{
	"id": "9b61cf0e-eae6-41e5-93e9-9d9996843fc4",
	"created_at": "2026-04-06T00:21:32.59669Z",
	"updated_at": "2026-04-10T13:12:12.523471Z",
	"deleted_at": null,
	"sha1_hash": "c1ba1c8bfec91f72293184ad6831d356567846b4",
	"title": "Investigating BlackSuit Ransomware’s Similarities to Royal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1027794,
	"plain_text": "Investigating BlackSuit Ransomware’s Similarities to Royal\r\nBy Katherine Casona, Ivan Nicole Chavez, Ieriz Nicolle Gonzalez, Jeffrey Francis Bonaobra (Read time: 7 min, 1965 words)\r\nPublished: 2023-05-31 · Archived: 2026-04-05 23:37:29 UTC\r\nRansomware\r\nIn this blog entry, we analyze BlackSuit ransomware and how it compares to Royal ransomware.\r\nRoyal ransomware, already one of the most notable ransomware families of 2022, gained additional notoriety in early May 2023 after it was used to attack IT systems in Dallas, Texas. Around the same period, several researchers on Twitter came across a new ransomware family called BlackSuit that targeted both Windows and Linux users. Additional Twitter posts mentioned connections between BlackSuit and Royal, which piqued our interest. We managed to retrieve and analyze a Windows 32-bit sample of the ransomware from Twitter.\r\nEncryption and leak site details\r\nBefore delving into the main comparison between the two ransomware families, let’s first examine the encryption and leak site details of BlackSuit.\r\nBlackSuit appends the .blacksuit file extension to the files it encrypts, drops its ransom note into the directory, and lists its TOR chat site in the ransom note along with a unique ID for each of its victims.\r\nIts operators also set up a data leak site as part of their two-pronged extortion strategy to coerce victims into paying the ransom demand. Note that there is just a single victim listed on the leak site as of the time of writing.\r\nComparison between Royal ESXi and BlackSuit ESXi variants\r\nOne of the BlackSuit ransomware samples we analyzed is an x64 ESXi version targeting Linux machines. 
An earlier post on Twitter revealed that YARA rules designed for BlackSuit’s Linux variant matched samples of the Royal ransomware Linux variant.\r\nAfter comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other. In fact, they’re nearly identical, with 98% similarity in functions, 99.5% similarity in basic blocks, and 98.9% similarity in jumps based on BinDiff, a comparison tool for binary files.\r\nFigure 3. Comparison of the Linux variants of BlackSuit and Royal ransomware\r\nFurther analysis found that BlackSuit employs command-line arguments that have a similar function to those used by Royal. However, there are some differences: the strings used in the arguments are different, and BlackSuit also includes additional arguments not found in Royal.\r\nRoyal argument | BlackSuit argument | Description\r\n-id {32-byte characters} | -name {32-byte characters} | Used as the victim’s ID, which will be appended to the TOR link found in the dropped ransom note. The process exits if the argument is not provided, or if the provided characters do not have a length of 32 bytes\r\n-ep | -percent {0-100} | Used to define the encryption parameter\r\n-path {target path} | -p {target path} | Used to specify a target directory to encrypt\r\n(Not in Royal) | -thrcount | Used to create a specified number of threads depending on the infected machine’s processor count\r\n(Not in Royal) | -skip {text file} | Used to specify a text file containing folders to skip\r\n-stopvm | -killvm | Used to terminate VM-linked processes via the esxcli command\r\n-vmonly | -allfiles | Encrypt all files\r\n(Not in Royal) | -noprotect | CheckProcStarted (/bin/sh -c ps \u003e PS_list) does not drop the file PID and does not check if the process has already been started\r\n-fork | -vmsyslog | Used to create fork processes and terminate watchdog timers; does not terminate processes with the string vmsyslogd in their name\r\n-logs | -demonoff | Used to display terminal logs\r\nTable 1. A comparison of arguments for the Linux versions of BlackSuit and Royal\r\nMeanwhile, the -skip argument is used to indicate a text file that contains a list of folders to be skipped.\r\nDuring file enumeration and encryption, each respective ransomware family avoids files with the following extensions and filenames:\r\nRoyal: .royal_u, .royal_w, .sf, .v00, .b00, royal_log_, readme\r\nBlackSuit: .blacksuit, .BlackSuit, .blacksuit_log_, .list_, .PID_, .PS_list, .PID_list_, .CID_list_, .sf, .v00, .b00, .README.BlackSuit.txt, .README.blacksuit.txt\r\nTable 2. List of extensions and filenames skipped by both BlackSuit and Royal\r\nBlackSuit ransomware targets the following extensions if the -allfiles argument is not provided:\r\n.vmem, .vmdk, .nvram, .vmsd, .vmsn, .vmss, .vmtm, .vmxf, .vmx\r\nIntermittent encryption process\r\nThe binaries for both BlackSuit and Royal use OpenSSL’s AES for encryption and employ similar intermittent encryption techniques to accelerate the encryption of the victim’s files.\r\nBoth BlackSuit and Royal prepare the files for encryption by rounding up the file size to the nearest multiple of 16, after which 41 bytes are added, possibly to account for the encryption header and other metadata.\r\nNext, a check is performed on the file being encrypted to determine whether its size is greater than 0x40000 bytes (approximately 262KB). If this condition is met, it will use the value set using -percent, which is represented here by the i_ep variable. If not, it will use the default, which is 100.\r\nFigure 7. Calculation of bytes to be used for intermittent encryption\r\nThe number of bytes to be used for intermittent encryption is then calculated using the same formula found in the Linux version of Royal ransomware:\r\nN = (X/10)*(Original File Size / 100), then rounded down to a multiple of 16, where X is the value of “-percent”\r\nThe file size is again checked to calculate the amount of space to be allocated for the data and metadata. 
