BlackSuit/Royal Ransomware Group Has Demanded $500m

A prolific ransomware group has demanded more than $500m from its victims in less than two years, according to new data from the US Cybersecurity and Infrastructure Security Agency (CISA).

An update to a previous CISA report, compiled with the FBI and released on August 7, detailed the activity of the BlackSuit group, which rebranded from “Royal” in July 2023 and has been in operation since September 2022.

Its largest individual demand since that time was $60m, although the report adds that the group displays a “willingness to negotiate payment amounts,” so initial high asking prices are likely to be merely a negotiating tactic.

“Ransom demands have typically ranged from approximately $1m to $10m, with payment demanded in Bitcoin,” it added.

Ransom amounts are not displayed on the initial note. Instead, victims usually need to interact directly with the threat actor via a .onion URL provided after encryption, although more recently they’ve also received email and telephone communications, CISA said.

The group was most notably responsible for an attack on the City of Dallas last year which resulted in the compromise of several servers and widespread disruption to public services, including 911 dispatch systems. 

Just last month, Indiana’s Monroe County suffered a week-long shutdown of government offices after an attack from the group. It’s unclear if a similar attack on next-door Clay County shortly after – which resulted in the declaration of a state of emergency – may also have come from BlackSuit.

BlackSuit uses classic double extortion tactics, displaying the names of victims and subsequently their data on a leak site if a ransom is not paid.

“Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors,” CISA’s report claimed. “After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.”

A CISA report from November 2023 claimed that Royal had targeted 350 global victims since September 2022, demanding $275m in ransom payments.
