Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructure
December 3, 2025
An Iranian-aligned hacking group tracked as ‘MuddyWater’ has dramatically shifted tactics in attacks against Israeli and Egyptian critical infrastructure. Previous campaigns by the group, observed by ESET Research, were characteristically noisy in their tactics, techniques, and procedures (TTPs) making them easily detectable. However, the group has begun employing a new backdoor deployed via the Fooder loader, ...
- Fintech firm Marquis alerts dozens of US banks and credit unions of a data breach after ransomware attack
December 3, 2025
Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year. Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack. Texas-based Marquis is a marketing and compliance ...
- Attackers have a new way to slip past your MFA
December 3, 2025
Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token. Researchers are warning about a rise in cases where this method is used against educational institutions. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in ...
- A data breach at analytics giant Mixpanel leaves a lot of open questions
December 2, 2025
A cybersecurity incident at analytics provider Mixpanel announced just hours before the U.S. Thanksgiving holiday weekend could set a new standard for how not to announce a data breach. To recap: In a bare bones blog post last Wednesday, Mixpanel chief executive Jen Taylor announced that the company had detected an unspecified security incident on November ...
- Unraveling Water Saci’s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
December 2, 2025
Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in Trend Micro previously published research on the SORVEPOTEL malware and the broader Water Saci campaignopen on a new tab, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social ...
- Google patches 107 Android flaws, including two being actively exploited
December 2, 2025
Google has patched 107 vulnerabilities in Android in its December 2025 Android Security Bulletin, including two high-severity flaws that are being actively exploited. The December updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, but that doesn’t always mean the patches ...