An analysis of the Linux variant of a new ransomware family called BlackSuit has revealed significant similarities to another ransomware family named Royal.
Analysis of Royal by Trend Micro
Trend Micro, which has reviewed an x64 VMware ESXi version targeting Linux machines, said it has identified an “extremely high degree of similarity” between Royal and BlackSuit.
“In fact, they are nearly identical, with 98% similarity in functions, 99.5% similarity in blocks, and 98.9% similarity in jumps based on BinDiff, a comparison tool for binaries,” Trend Micro researchers said.
A comparison with their Windows counterparts showed 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps, again based on BinDiff.
BlackSuit came to light for the first time at the beginning of May 2023 when Palo Alto Networks Unit 42 called attention to its ability to target both Windows and Linux systems.
In line with other ransomware groups, it employs a double extortion scheme: sensitive data on a compromised network is both stolen and encrypted, and payment is demanded to restore access and withhold publication. Data belonging to a single victim has so far been listed on its dark web leak site.
Trend Micro’s latest findings show that both BlackSuit and Royal use OpenSSL’s AES for encryption and use similar intermittent encryption techniques to speed up the encryption process.
Beyond those overlaps, BlackSuit accepts additional command-line arguments and skips a different list of file extensions during enumeration and encryption.
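Intermittent encryption, the speed-up technique both families share, encrypts only some windows of each file and leaves the rest as plaintext, which means an affected file ends up with alternating high- and low-entropy regions. That pattern is also the signal a responder can use to spot such files on a recovered disk. The following is an added example written for this page, not Trend Micro's tooling nor code from either ransomware: it classifies a byte buffer as plaintext, fully encrypted or intermittently encrypted from per-window Shannon entropy. The window size, thresholds and sample data are constructed assumptions and not the parameters that BlackSuit or Royal use; random bytes stand in for AES ciphertext, since the point is the detection, not the encryption.

```python
import math
import random
from collections import Counter

# Assumed window size for the scan; not a parameter taken from either ransomware.
WINDOW = 4096
HIGH_ENTROPY = 7.5   # bits/byte: consistent with ciphertext or compressed data
LOW_ENTROPY = 6.0    # bits/byte: typical of text, documents, code


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each fixed-size window; a trailing fragment smaller than
    half a window is dropped so it cannot skew the classification."""
    ents = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) >= window // 2:
            ents.append(shannon_entropy(chunk))
    return ents


def classify(data: bytes, window: int = WINDOW) -> str:
    """Return 'plaintext', 'fully-encrypted', 'intermittent' or 'partial'.

    'intermittent' requires the entropy to swing between the high and low
    bands at least twice, i.e. encrypted windows interleaved with plaintext,
    rather than a single encrypted header or tail ('partial')."""
    labels = []
    for e in window_entropies(data, window):
        labels.append("H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else "M")
    if not labels or "H" not in labels:
        return "plaintext"
    if all(l == "H" for l in labels):
        return "fully-encrypted"
    # Count H<->L swings, ignoring ambiguous mid-entropy windows.
    decisive = [l for l in labels if l != "M"]
    swings = sum(1 for a, b in zip(decisive, decisive[1:]) if a != b)
    return "intermittent" if swings >= 2 else "partial"


def scan_file(path: str, window: int = WINDOW) -> str:
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read(), window)


# Constructed sample data: low-entropy text and seeded random bytes standing
# in for ciphertext. A seeded PRNG keeps the demonstration repeatable.
_rng = random.Random(1)
PLAIN_WINDOW = (b"The quick brown fox jumps over the lazy dog. " * 100)[:WINDOW]
SAMPLE_PLAIN = PLAIN_WINDOW * 8
SAMPLE_FULL = _rng.randbytes(8 * WINDOW)
# Every other window "encrypted": the footprint of intermittent encryption.
SAMPLE_INTERMITTENT = b"".join(
    _rng.randbytes(WINDOW) if i % 2 else PLAIN_WINDOW for i in range(8)
)
# Only the first two windows "encrypted": a partial, not intermittent, pattern.
SAMPLE_PARTIAL = _rng.randbytes(2 * WINDOW) + PLAIN_WINDOW * 6


if __name__ == "__main__":
    for name, buf in [("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                      ("intermittent", SAMPLE_INTERMITTENT), ("partial", SAMPLE_PARTIAL)]:
        print(f"{name:13s} -> {classify(buf)}")
```

On a real image, run `scan_file` over the user-data directories and triage anything reported as `intermittent` or `partial` first; genuinely compressed or already-encrypted formats (archives, media, PDFs with embedded streams) will naturally sit in the high band and need to be filtered by extension or magic bytes before the verdict is trusted.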
“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the authors themselves, an impersonator using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family,” said Trend Micro.
Since Royal is itself an offshoot of the Conti team, it is also possible that “BlackSuit emerged from a splinter group within the original Royal ransomware gang,” the cybersecurity company theorized.
The development once again underlines the constant state of flux in the ransomware ecosystem, as new threat actors emerge to rework existing tools and generate illicit profits.
It does not end here
Also joining the fray is a new ransomware-as-a-service (RaaS) operation dubbed NoEscape which, according to Cyble, allows its operators and affiliates to use triple extortion methods to maximize the impact of a successful attack.
Triple extortion refers to an approach in which data theft and encryption are coupled with distributed denial-of-service (DDoS) attacks against the targets, in an attempt to disrupt their business and pressure them into paying the ransom.
The DDoS service, according to Cyble, is available for an additional fee of $500,000, with the operators imposing conditions that prohibit affiliates from targeting entities located in Commonwealth of Independent States (CIS) countries. As with other RaaS offerings, the operation is advertised and accessed through dark web infrastructure such as Tor hidden services.