BlackSuit Ransomware: The Complete Guide

BlackSuit ransomware is a type of malware that is known to target both Windows and Linux users and prevents victims from accessing their files by encrypting them. You can usually identify this ransomware because BlackSuit appends the “.blacksuit” extension to filenames and changes the desktop wallpaper, creates a ransom note called “README.BlackSuit.txt”, and renames files.

The BlackSuit ransom note will make several claims, most notably that essential files have been encrypted and stored on a secure server, and therefore, any financial reports, intellectual property, personal files, and other sensitive data have been compromised. BlackSuit also has a data leak site as part of its double extortion strategy to coerce victims into paying the ransom demand.

What kind of malware is BlackSuit?

BlackSuit is a ransomware, a type of malware that encrypts files on a victim’s system and demands payment in exchange for the decryption key.

Once the ransomware infects a system, it uses the FindFirstFileW() and FindNextFileW() API functions to enumerate the files and directories and initiate the encryption process. BlackSuit ransomware uses the Advanced Encryption Standard (AES) algorithm to encrypt files. The AES algorithm is a symmetric encryption algorithm that is widely used for encrypting data. BlackSuit ransomware uses OpenSSL’s AES for encryption and leverages similar intermittent encryption techniques for fast and efficient encryption of victim files.

BlackSuit ransomware targets both Windows and Linux operating systems users. The ransomware drops the ransom note named “README.BlackSuit.txt” in every directory it traverses. After encrypting the files, it renames them by appending the “.BlackSuit” extension

Everything we know about BlackSuit Ransomware

Confirmed Name

• BlackSuit virus

Threat Type

• Ransomware
• Crypto Virus
• Files locker
• Double extortion

Encrypted Files Extension

•  .blacksuit

Ransom Demanding Message

• README.BlackSuit.txt

Detection Names

• Avast Win32:Malware-gen
• Kaspersky HEUR:Trojan-Ransom.Win32.Generic
• Sophos Mal/Generic-S (PUA)
• Microsoft Ransom:Win32/BlackSuit.B

Distribution methods

• Infected email attachments (macros)
• Torrent websites
• Malicious ads
• Trojans

Consequences

• Files are encrypted and locked until the ransom payment
• Data leak
• Double extortion

Windows Variant

• The 32-bit Windows variants of BlackSuit and Royal ransomware families share a 93.2% similarity in functions, 99.3% similarity in basic blocks, and 98.4% in jumps based on BinDiff.
• BlackSuit and Royal use OpenSSL’s AES for encryption and leverage similar intermittent encryption techniques.

Linux Variant

• The Linux variant of the BlackSuit ransomware is a 64-bit ELF executable compiled with GCC with sha256 as 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e.
• The Linux variants of Royal and BlackSuit share 98% similarity in function, 99.5% similarity in blocks, and 98.9% similarity in jumps based on the BinDiff comparison tool.

Is There a Free Decryptor Available?

No. There is no known public decryptor for BlackSuit ransomware available at this time.

What are BlackSuit ransomware’s IOCs?

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

BlackSuit ransomware infection may not show any noticeable symptoms until the ransom notification appears. However, here are some symptoms that may indicate a BlackSuit ransomware infection:

• Files cannot be opened or accessed, and their names have been changed to include the “.blacksuit” extension.
• The desktop wallpaper has been changed.
• A ransom note called “README.BlackSuit.txt” is present in every directory.
• The ransom note claims that essential files have been encrypted and stored on a secure server, and that financial reports, intellectual property, personal files, and other sensitive data have been compromised.
• The victim may receive a message demanding payment in exchange for the decryption key.

If any of these symptoms are present, it is recommended to take immediate action to prevent further damage and loss of data. Contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

What is in the BlackSuit ransom note

The ransom note generated by BlackSuit ransomware is called “README.BlackSuit.txt” and is dropped in every directory it traverses. The note contains a message from the attackers claiming that essential files have been encrypted and stored on a secure server. The note also mentions that financial reports, intellectual property, personal files, and other sensitive data have been compromised. The attackers demand a ransom payment in exchange for the decryption key.

Overall, the tone of the BlackSuit ransom note is designed to create a sense of urgency and fear in the victim, compelling them to comply with the attackers’ demands.

