A Glimpse into the Cyber Underworld: The Rise of BlackSuit
In an incident that underscores the growing menace of cybercrime, just over a year ago, Dallas was compelled to shut down its computer systems following a cyberattack. The attack, orchestrated by the Royal gang, forced Dallas firefighters to revert to manual methods for tracking emergencies. It took weeks to bring systems back online, and sensitive data of about 30,000 individuals was stolen.
Royal, a ferocious cybercriminal faction originally known as Zeon, comprises seasoned hackers, some of whom are former members of the infamous Conti group. This ecosystem of hacking groups is constantly in flux, with members frequently rebranding and merging into new entities. Shortly after the Dallas attack, Royal re-emerged as BlackSuit. Recently, BlackSuit has been implicated in cyberattacks against CDK Global, crippling computer systems at numerous car dealerships across North America.
BlackSuit has posted 96 victims on its dark web extortion page since its inception in May 2023. According to threat analyst Allan Liska from Recorded Future Inc., the actual number of victims is likely higher, as many unnamed entities opted to pay the demanded ransoms. This trend illustrates the grim reality of cybercrime; dissolving one group often leads to the formation of another, equally menacing one. Law enforcement agencies in the US, UK, and beyond have ramped up efforts, imposing sanctions and disabling computer infrastructures, but apprehending these cybercriminals remains challenging as many reside in countries that offer them sanctuary.
Who is BlackSuit?
BlackSuit remains an enigmatic and discreet group, described by Liska and others as businesslike rather than flamboyant. Distinct from other hackers who seek public attention, BlackSuit operates under the radar. The gang's ransom demands typically range from $300,000 to $5 million, with a willingness to negotiate. Shane Sims, CEO of Kivu Consulting, which has probed several BlackSuit breaches this year, mentions that the group employs a "double extortion" strategy. This involves both locking companies' systems with ransomware and stealing data to threaten its sale or leak.
BlackSuit's entry tactics include phishing and using stolen or sold login credentials found on the dark web. They are adept at "social engineering," or manipulating individuals into divulging information useful for network infiltration. For instance, during the CDK attack, hackers impersonated employees to deceive customers into granting system access.
Speed and Precision
BlackSuit operates with alarming speed and efficiency. Dustin Childs from Trend Micro’s Zero Day Initiative highlights that the group has stolen significant data—comparable to the size of about 40 DVDs—in under two hours. The majority of their victims, about 70%, are based in the US, with others primarily in the UK and Canada.
One particularly striking case involved BlackSuit stealing data and blocking access to all files on a company’s devices. The hackers communicated in fluent American English and provided detailed ransom negotiation instructions on the dark web. The company, eventually yielding to the pressure, paid less than $1 million to restore its data.
Historical Roots
Tracing BlackSuit’s lineage, researchers connect it to Royal, which has ties to Conti, a notorious Russian-based gang responsible for significant breaches, including attacks on Ireland’s Health Service and Costa Rica’s government. The FBI's estimates from January 2022 state that Conti's malware was used in over 1,000 attacks, raking in $180 million in ransoms during 2021 alone. Royal demanded over $275 million from at least 350 victims in recent years. Dallas was among Royal’s final targets before it transitioned to BlackSuit. The city’s technology team was forced into relentless six-week recovery efforts post-attack.
"This isn’t a group of kids in a basement," stressed Brian Gardner, Dallas’s Chief Information Officer. "This is real." The cybercrime landscape is evolving, with sophisticated and organized groups like BlackSuit embodying a formidable threat.