Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
August 20, 2025
Organizations continue to grapple with increasingly complex cyberthreats, as ransomware groups rapidly evolve their tactics. In a recent attack wave, the Warlock ransomware group exploited internet-exposed, unpatched on-premise Microsoft SharePoint servers, abusing newly discovered vulnerabilities to gain initial access to their target’s system. Other groups such as Linen Typhoon and Violet Typhoon have also been observed ...
- A clever new Linux malware is breaking into systems and then shutting the door behind it to avoid detection
August 19, 2025
A hacker was recently spotted patching someone’s vulnerable cloud Linux instance – but they did not do it out of the goodness of their heart. Security researchers Red Canary observed a threat actor abusing a maximum severity flaw, tracked as CVE-2023-46604, to break into a cloud Linux system. The vulnerability is found in Apache ActiveMQ, and ...
- Pharma giant Inotiv hit by ransomware attack, says operations were affected
August 19, 2025
Inotiv, an American pharmaceutical and biotech company, has confirmed it has suffered a ransomware attack which forced it to shut down parts of its IT infrastructure. In a report filed with the US Securities and Exchange Commission (SEC), the company said it spotted the attack on August 8, 2025. The initial investigation determined that someone broke ...
- Deep dive into CVE‑2025‑29824 in Windows
August 19, 2025
On April 8, 2025, Microsoft patched 121 vulnerabilities across its products, including CVE-2025-29824—the only one known to be exploited in the wild. This particular flaw enabled adversaries to escalate Windows privileges by leveraging a bug in the clfs.sys driver. Microsoft Threat Intelligence discovered the issue during the Storm-2460 attacks targeting organizations in Saudi Arabia, Spain, Venezuela, ...
- GodRAT – New RAT targeting financial institutions
August 19, 2025
In September 2024, Kaspersky researchers detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers ...
- Cisco warns of worrying major security flaw in firewall command center – patch now
August 18, 2025
Cisco recently fixed a maximum-severity vulnerability in its Secure Firewall Management Center (FMC) product, and urged users to apply either the patch, or the mitigation, as soon as possible. FMC is a centralized platform for configuring, monitoring, and analyzing Cisco Secure Firewalls, where users can manage policies, track threat intelligence, and monitor their deployments across endpoints. ...