Sample of the BlackSuit ransom note:

How does BlackSuit ransomware spread

Common ways that BlackSuit ransomware can infect a system:

Infected email attachments (macros)

• Cybercriminals may distribute BlackSuit ransomware through email attachments that contain infected links or macros.
• Users who open these attachments or enable macros can inadvertently trigger the execution of the ransomware on their system.

Torrent websites

• BlackSuit ransomware can be embedded into torrent files, which are commonly used for downloading and sharing files through peer-to-peer networks.
• When users download and open these infected torrent files, their systems can become infected with the ransomware.

Malicious ads

• Malicious ads, also known as malvertising, can be used as a method to distribute BlackSuit ransomware.
• Users who click on these ads may be redirected to websites that automatically download and install the ransomware on their system.

Trojans

• BlackSuit ransomware can be delivered through Trojans, which are malicious programs that can download and install other types of malware, including ransomware.
• Trojans can be distributed through various means, such as phishing emails, fake software updates, or compromised websites

How does BlackSuit ransomware work?

BlackSuit ransomware is a type of malware that operates as a ransomware threat, preventing victims from accessing their files by encrypting them. It is important to note that the specific behavior and functionality of BlackSuit ransomware may vary across different versions or variants.

Here is a description of how BlackSuit ransomware typically works:

Distribution

BlackSuit ransomware is distributed through various methods, including infected email attachments, torrent websites, malicious ads, and Trojans.

Execution

Once the ransomware infects a system, it initiates the encryption process. It uses the FindFirstFileW() and FindNextFileW() API functions to enumerate the files and directories on the system.

Encryption

BlackSuit ransomware uses a strong cryptographic algorithm, such as the Advanced Encryption Standard (AES), to encrypt the targeted file types. The encrypted files are modified by appending the “.blacksuit” extension to their original names.

Ransom note

After encrypting the files, BlackSuit ransomware drops a ransom note named “README.BlackSuit.txt” in every directory it traverses. The ransom note serves as a communication from the attackers, demanding a ransom payment in exchange for the decryption key.

Desktop wallpaper change

BlackSuit ransomware also alters the desktop wallpaper of the infected system, displaying a message or image related to the ransomware attack.

Data loss and extortion

The encrypted files become inaccessible and unusable without the decryption key. The attackers may threaten to leak or sell the compromised data if the ransom is not paid.

Do not pay the ransom! Victims of BlackSuit ransomware attacks are advised to report the incident to law enforcement and seek the assistance of a reputable cybersecurity professional.

How to handle a BlackSuit ransomware attack

Important: The first step after identifying BlackSuit IOCs is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.

To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by disconnecting it from the internet and removing any connected device.

Simultaneously this team will assist you in contacting your country’s local authorities. For US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3). To report a ransomware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with the ransomware actors (if you have them)
• A sample of an encrypted file

However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as they are and call an emergency ransomware recovery service.

Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file might be reverse-engineered and lead to the decryption of the data or understanding of how it operates.

What NOT to do to recover from a BlackSuit ransomware attack

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contacting your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they will care for everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the BlackSuit ransomware. Also, these services can patch your system, preventing new ransomware attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent BlackSuit ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

Prevent a ransomware attack

Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. BlackSuit ransomware can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

• Use reliable antivirus software. Install and regularly update reputable antivirus software on your system. This can help detect and block known ransomware threats, including BlackSuit.
• Exercise caution with email attachments. Be cautious when opening email attachments, especially if they come from unknown or suspicious sources. Avoid opening attachments that you were not expecting or that seem suspicious.
• Be wary of suspicious links. Avoid clicking on suspicious links, especially in emails, pop-up ads, or on unfamiliar websites. These links may lead to malicious websites that can distribute ransomware like BlackSuit.
• Keep your operating system and software up to date. Regularly update your operating system, web browsers, and other software applications. Software updates often include security patches that can help protect against known vulnerabilities that ransomware may exploit.
• Enable automatic updates. Enable automatic updates for your operating system and software applications. This ensures that you receive the latest security patches and updates without manual intervention.
• Back up your files regularly. Regularly backup your important files to an external hard drive, cloud storage, or another secure location. In the event of a ransomware attack, having backups can help you restore your files without having to pay the ransom.
• Educate yourself and your employees. Educate yourself and your employees about safe online practices, such as avoiding suspicious downloads, being cautious with email attachments, and recognizing phishing attempts. Awareness and vigilance can go a long way in preventing ransomware infections.

By following these preventive measures, you can reduce the risk of BlackSuit ransomware infecting your system and protect your files from being encrypted.