{
	"id": "66f17081-b324-48ed-abb2-08015bae7769",
	"created_at": "2026-04-06T00:21:47.378331Z",
	"updated_at": "2026-04-10T13:11:46.841835Z",
	"deleted_at": null,
	"sha1_hash": "a81ff1911e3bea5e248bda532f22d4d500d04c6e",
	"title": "BlackSuit Ransomware Strikes Windows And Linux Users - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1232341,
	"plain_text": "BlackSuit Ransomware Strikes Windows And Linux Users - Cyble\r\nPublished: 2023-05-12 · Archived: 2026-04-05 13:31:04 UTC\r\nNew Ransomware Targets VMware ESXi servers\r\nWorld's Best AI-Native Threat Intelligence\r\nCyble Research and Intelligence Labs (CRIL) observed an increase in the number of ransomware groups\r\nlaunching Linux variants, such as Cylance and Royal ransomware. This can be attributed to the fact that Linux is\r\nextensively utilized as an operating system across various sectors, including enterprise environments and cloud\r\ncomputing platforms. The widespread use of Linux makes it an appealing target for ransomware groups, as a\r\nsingle attack can potentially compromise numerous systems.\r\nCRIL came across a new ransomware group named BlackSuit posted by Unit 42, Palo Alto Networks. BlackSuit\r\nransomware is being used by Threat Actors (TA) to target both Windows and Linux operating systems users.\r\nThe code of the Linux variant of BlackSuit has been found to share similarities with the Royal ransomware,\r\naccording to observations made by researchers. BlackSuit ransomware communicates with its victims through an\r\nonion site and has not yet publicized any of its victims’ information.\r\nThe image below displays the onion site used by BlackSuit ransomware.\r\nhttps://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/\r\nPage 1 of 16\n\nFigure 1 – BlackSuit Ransomware Site\r\nTechnical Analysis\r\nThe BlackSuit ransomware (SHA256:\r\n90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c) is a 32-bit executable, coded in\r\nC/C++.\r\nThe figure below shows the file details.\r\nFigure 2 – File Details\r\nUpon execution, the BlackSuit ransomware utilizes the GetCommandLineW function to acquire the command-line arguments. 
Subsequently, it compares these arguments against a predefined list of strings: -name, -percentage, -noprotect,\r\n-disablesafeboot, -local, -network, -delete, -list, and -p. Whenever a match is found, it\r\nsets the associated flag variable to one. These strings select the operations the ransomware\r\nexecutable performs at runtime and are supplied as command-line parameters.\r\nTo execute the ransomware binary, the “-name” parameter is mandatory; its value is a distinct\r\n32-character identifier assigned to each victim.\r\nFigure 3 – Command Line Arguments\r\nIf the “-noprotect” parameter is supplied, the ransomware allows multiple instances to run.\r\nOtherwise, it calls CreateMutexW() to create a mutex whose name is derived from the value of the “-name”\r\nparameter.\r\nThe figure below shows the mutex creation by the ransomware binary.\r\nFigure 4 – CreateMutex\r\nAfter calling CreateMutexW(), the ransomware checks whether a mutex with the same name already existed by\r\ninspecting the error value returned by GetLastError(). If the error value is 183 (ERROR_ALREADY_EXISTS),\r\nanother instance is already running and the ransomware terminates itself.\r\nThe figure below shows the mutex check performed by the ransomware.\r\nFigure 5 – Running Single Instance\r\nNext, the ransomware checks whether the flag variable for the “-local” parameter is zero,\r\nindicating that the parameter was not passed. 
If so, the ransomware creates a thread with\r\nCreateThread(), which is used to enumerate network devices.\r\nThe figure below shows the call to CreateThread() made by the ransomware.\r\nFigure 6 – Creating Thread\r\nIn the new thread, the ransomware calls the NetShareEnum() API to obtain information about the\r\nnetwork shares available on the local system. Once it has the list of shares, the ransomware\r\nconnects to the administrative (ADMIN$) and interprocess communication (IPC$) shares, enabling\r\nlateral movement to infect other systems on the same network.\r\nThe figure below shows the network enumeration routine in the ransomware binary.\r\nFigure 7 – Enumerating Network Shares\r\nThe ransomware then checks for the “-network” parameter. If this parameter is not passed, it jumps to the\r\nfunction responsible for fetching drive details. This function first calls GetLogicalDriveStringsW to\r\nretrieve the list of logical drives and then iterates over it. For each drive, it calls the FindFirstFileW()\r\nAPI to search for files on the drive. If FindFirstFileW returns a valid handle, it calls the GetDriveTypeW API to\r\ndetermine whether the drive is removable or fixed.\r\nFigure 8 – Getting Drive Details\r\nNext, the ransomware attempts to inhibit system recovery by deleting the volume shadow copies. The\r\nfigure below shows the vssadmin command executed by the ransomware via ShellExecuteW. The command is\r\nrun with two options, “/All” and “/Quiet”. The “/All” option deletes all shadow copies, and the “/Quiet”\r\noption suppresses any confirmation prompts that would otherwise appear during deletion.\r\nFigure 9 – Deleting Shadow Copies\r\nThe ransomware then uses the FindFirstFileW() and FindNextFileW() API functions to enumerate files and\r\ndirectories and begins the encryption process.\r\nThe figure below shows FindFirstFileW() and FindNextFileW() used by the ransomware.\r\nFigure 10 – Enumerating Directories\r\nThe ransomware drops a ransom note named “README.BlackSuit.txt” in every directory it traverses. After\r\nencrypting a file, it renames it by appending the “.BlackSuit” extension.\r\nThe figure below shows the ransom note and encrypted files.\r\nFigure 11 – Dropping Ransom Note\r\nAfterward, it checks for the “-disablesafeboot” parameter. If this flag is set, the program prevents the\r\nsystem from booting into Safe Mode by invoking the “bcdedit.exe” utility with the arguments\r\n/deletevalue {current} safeboot. The code also checks whether the process is running on a 64-bit operating\r\nsystem and, if so, invokes the 64-bit “bcdedit.exe” through the “Sysnative” alias; because the ransomware is a\r\n32-bit process, this bypasses WOW64 file system redirection, which would otherwise map System32 to the 32-bit\r\nSysWOW64 copy. Finally, it initiates a system shutdown with the “shutdown.exe” utility and the arguments\r\n“/r /t 0”, which restarts the system immediately.\r\nThe figure below shows the part of the code for disabling safe boot.\r\nFigure 12 – Disable Safeboot\r\nFinally, the ransomware checks whether the “-delete” parameter was provided at execution. If this parameter is\r\npassed, the ransomware deletes itself after completing the encryption process. 
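The Windows behaviours described above (the mandatory 32-character -name value together with the other switches, vssadmin delete shadows /all /quiet launched via ShellExecuteW, bcdedit /deletevalue {current} safeboot, shutdown /r /t 0, and the cmd /v/c self-delete loop) are all visible in process-creation telemetry. The following Python is an added triage example written for this page, not code from Cyble or from the malware. It classifies constructed sample events and attributes the child utilities to the parent that spawned them, so that one suspect process accumulates several behaviours instead of each command being judged alone. The event fields and every sample command line are constructed; the launcher rule assumes the -name value is exactly 32 non-space characters, as the report states, and requires at least one other switch from the report's list.

```python
import re

# Constructed sample process-creation events (not real telemetry; image paths omitted).
SAMPLE_EVENTS = [
    {'pid': 4120, 'ppid': 3388, 'image': 'update.exe',
     'cmdline': 'update.exe -name 0123456789abcdef0123456789abcdef -disablesafeboot -delete'},
    {'pid': 4188, 'ppid': 4120, 'image': 'vssadmin.exe',
     'cmdline': 'vssadmin.exe Delete Shadows /All /Quiet'},
    {'pid': 4201, 'ppid': 4120, 'image': 'bcdedit.exe',
     'cmdline': 'bcdedit.exe /deletevalue {current} safeboot'},
    {'pid': 4230, 'ppid': 4120, 'image': 'shutdown.exe',
     'cmdline': 'shutdown.exe /r /t 0'},
    {'pid': 4244, 'ppid': 4120, 'image': 'cmd.exe',
     'cmdline': 'cmd /v/c set f=update.exe&for /l %l in () do if exist !f! (del /f/a !f!) else (exit)'},
    # Benign look-alikes: an admin listing shadow copies, and a tool with its own -name flag.
    {'pid': 5012, 'ppid': 900, 'image': 'vssadmin.exe',
     'cmdline': 'vssadmin.exe list shadows'},
    {'pid': 5100, 'ppid': 901, 'image': 'agent.exe',
     'cmdline': 'agent.exe -name nightly -network'},
]

# Switches the report lists for the Windows build; -name carries the 32-character victim ID.
BLACKSUIT_SWITCHES = {'-percentage', '-noprotect', '-disablesafeboot', '-local',
                      '-network', '-delete', '-list', '-p'}
NAME_RE = re.compile('(^| )-name [^ ]{32}( |$)')


def classify(event):
    # Return a behaviour tag for one event, or None if nothing matches.
    cmd = event['cmdline'].lower()
    tokens = cmd.split()
    if not tokens:
        return None
    if NAME_RE.search(cmd) and BLACKSUIT_SWITCHES.intersection(tokens):
        return 'launcher: -name plus BlackSuit switches'
    if 'vssadmin' in tokens[0] and {'delete', 'shadows', '/all', '/quiet'} <= set(tokens):
        return 'recovery: vssadmin delete shadows /all /quiet'
    if 'bcdedit' in tokens[0] and '/deletevalue' in tokens and 'safeboot' in tokens:
        return 'boot: bcdedit /deletevalue {current} safeboot'
    if 'shutdown' in tokens[0] and {'/r', '/t', '0'} <= set(tokens):
        return 'boot: shutdown /r /t 0'
    if 'for /l' in cmd and 'in ()' in cmd and 'if exist' in cmd and 'del /f' in cmd:
        return 'antiforensic: self-delete loop via cmd /v/c'
    return None


def correlate(events):
    # Attribute each tagged event to the process that drives the chain: the
    # launcher to itself, the helper utilities (vssadmin, bcdedit, shutdown,
    # cmd) to their parent, so the behaviours pile up on one PID.
    findings = {}
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        owner = ev['pid'] if tag.startswith('launcher') else ev['ppid']
        findings.setdefault(owner, []).append(tag)
    return findings


def suspects(events, threshold=2):
    # PIDs showing at least `threshold` distinct BlackSuit-style behaviours.
    return {pid: tags for pid, tags in correlate(events).items()
            if len(set(tags)) >= threshold}


if __name__ == '__main__':
    for pid, tags in suspects(SAMPLE_EVENTS).items():
        print(pid, tags)
```

On the constructed events only PID 4120 is reported, with five behaviours. The two benign look-alikes are not: a single vssadmin list shadows never matches the delete rule, and the unrelated -name nightly is not a 32-character identifier, so neither parent reaches the threshold. In real telemetry the same correlation keys on the parent PID field of the process-creation event (for example Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled).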
This method enables the\r\nmalware to eliminate traces, making it harder for investigators to examine its code and behavior.\r\nTo do so, the ransomware runs the following batch one-liner, which creates an infinite loop. The\r\nloop checks whether the file whose path is held in the variable “f” (the ransomware’s own executable) still\r\nexists and deletes it as soon as it can: because the loop runs in a separate cmd.exe process, the deletion\r\nsucceeds once the ransomware process has exited and its file handle is released. The /v switch enables delayed\r\nenvironment variable expansion, so “!f!” is re-read on every iteration. The command keeps running\r\nuntil the file is deleted or the script is terminated:\r\nstart cmd /v/c \"set f= \"&for /l %l in () do if exist !f! (del /f/a \"!f!\") else (exit)\"\r\nFigure 13 – Ransomware Deleting Itself\r\nLinux Variant of BlackSuit Ransomware\r\nThe Linux variant of the BlackSuit ransomware is a 64-bit ELF executable compiled with GCC, with SHA256\r\n1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e.\r\nThe figure below shows additional details of the Linux executable.\r\nFigure 14 – File Details of BlackSuit Ransomware Linux Variant\r\nThe Linux build of BlackSuit accepts several command-line parameters that serve different purposes and enable\r\nspecific operations. The following parameters are parsed by the ransomware:\r\n-name\r\n-percent\r\n-p\r\n-thrcount\r\n-skip\r\n-killvm\r\n-allfies\r\n-noprotect\r\n-vmsyslog\r\n-demonoff\r\nThe figure below shows the code that parses these arguments.\r\nFigure 15 – BlackSuit Code to Parse the Arguments\r\nWhen the parameter “-vmsyslog” is passed, the ransomware terminates the “vmsyslog” service on the\r\ntargeted machine. 
This service is the syslog daemon of the ESXi host, which records the logs of the host and its running virtual\r\nmachines and aids in detecting anomalies in their operation. Killing vmsyslog through this parameter limits\r\nmonitoring and impedes the ability to detect irregularities in the operation of the virtual machines.\r\nThe figure below shows the code used by the ransomware to kill vmsyslog.\r\nFigure 16 – BlackSuit Code to Kill vmsyslog\r\nThe -killvm parameter makes the ransomware scan for running VMware virtual machines (VMs) and\r\nterminate their processes. This ensures that the files associated with the VMs are no longer locked and become\r\naccessible for encryption.\r\nThe code snippet below illustrates how the ransomware lists virtual machines.\r\nFigure 17 – BlackSuit Code to Kill Virtual Machines\r\nAfter killing the processes, the ransomware prepares the list of files to encrypt. It also\r\nimplements a mechanism to exclude specific files from encryption. These exclusions typically\r\ncover vital system files, files that have already been encrypted, and the ransom notes that the ransomware\r\nitself drops after infecting a system. By excluding these files, the ransomware keeps them intact and\r\naccessible to facilitate its operations: the host stays usable and the victim can read the note.\r\nFigure 18 – BlackSuit Files Excluded from Encryption\r\nIn addition to excluding certain files from encryption, the ransomware also offers the “-vmonly” parameter. 
When this parameter is used, the malware restricts its encryption activities solely to files\r\nassociated with VMware virtual machines.\r\nThe figure below illustrates the virtual machine-related files that are targeted when the\r\n“-vmonly” parameter is used.\r\nFigure 19 – BlackSuit Ransomware Targeting Virtual Machine-Related Files\r\nAfter preparing the file list, the ransomware generates the keys required for encryption.\r\nThe code snippet in the figure below shows the routine responsible for staging the encryption keys.\r\nFigure 20 – BlackSuit Code for Preparing Keys for Encryption\r\nOnce the keys have been prepared, the ransomware encrypts the files using the AES algorithm.\r\nThe code snippet in the figure below shows the routine responsible for encrypting the files.\r\nFigure 21 – BlackSuit Code for File Encryption\r\nThe ransomware also leaves a ransom note on the compromised system during the file encryption\r\nprocess. 
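Whether on a Windows host or an ESXi datastore, the artefacts this report names (the README.BlackSuit.txt note, the .BlackSuit extension on encrypted files, and the two sample hashes in the IOC table) can be swept for with a short script. The following Python is an added example for this page, not code from Cyble or from the malware. It builds a constructed directory tree standing in for a datastore, then reports notes, renamed files, and any file whose SHA256 matches a known hash. Two assumptions are made: that the Linux build uses the same note name and extension as the Windows build (the report states them only for the Windows sample), and that files above 256 MiB are skipped when hashing so the sweep stays cheap on large VM disks; both are marked in the code.

```python
import hashlib
import os
import tempfile

# SHA256 values from the IOC table of this report.
KNOWN_SHA256 = {
    '90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c',  # Windows build
    '1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e',  # Linux build
}
NOTE_NAME = 'README.BlackSuit.txt'   # reported for the Windows build; assumed for Linux
ENCRYPTED_SUFFIX = '.BlackSuit'      # reported for the Windows build; assumed for Linux
MAX_HASH_BYTES = 256 * 1024 * 1024   # assumption: do not hash huge VM disks


def sha256_of(path, chunk=1 << 20):
    # Stream the file so large inputs never need to fit in memory.
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, known_hashes=KNOWN_SHA256, max_hash_bytes=MAX_HASH_BYTES):
    # Walk root and bucket findings: ransom notes, renamed files, known binaries.
    # A file is hashed only when it is neither a note nor an encrypted file,
    # is a regular file (not a symlink), and is small enough to be a dropper.
    found = {'notes': [], 'encrypted': [], 'binaries': []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                found['notes'].append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                found['encrypted'].append(path)
            elif os.path.isfile(path) and not os.path.islink(path):
                if os.path.getsize(path) <= max_hash_bytes and sha256_of(path) in known_hashes:
                    found['binaries'].append(path)
    return found


def build_demo_tree():
    # Constructed sample tree standing in for an ESXi datastore; contents are placeholders.
    root = tempfile.mkdtemp(prefix='blacksuit-sweep-')
    vm_dir = os.path.join(root, 'vmfs', 'volumes', 'datastore1', 'web01')
    os.makedirs(vm_dir)
    with open(os.path.join(vm_dir, 'web01.vmdk' + ENCRYPTED_SUFFIX), 'wb') as fh:
        fh.write(os.urandom(64))
    with open(os.path.join(vm_dir, NOTE_NAME), 'w') as fh:
        fh.write('constructed placeholder note')
    with open(os.path.join(root, 'tmp_payload'), 'wb') as fh:
        fh.write(b'constructed stand-in for the ELF sample')
    return root


def demo():
    # No real sample ships with this example, so the hash match is shown by
    # adding the stand-in file's own digest to the known set.
    root = build_demo_tree()
    stand_in = os.path.join(root, 'tmp_payload')
    return sweep(root, known_hashes=KNOWN_SHA256 | {sha256_of(stand_in)})


if __name__ == '__main__':
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Against the constructed tree the sweep returns one note, one renamed VM disk and, only when the stand-in digest is added, one binary hit; with the report's hashes alone the binaries bucket stays empty. On a real ESXi host the same walk would be pointed at /vmfs/volumes, and the notes and encrypted buckets are the fast signal, since hashing is the expensive step.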
This note is the threat actor’s communication to the victim: it gives instructions for making the ransom\r\npayment and a Tor link for contacting the attacker.\r\nThe figure below shows the ransom note, which is embedded in the ransomware executable.\r\nFigure 22 – Ransom Note Embedded in the BlackSuit Ransomware\r\nConclusion\r\nRansomware attacks are becoming more prevalent, with a recent surge in the number of new groups.\r\nBlackSuit is among the latest ransomware strains to surface, and while its code shares similarities with\r\nRoyal ransomware, a connection between the two is not yet confirmed.\r\nBlackSuit has not yet publicly revealed any information about its victims, but it may do so in\r\nthe future. The group has already broadened its reach by targeting multiple operating systems.\r\nOur Recommendations\r\nWith Threat Actors and their TTPs increasing in sophistication, the rapid adoption of new ransomware techniques,\r\nand the increasing use of Artificial Intelligence, the industry continues its search for the proverbial silver\r\nbullet against this threat.\r\nHowever, there are a few cybersecurity measures that we strongly recommend organizations adopt to reduce the\r\nlikelihood of a successful attack:\r\nDefine and implement a backup process and secure the backup copies by keeping them offline or\r\non a separate network\r\nMonitor dark web activity for early indicators and threat mitigation\r\nEnforce password change policies for the network and critical business applications, or consider\r\nimplementing multi-factor authentication for all remote network access points\r\nReduce the attack surface by ensuring that sensitive ports are not exposed to the Internet\r\nConduct cybersecurity awareness programs for employees, third parties, and vendors\r\nImplement a risk-based vulnerability management process for IT infrastructure to ensure that\r\ncritical vulnerabilities and security misconfigurations are identified and prioritized for remediation\r\nInstruct users to refrain from opening untrusted links and email attachments without verifying their\r\nauthenticity\r\nDeploy reputable anti-virus and internet security software on company-managed\r\ndevices, including PCs, laptops, and mobile devices\r\nTurn on automatic software updates on computers, mobile devices, and other connected devices\r\nMITRE ATT&CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nExecution  T1059  Command and Scripting Interpreter\r\nDiscovery  T1057  Process Discovery\r\nDiscovery  T1082  System Information Discovery\r\nDiscovery  T1083  File and Directory Discovery\r\nImpact  T1486  Data Encrypted for Impact\r\nImpact  T1490  Inhibit System Recovery\r\nIndicators of Compromise (IOCs)\r\nIndicator  Indicator Type  Description\r\n748de52961d2f182d47e88d736f6c835  MD5  BlackSuit Windows Executable\r\n30cc7724be4a09d5bcd9254197af05e9fab76455  SHA1  BlackSuit Windows Executable\r\n90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c  SHA256  BlackSuit Windows Executable\r\n9656cd12e3a85b869ad90a0528ca026e  MD5  BlackSuit Linux Executable\r\n861793c4e0d4a92844994b640cc6bc3e20944a73  SHA1  BlackSuit Linux Executable\r\n1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e  SHA256  BlackSuit Linux Executable\r\nSource: https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/"
	],
	"report_names": [
		"blacksuit-ransomware-strikes-windows-and-linux-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a81ff1911e3bea5e248bda532f22d4d500d04c6e.pdf",
		"text": "https://archive.orkl.eu/a81ff1911e3bea5e248bda532f22d4d500d04c6e.txt",
		"img": "https://archive.orkl.eu/a81ff1911e3bea5e248bda532f22d4d500d04c6e.jpg"
	}
}