Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius.
Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue.
Read more…
Source: Trend Micro
Related:
- DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
November 8, 2022
C&C systems are useful collaboration tools for penetration testers and red teamers. They provide a common place for all victim machines to reach out to, be controlled from, and allow multiple users to interact with the same victims. When performing authorized testing, this is very important as logs are kept in a single place to ...
- CISA Adds Seven Known Exploited Vulnerabilities to Catalog
November 8, 2022
CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added ...
- Massive Phishing Campaigns Target India Banks’ Clients
November 7, 2022
Trend Micro researchers observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions: To fill in their personally identifiable information (PII) and ...
- Azov Ransomware is a wiper, destroying data 666 bytes at a time
November 7, 2022
The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs. Last month, a threat actor began distributing malware called ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files. However, instead of providing contact info to negotiate a ransom, ...
- China is likely stockpiling and deploying vulnerabilities, says Microsoft
November 7, 2022
Microsoft has asserted that China’s offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China’s 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability ...
- Greece: Report claims illegal surveillance software was used to spy on politicians, journalists and businessmen
November 5, 2022
Greece has been rocked by a ‘wiretapping’ scandal as a bombshell report claimed Prime Minister Kyriakos Mitsotakis ‘used state intelligence to spy on dozens of people including potential political rivals, journalists and businessmen’. Documento reported that the list of targets included former premier Antonis Samaras, current members of the cabinet and shipping magnate Vangelis Marinakis, owner ...

