Correlation between BlackSuit and Royal

This week, GLIMPS’ CTI team had the opportunity to analyze a new ransomware: BlackSuit. Thanks to GLIMPS Malware’s datasets functionality we were able to highlight the correlation between BlackSuit & Royal (the latter being very present in recent weeks).

By keeping abreast of current event, the CTI team was able to build up a dataset containing several strains of the Royal ransomware family. It serves as a reference for this family, and is continually updated as new strains appear.

1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e

This file was identified by GLIMPS Malware as malicious.

The deep engine analysis indicates that this sample includes functions used in binaries from the Royal family.

This link between BlackSuit and Royal is highlighted by the GLIMPS Malware analysis platform.

A study of strings shows that the ransom note is called README.BlackSuit.txt and that the link contained in it points to the attackers’ storefront belonging to BlackSuit.

It’s hard to say wHether this is a new family, but there are several possible explanations. Is it a source code leak ? Is it a conflict between the players ? Or is it simply a variant ? GLIMPS Malware has however, been able to show a link between these two families.

Do not hesitate to contact us for more information: contact@glimps.re