blacksuit

184 tracked victims

·first seen 2023-06-12·last activity 2025-05-29

Group profile

According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.

MITRE ATT&CK TTPs

TA0001

Initial Access

T1021.001Remote Services: Remote Desktop Protocol
BlackSuit actors use RDP compromise as a secondary initial access vector.
T1133External Remote Services
BlackSuit actors gain initial access through a variety of RMM software.
T1190Exploit Public-Facing Application
BlackSuit actors gain initial access through public-facing applications.
T1566Phishing
BlackSuit criminals often obtain initial access to victim networks through phishing.
T1566.001Phishing: Spear phishing Attachment
BlackSuit agents have used malicious PDF document attachments in phishing campaigns.
T1566.002Phishing: Spear phishing Link
Actors gain initial access through malvertising links via emails and public websites.

TA0004

Privilege Escalation

T1078Valid Accounts
BlackSuit actors used a legitimate administrator account to gain access privileges to the domain controller.
T1078.002Valid Accounts: Domain Accounts
BlackSuit actors used encrypted files to create new administrator user accounts.

TA0005

Defense Evasion

T1021.001Remote Services: Remote Desktop Protocol
BlackSuit actors used valid accounts to move laterally through the domain controller using RDP.
T1070.001Indicator Removal: Clear Windows Event Logs
BlackSuit actors deleted shadow files and system and security logs after exfiltration.
T1119Automated Collection
BlackSuit actors used registry keys to extract and collect files automatically.
T1484.001Domain Policy Modification: Group Policy Modification
BlackSuit actors modified Group Policy Objects to bypass antivirus protocols.
T1562.001Impair Defenses: Disable or Modify Tools
BlackSuit actors disabled antivirus protocols.

TA0011

Command and Control

T1105Ingress Tool Transfer
BlackSuit actors used C2 infrastructure to download various tools.
T1572Protocol Tunneling
BlackSuit actors used an encrypted SSH tunnel to communicate within the C2 infrastructure.

TA0040

Impact

T1486Data Encrypted for Impact
BlackSuit actors encrypted data to identify which files were being used or locked by other applications.
T1490Inhibit System Recovery
BlackSuit actors encrypted data to identify which files were being used or locked by other applications.

TA0042

Resource Development

T1650Acquire Access
BlackSuit actors may leverage brokers to gain initial access.

Recent victims

showing 50 of 184

Date	Website / victim	Sector	Country
2025-04-15	Kansas City Aviation Centerwww.kcac.com	Transportation/Logistics	US
2025-03-30	metromont.commetromont.com	Construction	US
2025-05-29	Inns of Aurorawww.innsofaurora.com	Hospitality and Tourism	US
2025-05-15	Gloucester County Virginiawww.gloucesterva.gov	Public Sector	US
2025-04-24	Pacific Metallurgicalwww.pacmet.com	Manufacturing	US
2025-04-24	The Fortune Societyfortunesociety.org	Public Sector	US
2025-02-04	Massachusetts Municipal Wholesale Electricmmwec.org	Energy	US
2025-03-29	dapope.comdapope.com	Not Found	US
2025-03-29	Town of Orangevilleorangeville.ca	Public Sector	CA
2024-08-31	midwest.commidwest.com	Business Services	US
2024-10-23	copresi.escopresi.es	Not Found	ES
2024-10-11	JTEKT NORTH AMERICAjtekt-na.com	Manufacturing	US
2024-10-08	Grandview School Districtgsd200.org	Education	US
2024-11-24	co.cullman.al.usco.cullman.al.us	Public Sector	US
2024-11-18	eastgateauto.comeastgateauto.com	Transportation/Logistics	US
2024-11-18	kciaviation.comkciaviation.com	Transportation/Logistics	US
2024-11-17	hetrhedens.nlhetrhedens.nl	Education	NL
2024-10-02	brandywinecoachworks.combrandywinecoachworks.com	Transportation/Logistics	US
2024-11-15	kapurinc.comkapurinc.com	Business Services	IN
2024-11-15	klarenbeek-transport.nlklarenbeek-transport.nl	Transportation/Logistics	NL
2024-10-09	surgicalassociates.comsurgicalassociates.com	Healthcare	US
2024-10-20	billyheromans.combillyheromans.com	Business Services	US
2024-11-15	kenmore.comkenmore.com	Business Services	US
2024-10-28	marysville.k12.oh.usmarysville.k12.oh.us	Education	US
2024-11-13	stalyhill-inf.tameside.sch.ukstalyhill-inf.tameside.sch.uk	Education	GB
2024-10-07	steppingstonesd.orgsteppingstonesd.org	Education	US
2024-11-12	jst.esjst.es	Technology	ES
2024-11-12	jarrellimc.comjarrellinc.com	Business Services	US
2024-11-11	Supply Technologiessupplytechnologies.com	Transportation/Logistics	US
2024-11-11	Maxxis Internationalmaxxis.com	Manufacturing	VN
2024-11-11	dezinecorp.comdezinecorp.com	Business Services	CA
2024-11-02	SVP Worldwidesvpworldwide.com	Business Services	US
2024-10-29	nathcompanies.comnathcompanies.com	Hospitality and Tourism	US
2024-10-05	wescan-services.com 760 GBwescan-services.com	Business Services	CH
2024-10-05	wescan-services.comwescan-services.com	Business Services	LU
2024-10-25	lolaliza.comlolaliza.com	Business Services	BE
2024-10-25	deschampsimp.comdeschampsimp.com	Manufacturing	CA
2024-10-25	omara-ag.comomara-ag.com	Agriculture and Food Production	DE
2024-10-25	nrcs.netnrcs.net	Technology	CH
2024-10-25	zyloware.comzyloware.com	Business Services	US
2024-10-25	unitedsprinkler.comunitedsprinkler.com	Business Services	US
2024-09-08	Aerotecnicaerotecnic.com	Manufacturing	ES
2024-10-21	Teddy SpAteddy.it	Business Services	IT
2024-10-19	rcschools.netrcschools.net	Education	US
2024-10-19	mopsohio.commopsohio.com	Transportation/Logistics	US
2024-10-19	Kansas City Hospicekchospice.org	Healthcare	US
2024-09-20	Neighbors Credit Unionneighborscu.org	Financial Services	US
2024-03-07	Volta River Authorityvra.com	Energy	GH
2024-09-24	GenPro Inc.genproinc.com	Transportation/Logistics	US
2024-09-09	Branhaven Chrysler Dodge Jeep Rambranhaven.com	Business Services	US