From some internal rumblings, Royal might be looking to pull a quick name change in hopes of avoiding some of the heat from the Dallas attack. This has not been confirmed, but given how quickly organizations can compost and rebuild operations (it is a target-rich environment), it is not out of the realm of possibility that they are looking for a reimaging or reboot. It is with this in mind that we turn our attention to BlackSuit.
First identified in May, the newly branded encryptor found in the BlackSuit campaign has a lot in common with Royal. This has led a few researchers to think this might be the direction that Royal was looking to go. The expected rebranding has not materialized yet, but the Royal group has been seen leveraging the BlackSuit encryptor along with their usual offering.
Royal is an interesting mix of talent and, while large (as organizations go), they tend to operate in small groups of around 5. Royal is a very active and sophisticated group. They tend to develop their own loaders and deploy very effective encryptors in their campaigns. Seeing BlackSuit show up might just be them adding another weapon to their arsenal. We know that they will switch loaders when needed or when they feel the loaders have run their course, so we could just be seeing the next iteration of their toolset in BlackSuit.
As ransomware groups, private and professional, are showing an even greater level of sophistication, it is time for the defenders to shake things up. Doing what we have always done is not going to protect against any of the evolving threats out there. Attackers know “what we’ve always done”, so they can anticipate it. New and creative thought processes around security need to be employed to prevent these attacks.