Skip to content
Ransomware group Windows

BlackSuit

BlackSuit is a Windows ransomware family and criminal operation closely tied to Royal and the broader Conti lineage.

Profile source: Mallory opens in a new tab

BlackSuit

Family profile

BlackSuit is a Windows ransomware family and criminal operation closely tied to Royal and the broader Conti lineage. It emerged as a new encryptor associated with the Royal gang and is widely assessed as either a Royal rebrand, a parallel locker used by the same operators, or a direct successor within the same ecosystem. Reporting consistently places BlackSuit alongside former Conti and Royal personnel, and some tracking describes it as a Conti spinoff or descendant.

BlackSuit is used in enterprise-targeted intrusions that combine data theft and file encryption for extortion. Observed tradecraft includes credential theft, lateral movement with PsExec and Remote Desktop, abuse of legitimate administrative tools, and pre-encryption disruption of defenses through endpoint-security killing tools and malicious drivers. Operators linked to BlackSuit have also been associated with remote-access tooling, network reconnaissance, and exfiltration prior to encryption. Like Royal, BlackSuit has been observed deleting shadow copies to inhibit recovery.

Initial access associated with the broader BlackSuit/Royal activity includes phishing-derived access chains, compromised remote services, brute-forced RDP, exploitation of public-facing applications, and social-engineering operations in which victims are bombarded with email and then contacted by impersonated help-desk personnel over Microsoft Teams or voice calls to persuade them to install remote-access software. BlackSuit-related intrusions have also been linked to clustered ransomware tradecraft shared with other major families, suggesting affiliate crossover, tool sharing, or operational collaboration across the ransomware ecosystem.

BlackSuit has affected organizations across multiple sectors and has been prominent enough to appear regularly in incident-response and ransomware-prevalence reporting. Its operational profile reflects a mature big-game ransomware model focused on full-network compromise, data exfiltration, and high-impact extortion against enterprise victims.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • AccountRestore
  • Mimikatz
  • NirSoft Dialupass
  • NirSoft IEPassView (iepv)
  • NirSoft MailPassView
  • NirSoft Netpass
  • NirSoft RouterPassView

Defense Evasion

  • Eraser
  • GMER
  • Inno Setup
  • PowerTool
  • VirtualBox

Discovery Enum

  • AdFind
  • Advanced IP Scanner
  • SharpHound
  • SharpShares
  • SoftPerfect NetScan

Exfiltration

  • 7-Zip
  • Bublup
  • RClone
  • Temp[.]sh

LOLBAS

  • NTDS Utility (ntdsutil)
  • PowerShell
  • PsExec
  • WMIC
  • attrib

Networking

  • Chisel
  • Cloudflared
  • OpenSSH

Offsec

  • Brute Ratel C4
  • Cobalt Strike
  • Rubeus

RMM Tools

  • AnyDesk
  • Atera
  • LogMeIn
  • MobaXterm

Ransomware.live

Published indicators

Full source record ↗

Ip

1 total
  • 104.244.75.168

Reported operators

Threat actors

7 named in public reporting
Storm-1811

Rapid7 disclosed that the initial infiltration strategy used by BlackBasta after the February 2025 internal chat leak was identified in the BlackSuit ransomware group: email bombing followed by impersonating helpdesk staff and contacting them via Microsoft Teams and voice calls to trick them into installing remote access tools such as Quick Assist, AnyDesk, and ScreenConnect.

Storm-0569

A threat actor group that Microsoft designated as DEV-0569 (now Storm-0569) used a very similar technique in late 2022 to deploy Royal ransomware.

DEV-0569

A threat actor group that Microsoft designated as DEV-0569 (now Storm-0569) used a very similar technique in late 2022 to deploy Royal ransomware.

Conti

"Royal ransomware is following in the same path, a new variant targeting Linux systems emerged... Royal’s Linux counterpart also targets ESXi servers"; "In its early campaigns, Royal deployed BlackCat’s encryptor, but later shifted to its own called Zeon".

Black Suit

“…BlackSuit ransomware actors breached CDK Global… strongly suggesting it is rebranding of Royal ransomware.”

Stern

...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.

MITRE ATT&CK

BlackSuit in ATT&CK

37 distinct techniques

Reporting

Research mentioning BlackSuit

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Blacksuit4

Jul 10
Threataft

Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft

The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.

Jun 24
Trm Labs

How CoinEx Became Iran's Primary Gateway to Global Cryptocurrency Markets | TRM Labs

Other high-risk interactions include approximately USD 41.5 million linked to now-defunct Russian exchange Garantex, approximately USD 51.2 million associated with wallets connected to the September 2023 CoinEx hack, USD 2.4 million tied to BlackSuit ransomware, and roughly USD 3.4 million involving the Wasabi mixing service.

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

...from the BlackSuit/Royal ransomware group (a Conti spinoff)...

May 7
The Record Media

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

The Chaos ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct BlackSuit and Royal ransomware groups.

May 6
Cyber Security News

Member of Prolific Russian Ransomware Group Sentenced to 102 Months in Prison

the syndicate operated under several prominent ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira

May 5
Cyberscoop

Latvian national sentenced for ransomware attacks run by former Conti leaders | CyberScoop

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.