November 6, 2023
TLP:CLEAR
Report: 202311061700
Executive Summary
A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal
ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector.
Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former
notorious Russian-linked Conti operation, potentially places the group with one of the most active
ransomware groups in operation today. Both Royal and the now defunct Conti are known to have
aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the
sector will likely continue to be attacked profoundly. What follows is an overview of the potential new
group, possible connections to other threat actors, an analysis of its ransomware attacks, its target
industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of
compromise, and recommended defense and mitigations against the group.Overview
BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a
compromised network. So far, the specific use of BlackSuit ransomware has been observed in a small
number of attacks. The most recent suspected attack, in October 2023, was against a U.S.-based HPH
organization whose servers and systems were encrypted with malware, tentatively identified as BlackSuit.
One cybersecurity company also documented at least three attacks involving the BlackSuit encryptor, with
ransoms below $1 million. Another company annotated at least five attacks in the manufacturing,
business technology, business retail, and government sectors spanning the United States, Canada, Brazil,
and the United Kingdom. With only a small number of victims, the ransomware gang is considered more
infamous for their purported connections to the more profilic Royal ransomware family. If their connection
is confirmed, it would augment BlackSuit as a threat actor to be closely watched in the near future.Read the full analyst note at HHS (pdf).