Royal ransomware is now called Blacksuit and has extorted 500 million US dollars
Blacksuit attacks companies worldwide and extorts millions. The FBI and CISA show current tactics and how admins can protect PCs.
The people behind the Royal ransomware have renamed their extortion Trojan Blacksuit and continue to attack critical infrastructure and companies worldwide. To fend off attacks, admins should study the latest information from US authorities on attack scenarios and defense tactics.
As a rule, cybercriminals rename their ransomware when investigators get too close to them.
Current attack patterns
In a recent report, the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) provide recommendations for preventing attacks and recognizing compromises that have already occurred. To this end, they list Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOC), among other things.
The IOCs include the current ransom note as well as domains and IP addresses; admins can search their logs for the latter two.
The authorities state that the attackers usually initiate attacks via phishing emails. In these emails, they try to get victims to open specially crafted PDF files in order to pave the way for their malicious code. Recently, however, there have also been cases in which the attackers gained access via compromised RDP connections.
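Searching logs for published IOCs is more error-prone than it looks: advisories usually print indicators in defanged form (`[.]`, `hxxp`), IP addresses must be matched exactly rather than as substrings, and a listed domain should also catch its subdomains. The following script is an added example, not code from the FBI/CISA report or from the article; the IOC values and log lines in it are constructed placeholders, and the real indicators must be taken from the advisory itself.

```python
import re
import ipaddress

# Constructed placeholder IOCs (documentation/test ranges only); the FBI/CISA
# advisory publishes the real domains and IP addresses to use instead.
SAMPLE_IOCS = [
    "203.0.113.45",                          # placeholder IP, written plainly
    "198.51.100[.]7",                        # placeholder IP, defanged
    "hxxp://malicious-example[.]invalid/",   # placeholder domain inside a defanged URL
    "c2-example[.]test",                     # placeholder domain, defanged
]

# Constructed sample log lines in a proxy/firewall style; not real logs.
SAMPLE_LOGS = """\
2024-08-07T10:01:02Z proxy client=10.0.0.12 dst=cdn.example.org:443 action=allow
2024-08-07T10:02:15Z proxy client=10.0.0.12 dst=c2-example.test:443 action=allow
2024-08-07T10:03:44Z fw src=10.0.0.40 dst=203.0.113.45:4444 action=allow
2024-08-07T10:04:09Z fw src=10.0.0.41 dst=203.0.113.4:443 action=allow
2024-08-07T10:05:30Z proxy client=10.0.0.13 dst=login.c2-example.test:443 action=allow
2024-08-07T10:06:01Z rdp src=198.51.100.7 user=admin result=success
"""


def refang(ioc):
    """Turn defanged notation ([.] and hxxp) back into a plain host or IP."""
    ioc = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    # Drop a URL scheme, path and port so only the host part remains.
    ioc = re.sub(r"^[a-z]+://", "", ioc)
    return ioc.split("/")[0].split(":")[0]


def load_iocs(raw_entries):
    """Split a mixed IOC list into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for entry in raw_entries:
        host = refang(entry)
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return ips, domains


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(text, ips, domains):
    """Return (line number, matched indicators, line) for every line that hits.

    IPs are compared as whole tokens, so 203.0.113.4 does not match 203.0.113.45.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        low = line.lower()
        matched = set()
        for ip in IP_RE.findall(low):
            if ip in ips:
                matched.add(ip)
        for host in HOST_RE.findall(low):
            if domain_matches(host, domains):
                matched.add(host)
        if matched:
            hits.append((lineno, sorted(matched), line))
    return hits


def find_sample_hits():
    """Run the scan over the constructed IOCs and logs above."""
    ips, domains = load_iocs(SAMPLE_IOCS)
    return scan_logs(SAMPLE_LOGS, ips, domains)


if __name__ == "__main__":
    for lineno, indicators, line in find_sample_hits():
        print(f"line {lineno}: {', '.join(indicators)} <- {line}")
```

The fourth sample line (destination `203.0.113.4`) is deliberately close to a listed address and is not reported, while the subdomain `login.c2-example.test` is; both are common mistakes when indicators are grepped as raw substrings.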
Business worth millions
Like its predecessor, Blacksuit encrypts files and copies internal business data. As a further means of pressuring victims to pay the ransom, the attackers threaten to publish the data.
The FBI states that the cybercriminals have now extorted over 500 million US dollars. The highest ransom paid to date amounts to 60 million US dollars. The criminals are said to negotiate over the ransom and even offer a support chat for that purpose. They do not even spare hospitals.
(des)