Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- Nevada hit by cyber attack disrupting state services for thousands
August 27, 2025
A cyber attack targeting Nevada’s state technology systems has left thousands of residents without access to vital services for days, with many offices still struggling to restore full operations. The attack, which began early Sunday morning, forced the closure of numerous state agencies, including the DMV, State Police, and Attorney General’s offices on Monday and Tuesday. ...
- A critical Docker Desktop security flaw puts Windows hosts at risk of attack – patch now
August 26, 2025
Docker has patched a critical severity vulnerability in its Desktop app for Windows and macOS which could have allowed threat actors to fully take over vulnerable hosts, exfiltrate sensitive data, and more. The vulnerability is described as a server-side request forgery (SSRF) and, according to the NVD, it “allows local running Linux containers to access the ...
- Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data
August 26, 2025
A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories. Seyfullah Kiliç, founder of cybersecurity company SwordSec, said he found over 1,300 internet-exposed TeslaMate dashboards on the internet, likely made public by mistake, allowing anyone to ...
- Deception in Depth: PRC-nexus espionage campaign hijacks web traffic to target diplomats
August 25, 2025
This blog post presents Google Threat Intelligence Group (GTIG) findings and analysis of this espionage campaign, as well as the evolution of the threat actor’s operational capabilities. GTIG examine how the malware is delivered, how the threat actor utilized social engineering and evasion techniques, and technical aspects of the multi-stage malware payloads. In this campaign, the ...
- A new security flaw in TheTruthSpy phone spyware is putting victims at risk
August 25, 2025
A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed. Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of ...
- The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign
August 22, 2025
Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy.” The malware resurfaced this past July with new activity, this time targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, ...