BlackSuit Malware

Written by: Monica Burgess 

Published: 11/7/2025



What is BlackSuit Malware?

BlackSuit is a sophisticated ransomware operation that encrypts victim files and demands payment for decryption, while simultaneously exfiltrating data and threatening to publish it on a dark web leak site if the ransom is not paid — a technique known as double extortion. It targets businesses and critical infrastructure across multiple sectors and employs advanced evasion techniques to bypass traditional defenses.

When was BlackSuit First Discovered?

BlackSuit was first observed in May 2023, when researchers identified a new ransomware encryptor and data leak site distinct from Royal. The emergence of BlackSuit coincided with Royal ransomware activity winding down — the two operations did not overlap. In August 2024, the FBI and CISA formally confirmed in an updated joint advisory (AA23-061A) that BlackSuit is a direct rebrand of the Royal ransomware operation, with significant code-level similarities between the two.

Who Created BlackSuit? 

The identities and number of individuals behind BlackSuit remain unknown, though it is suspected to be the work of a financially motivated cybercriminal group.

What Does BlackSuit Target?

BlackSuit primarily targets Windows-based systems in industries such as healthcare, finance, and manufacturing. It has been observed in attacks across North America and Europe.

Notable confirmed victims include:

  • CDK Global (June 2024): Major disruption to automotive dealer software, impacting over 15,000 North American car dealerships
  • City of Dallas, TX (May 2023, as Royal): Compromised police communications, over 1 TB of data stolen
  • KADOKAWA / Niconico (June 2024): Theft of confidential business and employee data from the Japanese media conglomerate
  • Henry County School System, Georgia: Entire district taken offline; data of over 40,000 students compromised

BlackSuit Distribution Method

BlackSuit spreads through phishing emails, malicious attachments, and exploit kits. It also leverages compromised Remote Desktop Protocol (RDP) connections to infiltrate networks.

Technical Analysis of BlackSuit Malware

BlackSuit encrypts files using robust algorithms, leaving victims with ransom notes demanding payment in cryptocurrency. It employs persistence mechanisms to remain active and uses obfuscation techniques to evade detection.


Tactics, Techniques & Procedures (TTPs) 

Per the FBI and CISA joint advisory AA23-061A and MITRE ATT&CK:

  • T1566 – Phishing (initial access via malicious emails)
  • T1078 – Valid Accounts (use of compromised credentials for initial access and lateral movement)
  • T1133 – External Remote Services (exploitation of RDP and VPN)
  • T1190 – Exploit Public-Facing Application (VMware ESXi and other internet-facing vulnerabilities)
  • T1486 – Data Encrypted for Impact (partial encryption with RSA-4096/AES-256)
  • T1048 – Exfiltration Over Alternative Protocol (data staged with 7-Zip and exfiltrated via RClone)
  • T1490 – Inhibit System Recovery (deletion of shadow copies and backups before encryption)
  • T1562.001 – Impair Defenses: Disable or Modify Tools (active disabling of AV/EDR prior to deployment)
  • T1021 – Remote Services (lateral movement using legitimate remote access tools)
  • T1560.001 – Archive Collected Data: Archive via Utility (7-Zip used to compress exfiltrated files)

Indicators of Compromise (IoCs)

FBI and CISA have published detailed IoCs in joint advisory AA23-061A (updated August 7, 2024), available at cisa.gov/news-events/cybersecurity-advisories/aa23-061a. Organizations should consult the official advisory for the full, vetted list of IP addresses, file hashes, and behavioral indicators, as these are updated as new FBI threat response data becomes available.

Behavioral/artifact indicators:

  • Ransom note filename: README.BlackSuit.txt
  • Encrypted file extension: .blacksuit
  • Use of 7z.exe with -tzip and -mx=9 flags for data staging prior to exfiltration
  • Presence of RClone, Cobalt Strike, or Brute Ratel on endpoints
  • NirSoft credential harvesting utilities on victim systems

How to Know if You’re Infected with BlackSuit?

Signs of infection include files with the .blacksuit extension, the presence of README.BlackSuit.txt ransom notes in affected directories, disabled antivirus or EDR software, and abnormal network activity consistent with lateral movement or large-volume data staging.
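The indicators in the TTP and IoC lists above, together with the infection signs just described, can be turned into a simple triage check. The following Python script is an added example written for this page, not Huntress code and not code from any BlackSuit sample: it walks a directory tree for README.BlackSuit.txt and .blacksuit files, and runs three rules (7z.exe with -tzip and -mx=9, RClone execution, shadow copy deletion via vssadmin) over process-creation log lines. The pipe-separated log layout, host names, paths and sample files are constructed for the example and are not a real EDR or Sysmon schema; the vssadmin syntax is an assumption about the common form of the T1490 behaviour the advisory describes.

```python
# Added example for this page (not Huntress or BlackSuit code): triage checks built
# from the artifact indicators and TTPs listed above. Log layout is a constructed
# "timestamp|host|image|commandline" simplification, not a real EDR/Sysmon schema.
import ntpath
import os
import re
import tempfile

RANSOM_NOTE = "README.BlackSuit.txt"  # ransom note filename from the IoC list
ENCRYPTED_EXT = ".blacksuit"         # encrypted file extension from the IoC list


def _image_name(image):
    # Windows paths in the log use backslashes; ntpath splits them on any host OS
    return ntpath.basename(image).lower()


def _is_7z_staging(image, cmdline):
    # 7-Zip invoked with the zip container and max-compression flags from the IoC list
    flags = cmdline.lower().split()
    return _image_name(image) == "7z.exe" and "-tzip" in flags and "-mx=9" in flags


def _is_rclone(image, cmdline):
    # RClone is the exfiltration tool named in the advisory; any execution is worth review
    return _image_name(image) == "rclone.exe"


def _is_shadow_delete(image, cmdline):
    # T1490: "vssadmin delete shadows" is assumed here as the common form of shadow copy removal
    return (_image_name(image) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", cmdline, re.IGNORECASE) is not None)


# (ATT&CK technique from the TTP list, short description, predicate on image and command line)
RULES = [
    ("T1560.001", "7-Zip staging with -tzip -mx=9", _is_7z_staging),
    ("T1048", "RClone execution", _is_rclone),
    ("T1490", "shadow copy deletion", _is_shadow_delete),
]


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not fit the layout."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    timestamp, host, image, cmdline = parts
    return {"timestamp": timestamp, "host": host, "image": image, "cmdline": cmdline}


def scan_process_log(lines):
    """Return (host, technique, description, cmdline) for every line matching a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for technique, description, predicate in RULES:
            if predicate(event["image"], event["cmdline"]):
                hits.append((event["host"], technique, description, event["cmdline"]))
    return hits


def scan_filesystem(root):
    """Walk a directory tree and collect ransom notes and .blacksuit-renamed files."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted)}


# Constructed sample log: two benign lines, three that match a rule, one malformed line.
SAMPLE_LOG = [
    r"2025-11-07T02:11:03Z|WS-FIN-07|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2025-11-07T02:14:51Z|WS-FIN-07|C:\Program Files\7-Zip\7z.exe|7z.exe a -tzip -mx=9 C:\Temp\stage.zip C:\Shares\Finance",
    r"2025-11-07T02:20:10Z|WS-FIN-07|C:\Users\Public\rclone.exe|rclone.exe copy C:\Temp\stage.zip placeholder-remote:",
    r"2025-11-07T02:25:00Z|WS-FIN-07|C:\Program Files\7-Zip\7z.exe|7z.exe x C:\Downloads\driver.zip",
    r"2025-11-07T02:31:44Z|SRV-FILE-01|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "malformed line with no field separators",
]


def build_sample_tree(root):
    """Create a constructed tree with two ransom notes, one encrypted file and one clean file."""
    layout = {
        os.path.join("Finance", "Q3-report.xlsx.blacksuit"): b"\x00" * 16,
        os.path.join("Finance", RANSOM_NOTE): b"constructed placeholder note\n",
        os.path.join("HR", RANSOM_NOTE): b"constructed placeholder note\n",
        os.path.join("HR", "onboarding.docx"): b"clean file\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Run both scans against the constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        fs_findings = scan_filesystem(root)
    return {"filesystem": fs_findings, "process_hits": scan_process_log(SAMPLE_LOG)}


if __name__ == "__main__":
    result = demo()
    for key, value in result["filesystem"].items():
        print(f"{key}: {value}")
    for host, technique, description, cmdline in result["process_hits"]:
        print(f"{host}: {technique} {description} <- {cmdline}")
```

Run it directly to print the findings. In practice the rules would be fed from your EDR's process telemetry and the file walk pointed at file shares, where a burst of .blacksuit renames alongside a ransom note is the loudest signal; the 7-Zip rule deliberately requires both flags so routine archive extraction (the fourth sample line) does not fire.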

BlackSuit Removal Instructions

To remove BlackSuit, disconnect the infected system from the network, use EDR tools, and consult Huntress remediation services for expert assistance.

Is BlackSuit Still Active?

BlackSuit's infrastructure was disrupted in August 2025 via Operation Checkmate, with servers, domains, and cryptocurrency seized by international law enforcement. However, the operators are assessed to have regrouped under a new operation called Chaos. Given the group's history of rebranding (Conti → Royal → BlackSuit → Chaos), organizations should monitor threat intelligence feeds for successor activity from the same operators rather than treating the BlackSuit name as the end of the threat.

Mitigation & Prevention Strategies

Prevent BlackSuit infections by implementing multi-factor authentication (MFA), enforcing strong RDP security controls (or disabling RDP where not required), patching internet-facing systems, and educating users on phishing and social engineering risks.

BlackSuit Malware FAQs

What is BlackSuit ransomware?

BlackSuit is a double-extortion ransomware operation that encrypts files using RSA-4096 and AES-256 and demands cryptocurrency payment for decryption. Before encrypting, the group exfiltrates sensitive data and threatens to publish it on a dark web leak site if the ransom is not paid.

How does BlackSuit get into a network?

BlackSuit infiltrates systems via phishing campaigns, exploit kits, and weak RDP credentials. Once inside, the group conducts extended reconnaissance, harvests credentials, exfiltrates data, and then deploys the ransomware encryptor.

Is BlackSuit still active?

BlackSuit's infrastructure was seized in August 2025 via Operation Checkmate, but the operators are believed to have continued activity under the name Chaos. Given the group's demonstrated pattern of rebranding after disruption, from Conti to Royal to BlackSuit, organizations should remain vigilant against successor operations from the same threat actors.

How can organizations protect against BlackSuit?

Organizations can protect against BlackSuit by implementing MFA, hardening or disabling RDP where not needed, maintaining offline backups, patching vulnerabilities, educating employees on phishing risks, and using Huntress 24/7 monitoring for early detection.
