
BlackSuit

Also known as: Royal, Zeon, Ignoble Scorpius
Affiliation: Suspected former Conti ransomware members
Motivation: Financial
Status: Active
Country: Unknown
First Seen: 2022
Last Seen: 2024
Target Geographies: United States, Global

Executive Summary

BlackSuit is a financially motivated ransomware and extortion group assessed to be composed of former members of the Conti ransomware operation. The group operated as Zeon, then as Royal from approximately September 2022, and rebranded to BlackSuit in mid-2023. CISA and the FBI updated their advisory in August 2024 to consolidate the Royal and BlackSuit identities under a unified threat profile, reflecting confirmed code and operational continuity between the two variants. BlackSuit employs a double-extortion model — encrypting victim systems while simultaneously exfiltrating data and threatening to publish it on a dedicated leak site — and has targeted organizations across multiple critical infrastructure sectors in the United States and internationally.

Notable Campaigns

BlackSuit and its Royal predecessor have targeted organizations across critical infrastructure sectors globally. CISA’s advisory documents victims in commercial facilities, healthcare, government, critical manufacturing, communications, financial services, and emergency services sectors. Unit 42, which tracks the BlackSuit cluster under the designation Ignoble Scorpius, documented an increase in BlackSuit activity beginning in March 2024, indicating an operational ramp-up. The group’s double-extortion leak site has listed victims from North America, Europe, and other regions. Royal-phase activity from September 2022 through mid-2023 included targets across the same sector range, consistent with the group’s opportunistic targeting posture rather than a specific sector focus.

Technical Capabilities

BlackSuit actors enter victim environments primarily via phishing emails containing malicious PDF attachments, with malvertising campaigns serving as a secondary initial-access vector. After achieving access, the group disables antivirus and endpoint security tooling before proceeding to credential collection using Mimikatz and Nirsoft password utilities.

Network reconnaissance uses SharpShares and SoftPerfect NetWorx to enumerate shares and map internal topology. Lateral movement proceeds via SSH connections established through OpenSSH and MobaXterm. For command and control, BlackSuit actors deploy Chisel — a tunneling tool wrapping traffic over HTTP secured with SSH — alongside Cloudflared, which routes traffic through Cloudflare’s infrastructure to obscure origin addresses.

Data exfiltration precedes encryption: Cobalt Strike and Ursnif/Gozi derivatives are used to stage and transfer victim data to actor-controlled infrastructure. The final ransomware payload uses a partial-encryption approach in which operators configure what percentage of each file is encrypted. Lower percentages reduce encryption time on large files while still rendering them unusable, and the reduced write volume helps the payload evade behavioral detection thresholds. Encrypted files receive the .blacksuit extension. On VMware ESXi targets, the esxcli command-line utility is used to terminate virtual machine processes before encryption, releasing the VMs' file locks so their disk files can be encrypted.

Attribution

BlackSuit is assessed with moderate confidence to be operated by former Conti ransomware members, consistent with what CISA and independent researchers have characterized as former “Team One” operators who continued independent activity following Conti’s dissolution in mid-2022. Analysis by Trend Micro in May 2023 identified code-level overlap between the Royal and BlackSuit ransomware payloads, including shared partial-encryption logic, command-line argument handling, and file enumeration routines. CISA’s consolidated August 2024 advisory treats Royal and BlackSuit as a continuous lineage. No public court filing or formal government designation links the group to specific individuals or organizations. A suspected Russia nexus is based on Conti’s prior attribution and operational patterns; state direction or sponsorship is not supported by available public evidence.

MITRE ATT&CK Profile

T1566.001 - Spearphishing Attachment: BlackSuit actors commonly gain initial access via phishing emails containing malicious PDF attachments.

T1566.002 - Spearphishing Link: Malvertising campaigns delivering malware via spearphishing links have been observed as a secondary initial-access vector.

T1562.001 - Impair Defenses: Disable or Modify Tools: After gaining initial access, BlackSuit actors disable antivirus and endpoint security tooling before deploying ransomware, reducing detection likelihood during the credential harvesting and encryption phases.

T1003 - OS Credential Dumping: Mimikatz and Nirsoft password harvesting utilities have been found on victim systems, used to collect credentials for lateral movement and privilege escalation.

T1572 - Protocol Tunneling: Chisel, a tunneling tool wrapping traffic over HTTP secured by SSH, and Cloudflared are used to establish covert command-and-control channels and maintain persistent network access.

T1135 - Network Share Discovery: SharpShares and SoftPerfect NetWorx enumerate victim network shares and topology, informing lateral movement paths and target selection for the encryption stage.

T1021.004 - SSH: BlackSuit actors establish SSH sessions using OpenSSH and MobaXterm to move laterally within victim environments following initial compromise and credential acquisition.

T1567 - Exfiltration Over Web Service: Cobalt Strike and Ursnif/Gozi derivatives are used to exfiltrate victim data to actor-controlled infrastructure before ransomware deployment, supporting the double-extortion model.

T1486 - Data Encrypted for Impact: BlackSuit deploys its partial-encryption ransomware payload, appending the .blacksuit extension to encrypted files.

T1489 - Service Stop: BlackSuit uses esxcli to terminate virtual machine processes on ESXi hypervisors before encryption.
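The following is an added detection example, not code from the advisory or from any vendor, covering three of the behaviors described in the Technical Capabilities section and the ATT&CK profile above: esxcli VM process termination on ESXi (T1489), Chisel/Cloudflared tunnel processes (T1572), and a burst of renames to the .blacksuit extension (T1486). The pipe-delimited event format, the host names, and the sample events are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from any real incident). Format: ts|host|type|detail
SAMPLE_EVENTS = r"""
1717000001|esxi01|proc|/bin/esxcli vm process list
1717000002|esxi01|proc|/bin/esxcli vm process kill --type=force --world-id=12345
1717000003|ws07|proc|C:\Users\Public\chisel.exe client 203.0.113.10:8080 R:socks
1717000004|ws07|proc|C:\Users\Public\cloudflared.exe tunnel run
1717000005|fs01|rename|D:\Share\Q1.xlsx -> D:\Share\Q1.xlsx.blacksuit
1717000005|fs01|rename|D:\Share\Q2.xlsx -> D:\Share\Q2.xlsx.blacksuit
1717000006|fs01|rename|D:\Share\notes.txt -> D:\Share\notes.txt.blacksuit
1717000100|fs01|rename|D:\Share\old.bak -> D:\Share\old.bak.tmp
"""

ESXI_KILL = re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I)  # T1489 on ESXi
TUNNEL_TOOLS = {"chisel", "cloudflared"}                           # T1572
RANSOM_EXT = ".blacksuit"                                          # T1486
BURST_COUNT, BURST_WINDOW = 3, 60  # N renames on one host within this many seconds

def image_name(cmdline):
    """Lowercase basename of the first command-line token, without a trailing .exe."""
    first = cmdline.split()[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first

def analyze(events):
    """Return (host, technique, detail) alerts for the behaviors described above."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of renames to .blacksuit
    for line in events.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        if kind == "proc":
            if ESXI_KILL.search(detail):
                alerts.append((host, "T1489", "esxcli vm process kill"))
            elif image_name(detail) in TUNNEL_TOOLS:
                alerts.append((host, "T1572", image_name(detail)))
        elif kind == "rename" and detail.split(" -> ")[-1].lower().endswith(RANSOM_EXT):
            renames[host].append(int(ts))
    # Partial encryption is fast, so the rename burst is the reliable signal per host.
    for host, stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_COUNT + 1):
            if stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW:
                alerts.append((host, "T1486", f"{BURST_COUNT}+ {RANSOM_EXT} renames in {BURST_WINDOW}s"))
                break
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The single "esxcli vm process list" event is deliberately not alerted on, since listing VMs is routine administration; only the kill subcommand is flagged.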

Sources & References