{"id":52138,"date":"2023-05-31T00:00:00","date_gmt":"2023-05-31T00:00:00","guid":{"rendered":"urn:uuid:7cfb117e-3610-1825-272e-fe85940d15ad"},"modified":"2023-05-31T00:00:00","modified_gmt":"2023-05-31T00:00:00","slug":"investigating-blacksuit-ransomwares-similarities-to-royal","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/investigating-blacksuit-ransomwares-similarities-to-royal\/","title":{"rendered":"Investigating BlackSuit Ransomware\u2019s Similarities to Royal"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/blacksuit-976.png\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/blacksuit-976.png\" class=\"ff-og-image-inserted\"><\/div>\n<div readability=\"32\">\n<div readability=\"9\">\n<p>Its operators also set up a data leak site as part of their two-pronged extortion strategy to coerce victims into paying the ransom demand. Note that there is just a single victim currently listed on the leak site as of the time of writing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"34.931506849315\">\n<div readability=\"18.630136986301\">\n<p>One of the BlackSuit ransomware samples we analyzed is an x64 ESXi version targeting Linux machines. An earlier <a href=\"https:\/\/twitter.com\/Arkbird_SOLG\/status\/1653893301412548611?s=20\">post on Twitter<\/a> revealed that YARA rules designed for BlackSuit\u2019s Linux variant matched samples of the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html\">Royal ransomware Linux variant<\/a>.<\/p>\n<p>After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other. 
In fact, they\u2019re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"33\">\n<div readability=\"11\">\n<p>Further analysis found that BlackSuit employs command-line arguments that have a similar function to those used by Royal. However, there are some differences: The strings used in the arguments are different, with BlackSuit also including additional arguments not found in Royal.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32\">\n<p><h5>Table 1. A comparison of arguments for the Linux versions of BlackSuit and Royal<\/h5>\n<\/p><\/div>\n<div readability=\"32\">\n<div readability=\"9\">\n<p>Meanwhile, the <i>skip<\/i> argument is used to indicate a text file that contains a list of folders to be skipped.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32\">\n<div readability=\"9\">\n<p>During file enumeration and encryption, each respective ransomware family avoids files with the following extensions and filenames:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32\">\n<p><h5>Table 2. 
List of extensions and filenames skipped by both BlackSuit and Royal<\/h5>\n<\/p><\/div>\n<div readability=\"28.86\">\n<div readability=\"8.88\">\n<p>BlackSuit ransomware targets the following extensions if the <i>\u2013allfiles<\/i> argument is not provided:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">.vmem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmdk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.nvram<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmsd<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmsn<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmss<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmtm<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmxf<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmxf<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vmx<\/span><\/li>\n<\/ul>\n<p>The binaries for both BlackSuit and Royal use OpenSSL\u2019s AES for encryption and employ <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html\">similar intermittent encryption techniques<\/a> to accelerate the encryption of the victim\u2019s files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"38\">\n<div readability=\"21\">\n<p>Both BlackSuit and Royal prepare the files for encryption by rounding up the file size to the nearest multiple of 16, after which 41 bytes are added, possibly to account for the encryption header and other metadata.<\/p>\n<p>Next, a check is performed for the file being encrypted to determine if it has a size that is greater than 0x40000h (approximately 262KB). If this condition is met, it will use the value set using <i>-percent<\/i>, which is represented here by the <i>i_ep<\/i> variable. 
If not, it will use the default, which is 100.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"33.5\">\n<div readability=\"12\">\n<p>The number of bytes to be used for intermittent encryption is then calculated using the same formula found in the Linux version of Royal ransomware:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"2\">\n<tr readability=\"4\">\n<td width=\"624\" valign=\"top\">\n<ul>\n<li><span class=\"blockquote\">N = (X\/10)*(Original File Size \/ 100), then round down to a multiple of 16<br \/>where X is the value of \u201c-percent\u201d<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The file size is again checked to calculate the amount of space to be allocated for the data and metadata. 
Finally, the keys to be used for encryption are prepared.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32.5\">\n<div readability=\"10\">\n<p>In the case of BlackSuit, as we previously mentioned, it appends the extension \u201c.blacksuit\u201d to encrypted files and drops a ransom note in the directory where the files are located.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"34\">\n<div readability=\"13\">\n<p>In addition to the Linux-based sample, we also analyzed a Windows 32-bit version of BlackSuit, which also exhibits significant similarities with its Royal ransomware counterpart (93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"31\">\n<div readability=\"7\">\n<p>Our analysis found that BlackSuit accepts the following command-line arguments:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32\">\n<p><h5>Table 3. A comparison of arguments for the Win32 versions of BlackSuit and Royal<\/h5>\n<\/p><\/div>\n<div readability=\"39.5\">\n<div readability=\"24\">\n<p>While BlackSuit introduces different argument strings compared to Royal, their purpose remains similar. BlackSuit combines arguments from various Windows versions of Royal Ransomware, while also introducing new arguments such as &#8220;-delete&#8221; and &#8220;-list&#8221; that are specific to itself.<\/p>\n<p>The <i>-delete<\/i> argument uses the following command to continuously check for the existence of its file by looking for the filename:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1\">\n<tr readability=\"3\">\n<td width=\"624\" valign=\"top\" readability=\"5\">\n<p><span class=\"blockquote\">cmd \/v\/c &quot;set f={Malware File Name}&amp;for \/l %l in () do if exist !f! (del \/f\/a &quot;!f!&quot;) else (exit)&quot;<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>If the file is found, it is immediately deleted. 
