Contents

01. News Bites
  • Royal Ransomware rebrands as BlackSuit, demands over $500 million in ransom, FBI and CISA confirm
  • Interpol recovers over $40 Million in largest ever BEC scam recovery
  • Ransomware surge in 2024 as attacks intensify with more groups and rising data leaks
  • Massive data breach potentially exposed personal information of nearly 3 Billion People

02. Conclusion

Quick News Bites

Royal Ransomware rebrands as BlackSuit, demands over $500 million in ransom, FBI and CISA confirm

CISA and the FBI have confirmed that the Royal ransomware operation has rebranded as BlackSuit and has demanded more than $500 million from victims since it emerged over two years ago. The group first operated under the Quantum name in January 2022 and adopted the Royal name in September 2022.

According to the updated joint advisory, the group moved to deploying its own Zeon encryptor and then rebranded again as BlackSuit in June 2023, following its attack on the City of Dallas. BlackSuit shares many similarities with Royal and has improved capabilities. Since September 2022 the operation has hit over 350 organisations; the earlier Royal advisory put total demands at over $275 million, and the updated advisory now puts the combined figure above $500 million, with individual demands ranging from $1 million to $10 million, payable in Bitcoin. The agencies have shared indicators of compromise and the group's tactics, techniques and procedures to help organisations defend against these attacks, and note BlackSuit's role in significant disruptions, including the recent attack on CDK Global that affected over 15,000 car dealerships across North America.

Interpol recovers over $40 Million in largest ever BEC scam recovery

Interpol's global stop-payment mechanism, I-GRIP (Global Rapid Intervention of Payments), recovered over $40 million stolen in a Business Email Compromise (BEC) attack on a Singapore-based company, the largest recovery of BEC proceeds to date. In a BEC attack, criminals compromise or impersonate a business email account to redirect legitimate corporate payments to accounts they control; once the money lands, it is moved rapidly through further accounts and jurisdictions to obscure the trail.

In this case, the firm received an email that appeared to come from a known supplier, asking that an outstanding payment be sent to a new bank account. It wired $42.3 million to the attacker-controlled account and only realised the fraud four days later. Working with authorities in Timor-Leste, Interpol recovered $39 million; follow-up investigations led to the arrest of seven suspects and the recovery of a further $2 million. Since its launch in 2022, I-GRIP has helped recover over $500 million globally.
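The Singapore case is the textbook BEC pattern: a message that looks like it is from a supplier, a request to pay a "new" account, and a transfer that goes out before anyone calls the supplier on a number already on file. The following is an added example (not code from Interpol, the victim firm or Integrity360) of a pre-payment control that catches exactly that pattern. Vendor records, the two sample emails, the account numbers and the lookalike domain `acme-cornponents.example` are all constructed for illustration; the Levenshtein threshold of 2 for flagging lookalike sender domains is an assumption a real deployment would tune.

```python
"""Pre-payment control for supplier bank-detail changes (BEC guard).

Added example. The vendor master, e-mails and account numbers below are
constructed for illustration and are not taken from the Interpol case.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed vendor master: what finance already knows about the supplier.
# The callback number lives here, never in the inbound e-mail.
VENDOR_MASTER = {
    "acme-components": {
        "domain": "acme-components.example",
        "account": "GB29NWBK60161331926819",
        "callback_phone": "+44 20 7946 0000",
    },
}

# IBAN-shaped token: country code, check digits, 11-30 alphanumerics.
ACCOUNT_RE = re.compile(r"\b([A-Z]{2}\d{2}[A-Z0-9]{11,30})\b")

# Constructed fraudulent request: lookalike domain ("rn" for "m") and a
# payee account that does not match the vendor master.
SAMPLE_EMAIL = """\
From: Accounts <accounts@acme-cornponents.example>
Reply-To: Accounts <accounts@acme-cornponents.example>
To: ap@victim-firm.example
Subject: Updated remittance details for invoice 4471

Please note we have moved banks. Kindly settle invoice 4471 to our new
account GB94BARC10201530093459 with immediate effect.
"""

# Constructed legitimate request: registered domain, account on file.
LEGIT_EMAIL = """\
From: Accounts <accounts@acme-components.example>
To: ap@victim-firm.example
Subject: Invoice 4471 now due

Invoice 4471 is due today; please remit to GB29NWBK60161331926819 as usual.
"""


@dataclass
class PaymentCheck:
    vendor: str
    requested_account: Optional[str]
    flags: list = field(default_factory=list)

    @property
    def decision(self) -> str:
        # Any flag holds the payment until someone calls the vendor back on
        # the number already on file. No flags: normal approval path.
        return "HOLD_FOR_CALLBACK" if self.flags else "PROCEED"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_payment_request(raw_email: str, vendor: str) -> PaymentCheck:
    """Compare an inbound payment instruction against the vendor master."""
    msg = message_from_string(raw_email)
    known = VENDOR_MASTER[vendor]
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    match = ACCOUNT_RE.search(msg.get_payload())
    check = PaymentCheck(vendor, match.group(1) if match else None)

    if from_domain != known["domain"]:
        if edit_distance(from_domain, known["domain"]) <= 2:
            check.flags.append(f"lookalike sender domain {from_domain!r} "
                               f"(registered: {known['domain']!r})")
        else:
            check.flags.append(f"sender domain {from_domain!r} is not the "
                               "registered supplier domain")
    if reply_domain != from_domain:
        check.flags.append(f"Reply-To domain {reply_domain!r} differs from "
                           f"From domain {from_domain!r}")
    if check.requested_account and check.requested_account != known["account"]:
        check.flags.append("payee account differs from vendor master: "
                           "treat as a bank-detail change, verify by phone on "
                           f"{known['callback_phone']}")
    return check


if __name__ == "__main__":
    for label, mail in (("fraudulent", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        result = check_payment_request(mail, "acme-components")
        print(label, result.decision, *result.flags, sep="\n  ")
```

The point of the design is that the verification channel (the phone number in the vendor master) is never taken from the message that is being verified, and that a changed payee account is a hold condition on its own even when the sender domain looks right, since a genuinely compromised supplier mailbox passes every header check. A hold at the point of payment costs a phone call; in the case above the firm instead spent four days not knowing and then needed a multi-jurisdiction recovery effort.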

Ransomware surge in 2024 as attacks intensify with more groups and rising data leaks

The ransomware threat has grown more severe in 2024, with more attacks, more groups involved, and a rise in data leaks and leak sites. Rapid7's Ransomware Radar Report 2024 documents the trend: over 2,500 incidents were tracked in the first half of 2024 alone, more than 14 publicly claimed attacks every day. The true figure is likely higher, since the count only includes attacks the groups themselves claimed publicly.

The report notes that ransomware attacks in 2023 reached unprecedented levels, and 2024 is on track to surpass that, with the average number of active leak sites per month rising from 24 in early 2023 to 40 in the first half of 2024.

Rapid7's analysis focuses on the 20 most active ransomware groups and shows that smaller companies, typically with around $5 million in annual revenue, are increasingly targeted. Double extortion, in which data is both encrypted and exfiltrated with a threat to leak it, has become the norm in these attacks.

Massive data breach potentially exposed personal information of nearly 3 Billion People

In April, a data breach potentially exposed the personal information of nearly three billion people, according to a class-action lawsuit against Jerico Pictures Inc., which trades as the background-check company National Public Data. The breach, which if the figure holds would affect more than a third of the world's population, was first reported by Bloomberg Law.

The threat actor known as USDoD allegedly posted a 277GB database titled "National Public Data" for sale on the dark web on April 8, asking $3.5 million. The database is said to contain Social Security numbers, home addresses, full legal names and ancestry data.

The lawsuit, brought by California resident Christopher Hofmann, seeks damages, deletion of the collected data and stronger data-protection measures, including encryption. If confirmed, the breach would rank among the largest on record, comparable in scale to the 2013 Yahoo! breach, which affected three billion accounts. Given the scale and sensitivity of the exposed data, individuals are advised to consider credit-monitoring or identity-protection services.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps to take against the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.