Credential Theft
- AccountRestore
- Mimikatz
- NirSoft Dialupass
- NirSoft IEPassView (iepv)
- NirSoft MailPassView
- NirSoft Netpass
- NirSoft RouterPassView
BlackSuit is a Windows ransomware family and criminal operation closely tied to Royal and the broader Conti lineage.
Profile source: Mallory opens in a new tabBlackSuit
BlackSuit is a Windows ransomware family and criminal operation closely tied to Royal and the broader Conti lineage. It emerged as a new encryptor associated with the Royal gang and is widely assessed as either a Royal rebrand, a parallel locker used by the same operators, or a direct successor within the same ecosystem. Reporting consistently places BlackSuit alongside former Conti and Royal personnel, and some tracking describes it as a Conti spinoff or descendant.
BlackSuit is used in enterprise-targeted intrusions that combine data theft and file encryption for extortion. Observed tradecraft includes credential theft, lateral movement with PsExec and Remote Desktop, abuse of legitimate administrative tools, and pre-encryption disruption of defenses through endpoint-security killing tools and malicious drivers. Operators linked to BlackSuit have also been associated with remote-access tooling, network reconnaissance, and exfiltration prior to encryption. Like Royal, BlackSuit has been observed deleting shadow copies to inhibit recovery.
Initial access associated with the broader BlackSuit/Royal activity includes phishing-derived access chains, compromised remote services, brute-forced RDP, exploitation of public-facing applications, and social-engineering operations in which victims are bombarded with email and then contacted by impersonated help-desk personnel over Microsoft Teams or voice calls to persuade them to install remote-access software. BlackSuit-related intrusions have also been linked to clustered ransomware tradecraft shared with other major families, suggesting affiliate crossover, tool sharing, or operational collaboration across the ransomware ecosystem.
BlackSuit has affected organizations across multiple sectors and has been prominent enough to appear regularly in incident-response and ransomware-prevalence reporting. Its operational profile reflects a mature big-game ransomware model focused on full-network compromise, data exfiltration, and high-impact extortion against enterprise victims.
Ransomware.live
Ransomware.live
104.244.75.168Reported operators
Rapid7 disclosed that the initial infiltration strategy used by BlackBasta after the February 2025 internal chat leak was identified in the BlackSuit ransomware group: email bombing followed by impersonating helpdesk staff and contacting them via Microsoft Teams and voice calls to trick them into installing remote access tools such as Quick Assist, AnyDesk, and ScreenConnect.
A threat actor group that Microsoft designated as DEV-0569 (now Storm-0569) used a very similar technique in late 2022 to deploy Royal ransomware.
A threat actor group that Microsoft designated as DEV-0569 (now Storm-0569) used a very similar technique in late 2022 to deploy Royal ransomware.
"Royal ransomware is following in the same path, a new variant targeting Linux systems emerged... Royal’s Linux counterpart also targets ESXi servers"; "In its early campaigns, Royal deployed BlackCat’s encryptor, but later shifted to its own called Zeon".
...BlackSuite Ransomware Gang...
“…BlackSuit ransomware actors breached CDK Global… strongly suggesting it is rebranding of Royal ransomware.”
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
MITRE ATT&CK
Reporting
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
Blacksuit4
The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.
Other high-risk interactions include approximately USD 41.5 million linked to now-defunct Russian exchange Garantex, approximately USD 51.2 million associated with wallets connected to the September 2023 CoinEx hack, USD 2.4 million tied to BlackSuit ransomware, and roughly USD 3.4 million involving the Wasabi mixing service.
...from the BlackSuit/Royal ransomware group (a Conti spinoff)...
The Chaos ransomware operation has existed since February 2025 and cybersecurity experts believe it was created by former members of the now-defunct BlackSuit and Royal ransomware groups.
the syndicate operated under several prominent ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.