New Ransomware "Black Suit" Targets Windows and Linux Platforms

Description

FortiGuard Labs is aware of a report that a new ransomware "Black Suit" targeting both Windows and Linux platforms was discovered in the wild. Some reports suggest similarities with the infamous active Royal ransomware. Black Suit ransomware encrypts files on affected machines and adds a ".BlackSuit" file extension to the encrypted files. It also operates its own leak site on TOR designed to post information stolen from victims.

Why is this Significant?

This is significant because "Black Suit" is a new ransomware that targets both Windows and Linux platforms. The threat actor operates a data leak site on TOR, which typically means that the ransomware targets enterprises.

What is "Black Suit" ransomware?

"Black Suit" is a new ransomware that is used to target Windows and Linux platforms. Information on the infection vector used by the Black Suite ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups. The ransomware encrypts files on compromised machines and adds a ".BlackSuit" file extension to affected files. It then leaves a ransom note labeled "README.BlackSuit.txt" and requests victims to contact the attacker on TOR for ransom negotiation. At the time of this writing, the leak site does not list any victims.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures for the known samples of BlackSuit ransomware:

• Linux/Filecoder_Royal_AGen.A!tr
• W32/PossibleThreat

Appendix

New Ransomware Targets VMware ESXi servers (Cyble)