The command keeps running indefinitely until the file is deleted, at which point the loop will exit.<\/p>\n<p>The <i>-list<\/i> argument is used to specify a text file containing target directories to encrypt. It loads the file using <i>ReadFileFAPI<\/i>, then places the contents of the text file in a buffer. Note that the loaded text file is a sample text file we used for testing and not the format of the text file that will be loaded in an actual attack.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"35.5\">\n<div readability=\"16\">\n<p>If <i>\u2013disablesafeboot<\/i> is passed as an argument, it removes the &#8220;safeboot&#8221; value from the current boot entry in the Boot Configuration Data (BCD) and performs an immediate system restart via the following command:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1\">\n<tr readability=\"3\">\n<td width=\"624\" valign=\"top\" readability=\"5\">\n<p><span class=\"blockquote\">&quot;%System%\\bcdedit.exe&quot; \/deletevalue {current} safeboot<br \/>shutdown.exe \/r \/t 0<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>When encrypting network shares using the <i>-network<\/i> argument, BlackSuit will check if the IP address begins with the following numbers to ensure that it is encrypting local systems:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">192.168.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">10.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">100.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">172.<\/span><\/li>\n<\/ul>\n<p>It avoids encrypting files with the following strings in their file path:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"32\">\n<p><h5>Table 4. Royal and BlackSuit avoid encrypting files that have these strings<\/h5>\n<\/p><\/div>\n<div readability=\"32\">\n<p><h5>Table 5. 
Royal and BlackSuit avoid encrypting files that contain these extensions<\/h5>\n<\/p><\/div>\n<div readability=\"52.5925\">\n<div readability=\"52.11\">\n<p>BlackSuit ransomware also deletes shadow copies using the following command:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1\">\n<tr readability=\"3\">\n<td width=\"624\" valign=\"top\" readability=\"5\">\n<p>&quot;%System%\\vssadmin.exe&quot; Delete Shadows \/All \/Quiet<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.<\/p>\n<p>One possibility for BlackSuit\u2019s creation is that, since the threat actors behind Royal (and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\">Conti before it<\/a>) are one of the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-and-cisa-warn-of-increasing-royal-ransomware-attack-risks\/\">most active ransomware groups in operation today<\/a>, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another possibility is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.<\/p>\n<p>Whatever the case may be, the emergence of another ransomware like BlackSuit provides further evidence that threat actors will always try to look for more effective tools for their attacks, from modifying existing code to developing unique ransomware families, to profit from their victims. 
As such, both organizations and individual users should remain vigilant when it comes to protecting their files and data from ransomware attacks.<\/p>\n<p>Organizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. Here are some recommendations:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Create an inventory of assets and data<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Identify authorized and unauthorized devices and software<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Conduct audits of event and incident logs<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Manage hardware and software configurations<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Grant administrative privileges and access only when necessary<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Monitor network ports, protocols, and services<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Establish a whitelist of approved software applications<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Implement measures for data protection, backup, and recovery<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enable multifactor authentication (MFA)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Deploy up-to-date security solutions across all system layers<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Remain vigilant for early indications of an attack<\/span><\/li>\n<\/ul>\n<p>By adopting a multi-pronged approach to securing potential entry points, such as endpoints, emails, websites, and networks, organizations can detect and defend against malicious elements and suspicious activities, effectively safeguarding themselves from ransomware attacks.<\/p>\n<p>A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). 
Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Vision One\u2122<\/a>\u202fprovides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.&nbsp;<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a>\u202foffers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.&nbsp;<br \/>&nbsp;<\/b><\/span><\/li>\n<\/ul>\n<p><b><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/investigating-blacksuit-ransomwares-similarities-to-royal.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":52139,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-52138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Investigating BlackSuit Ransomware\u2019s Similarities to Royal 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/investigating-blacksuit-ransomwares-similarities-to-royal\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Investigating BlackSuit Ransomware\u2019s Similarities to Royal 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/investigating-blacksuit-ransomwares-similarities-to-royal\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-31T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/blacksuit-976.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Investigating BlackSuit Ransomware\u2019s Similarities to 
Royal\",\"datePublished\":\"2023-05-31T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/\"},\"wordCount\":1286,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/investigating-blacksuit-ransomwares-similarities-to-royal.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/\",\"name\":\"Investigating BlackSuit Ransomware\u2019s Similarities to Royal 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/investigating-blacksuit-ransomwares-similarities-to-royal.png\",\"datePublished\":\"2023-05-31T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/investigating-blacksuit-ransomwares-similarities-to-royal.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/investigating-blacksuit-ransomwares-similarities-to-royal.png\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-blacksuit-ransomwares-similarities-to-royal\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Investigating BlackSuit Ransomware\u2019s Similarities to Royal\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 
Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=52138"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52138\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/52139"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=52138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=52138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=52138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}