DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HC3: Analyst Note: BlackSuit Ransomware

Posted on November 6, 2023 by Dissent

November 6, 2023
TLP:CLEAR
Report: 202311061700

Executive Summary

A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal
ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector.
Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former
notorious Russian-linked Conti operation, potentially places the group with one of the most active
ransomware groups in operation today. Both Royal and the now defunct Conti are known to have
aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the
sector will likely continue to be attacked profoundly. What follows is an overview of the potential new
group, possible connections to other threat actors, an analysis of its ransomware attacks, its target
industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of
compromise, and recommended defense and mitigations against the group.

Overview

BlackSuit operates using a double extortion method that steals and encrypts sensitive data on a
compromised network. So far, the specific use of BlackSuit ransomware has been observed in a small
number of attacks. The most recent suspected attack, in October 2023, was against a U.S.-based HPH
organization whose servers and systems were encrypted with malware, tentatively identified as BlackSuit.
One cybersecurity company also documented at least three attacks involving the BlackSuit encryptor, with
ransoms below $1 million. Another company annotated at least five attacks in the manufacturing,
business technology, business retail, and government sectors spanning the United States, Canada, Brazil,
and the United Kingdom. With only a small number of victims, the ransomware gang is considered more
infamous for their purported connections to the more profilic Royal ransomware family. If their connection
is confirmed, it would augment BlackSuit as a threat actor to be closely watched in the near future.

Read the full analyst note at HHS (pdf).

Related posts:

  • Japanese publisher paid BlackSuit $3 million, but BlackSuit leaked their data anyway – reports
  • Broward County Public Schools Cyberattack was Ransomware Attack — New Details Emerge
  • “Without Undue Delay,” Part 2
  • Threat actors sometimes name the wrong victims — so why are you just repeating their claims?
Category: Commentaries and AnalysesMalware

Post navigation

← Mulkay Cardiology Consultants notifies almost 80,000 of ransomware attack
Info from 5.6 million patient visits among data stolen in ransomware attack on Ontario hospital →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.