not paying it. It’s a known fact that data leaks can sometimes hurt the victim more than the ransom.

X showing the BlackSuit attack on the 2 victims

It’s unclear how damaging these recent attacks have been, but BlackSuit claimed several hundreds of GB of data being stolen. BlackSuit uses the double-extortion method, which relies on data encryption and downloading.

Why Haven’t You Heard of BlackSuit?

The main reason is that BlackSuit only hit the public sphere recently, in May of 2023. This is an outstandingly short period for such a prolific ransomware actor, so what’s going on? The answer is simple: BlackSuit is not a newcomer.

According to prominent investigation agencies, BlackSuit appears to be a rebranding of Royal, who’s a rebranding of Conti. Conti ranked as the most powerful and feared ransomware actors in the world, except it’s now defunct.

But, as history has shown time and time again, ransomware groups, and cybercriminal organizations in general, don’t just go away. They either rebrand themselves under different names and https, or disband and form entirely different organizations.

This appears to be the case with BlackSuit, as the US Department of Health and Human Services (HHS) highlighted important similarities between BlackSuit and Royal. The same agency warned that BlackSuit has the potential to become a global threat.

An important aspect here, BlackSuit isn’t an RaaS (Ransomware-as-a-Service) organization yet. The group likes to keep its cards close to its chests and doesn’t work with affiliates. This is most likely due to them wanting to keep their code secret.

Along with all the profits they generate along the way, of course.

This doesn’t mean that BlackSuit is a lone wolf, as there is evidence showing connections between this group and other ransomware actors. This shows that the group does collaborate with other cybercriminal entities during more extensive operations.

And BlackSuit doesn’t seem to slow down.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Leave a Comment