Origins and the Royal Connection
BlackSuit is not a new operation — it is a rebranding and continuation of the Royal ransomware group, which itself emerged from the dissolution of Conti in 2022. The lineage matters for understanding BlackSuit’s capabilities: the group has been operationally mature since its Conti-era roots, and the rebrand was driven by law enforcement attention rather than any operational weakness.
Royal ransomware operated from September 2022 and quickly established itself as one of the more prolific and technically capable groups of that period. CISA and the FBI published a joint advisory in March 2023 identifying Royal as a significant threat to critical infrastructure, noting over 350 known victims and ransom demands ranging from $1 million to over $11 million.
In mid-2023, Royal began testing a new encryptor branded BlackSuit in limited deployments. By late 2023, Royal had largely ceased operations under that name, with the same infrastructure, toolset, and apparent affiliate relationships continuing under BlackSuit. FBI analysis confirmed the operational continuity: the BlackSuit ransomware binary shares significant code overlap with Royal, including the partial encryption approach and ESXi targeting capability.
Technical Capabilities
Encryptor: BlackSuit maintains Royal’s distinctive partial encryption approach. Rather than encrypting entire files, the encryptor encrypts a configurable percentage of file content — sufficient to render files unusable but faster than full encryption, reducing the time window for detection and response before encryption completes. This technique was novel when Royal introduced it and has since appeared in other operations, but BlackSuit’s implementation is particularly well-optimised.
Cross-platform support: BlackSuit deploys separate encryptors for Windows and Linux/VMware ESXi environments. The ESXi variant targets hypervisor infrastructure directly, enabling simultaneous encryption of all virtual machines hosted on a compromised ESXi host — one of the highest-impact single actions available to ransomware operators.
BYOVD capability: BlackSuit affiliates have been observed using Bring Your Own Vulnerable Driver techniques to disable endpoint detection and response tools prior to encryption. The technique uses a legitimately signed but vulnerable kernel driver to execute kernel-mode code that terminates EDR agent processes and disables their protection.
Initial access methods: Unlike some operations with a narrower initial access profile, BlackSuit affiliates use multiple vectors: phishing with malicious attachments, exploitation of public-facing vulnerabilities (particularly in VPN and remote access appliances), and purchased initial access from brokers. The flexibility reflects the inherited affiliate network’s varied capabilities.
Intrusion Pattern
Documented BlackSuit intrusions follow a consistent pattern that reflects the group’s penetration-tester approach to network exploitation:
Initial access and persistence: Phishing or VPN exploitation provides the foothold. The affiliate establishes persistence via scheduled tasks or services before proceeding with reconnaissance.
Credential harvesting: Mimikatz or similar tooling is used to dump credentials from memory. LSASS dumping is a consistent technique. The objective is domain administrator credentials enabling lateral movement.
Reconnaissance and lateral movement: ADFind or similar tools enumerate Active Directory to identify high-value targets: backup servers, domain controllers, ESXi hosts. Lateral movement proceeds via legitimate administrative tools — PsExec, WMI, RDP — using the harvested credentials.
Exfiltration before encryption: BlackSuit is a double-extortion operation. Data is exfiltrated to attacker-controlled infrastructure before encryption using tools including Rclone and MEGAsync. This typically occurs over days to weeks of dwell time.
Backup disruption: Before deploying the encryptor, affiliates identify and destroy or encrypt backup infrastructure. Volume Shadow Copies are deleted. Backup server access is used to destroy backup data. This ensures recovery without payment is not viable.
Encryption deployment: The encryptor is deployed via Group Policy, PsExec, or remote service installation across the domain simultaneously. ESXi encryption is deployed separately. The combination typically takes down the entire enterprise environment within hours.
Sector Targeting
BlackSuit’s targeting reflects the inherited Royal targeting strategy: sectors with high operational dependency on IT systems and significant pressure to pay to restore operations.
Healthcare has been the highest-profile sector. The disruption to patient care from healthcare ransomware incidents — cancelled surgeries, diverted emergency patients, loss of access to medical records — creates maximum pressure on operators. BlackSuit has been attributed to several significant healthcare incidents in the US and UK.
Education — particularly universities — is targeted for a combination of factors: typically large attack surfaces, heterogeneous IT environments with varying security maturity, and sufficient resources to pay meaningful ransoms.
Critical infrastructure is a recurring target, consistent with Royal’s profile. CISA advisories on both Royal and BlackSuit identify energy, water, and manufacturing as sectors at elevated risk.
Government entities — primarily US state and local government — appear in incident attributions. The operational impact on government service delivery creates payment pressure comparable to healthcare.
Data Leak Site and Extortion
BlackSuit operates a Tor-based data leak site where victim data is published if ransom payment is not made. The site structure mirrors other professional ransomware operations: a victim list, countdown timers, and partial data previews designed to pressure victims.
The negotiation process is handled through a dedicated Tor-accessible portal provided to victims in the ransom note. Negotiations are conducted in English and are typically handled by actors with apparent experience in the process — another indicator of the inherited Royal operational structure.
Detection and Response Indicators
Key artefacts from documented BlackSuit incidents:
- EDR-disabling BYOVD: Look for kernel driver loading events, particularly for known vulnerable drivers (check LOLDrivers.io against loaded drivers)
- Credential dumping: LSASS access events, particularly from processes that do not normally access LSASS
- Backup targeting: Unusual access to backup server admin interfaces; vssadmin delete shadows execution
- Rclone and MEGAsync: Both tools appearing on enterprise hosts outside of known legitimate use cases should trigger investigation
- Encryptor deployment: Simultaneous file rename events across multiple hosts with the .blacksuit extension appended
The dwell time before encryption — typically days to weeks — is the detection opportunity. Organisations monitoring for credential dumping, backup access anomalies, and large data egress have the best chance of detecting an intrusion before encryption begins.
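A small triage routine over constructed telemetry, written here as an added example (not part of the original article or of any vendor tooling), that applies four of the indicators listed above: shadow-copy deletion via vssadmin, Rclone/MEGAsync execution, LSASS access from processes outside an allowlist, and renames to the .blacksuit extension appearing on several hosts at once. The event shape, the LSASS allowlist, the host names and the sample records are all assumptions.

```python
import re
from collections import defaultdict

# Assumed allowlist of processes that routinely open LSASS; tune per environment.
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)

def triage(events, rename_host_threshold=3):
    """Return (rule, host, detail) findings for the indicators listed in the article."""
    findings = []
    rename_hosts = defaultdict(set)  # extension -> hosts where renames were seen
    for e in events:
        kind, host = e["kind"], e["host"]
        if kind == "process":
            if SHADOW_DELETE.search(e.get("cmdline", "")):
                findings.append(("backup_disruption", host, e["cmdline"]))
            if e["image"].lower() in EXFIL_TOOLS:
                findings.append(("exfil_tool", host, e["image"]))
        elif kind == "process_access":
            if e["target"].lower() == "lsass.exe" and e["source"] not in LSASS_ALLOWLIST:
                findings.append(("lsass_access", host, e["source"]))
        elif kind == "file_rename":
            rename_hosts[e["new_name"].rsplit(".", 1)[-1].lower()].add(host)
    # Renames to .blacksuit on several hosts within one batch of telemetry is the
    # encryptor-deployment signal; an isolated rename on one host is treated as noise.
    hosts = rename_hosts.get("blacksuit", set())
    if len(hosts) >= rename_host_threshold:
        findings.append(("mass_rename", ",".join(sorted(hosts)), f"{len(hosts)} hosts"))
    return findings

# Constructed sample telemetry (assumed Sysmon-like fields), not data from any real incident.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws01", "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"kind": "process", "host": "fs02", "image": "rclone.exe",
     "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"kind": "process_access", "host": "dc01", "source": "rundll32.exe", "target": "lsass.exe"},
    {"kind": "process_access", "host": "dc01", "source": "MsMpEng.exe", "target": "lsass.exe"},
    {"kind": "file_rename", "host": "ws01", "new_name": "budget.xlsx.blacksuit"},
    {"kind": "file_rename", "host": "ws02", "new_name": "notes.docx.blacksuit"},
    {"kind": "file_rename", "host": "fs02", "new_name": "db.bak.blacksuit"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The allowlisted MsMpEng.exe access to LSASS is deliberately not flagged, and dropping the third rename from the sample input leaves the mass-rename rule below its threshold, which is the distinction between a single renamed file and a domain-wide deployment.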
Current Operational Status
As of mid-2026, BlackSuit remains active. The operation has maintained a consistent victim rate since its emergence, appearing in incident attribution from multiple IR firms. No significant law enforcement disruption has been publicly attributed to the group, and the operational infrastructure shows no signs of wind-down.
The inherited Royal/Conti expertise means BlackSuit affiliates are typically more technically capable than commodity ransomware operators. Incidents attributed to the group tend to involve deeper network penetration and more comprehensive encryption than many contemporaries.