Finally, the keys to be used for encryption are prepared.\r\nIn the case of BlackSuit, as we previously mentioned, it appends the extension “.blacksuit” to encrypted files and drops a ransom note in the directory where the files are located.\r\nFigure 10. The folder showing the encrypted files with the appended extension and the dropped ransom note\r\nComparison between Royal Win32 and BlackSuit Win32 variants\r\nIn addition to the Linux-based sample, we also analyzed a Windows 32-bit version of BlackSuit, which also exhibits significant similarities with its Royal ransomware counterpart (93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff).\r\nFigure 12. Comparison of the Linux variants of BlackSuit and Royal ransomware\r\nOur analysis found that BlackSuit accepts the following command-line arguments:\r\nRoyal argument | BlackSuit argument | Description\r\n-path {target path} | -p {target path} | If provided, will only encrypt the contents of the target path\r\n-id {32-byte characters} | -name {32-byte characters} | Used as the victim’s ID, which will be appended to the TOR link found in the dropped ransom note. The process exits if the argument is not provided, or if the provided characters do not have a length of 32 bytes\r\n-ep | -percent {0 to 100} | Used to define encryption parameters\r\n(Not in Royal) | -list {text files} | Used to specify a text file containing the target directories to encrypt\r\n(Not in Royal) | -delete | Used to delete itself\r\n-networkonly | -network | Used to encrypt file shares connected to the system\r\n-localonly | -local | Used to encrypt the local system only\r\n-disablesafeboot | -disablesafeboot | Used to disable safeboot\r\n-noprotect | -noprotect | Used to disable mutex creation\r\nTable 3. A comparison of arguments for the Win32 versions of BlackSuit and Royal\r\nWhile BlackSuit introduces different argument strings compared to Royal, their purpose remains similar. BlackSuit combines arguments from various Windows versions of Royal ransomware, while also introducing new arguments such as \"-delete\" and \"-list\" that are specific to itself.\r\nThe -delete argument uses the following command to continuously check for the existence of its file by looking for the filename:\r\ncmd /v/c \"set f={Malware File Name}\u0026for /l %l in () do if exist !f! (del /f/a \"!f!\") else (exit)\"\r\nIf the file is found, it is immediately deleted. The command keeps running indefinitely until the file is deleted, at which point the loop will exit.\r\nThe -list argument is used to specify a text file containing target directories to encrypt. It loads the file using the ReadFile API, then places the contents of the text file in a buffer. Note that the loaded text file is a sample text file we used for testing and not the format of the text file that will be loaded in an actual attack.\r\nFigure 13. Loading the text file. 
Note that we loaded the sample text file to show that it loads the file when using the -list argument.\r\nIf -disablesafeboot is passed as an argument, it removes the \"safeboot\" value from the current boot entry in the Boot Configuration Data (BCD) and performs an immediate system restart via the following commands:\r\n\"%System%\\bcdedit.exe\" /deletevalue {current} safeboot\r\nshutdown.exe /r /t 0\r\nWhen encrypting network shares using the -network argument, BlackSuit will check whether the IP address begins with one of the following prefixes to ensure that it is encrypting local systems:\r\n192.168.\r\n10.\r\n100.\r\n172.\r\nIt avoids encrypting files with the following strings in their file path:\r\nRoyal and BlackSuit: $recycle.bin, $windows.~bt, Windows, ADMIN$, $windows.~ws, boot, google, mozilla, perflogs, tor browser, windows, windows.old, royal, IPC$\r\nTable 4. Royal and BlackSuit avoid encrypting files that have these strings\r\nRoyal: .exe, .dll, .bat, .lnk, .royal_u, .royal_w\r\nBlackSuit: .exe, .dll, .BlackSuit, .blacksuit, README.BlackSuit.txt\r\nTable 5. Royal and BlackSuit avoid encrypting files that have these extensions\r\nBlackSuit ransomware also deletes shadow copies using the following command:\r\n\"%System%\\vssadmin.exe\" Delete Shadows /All /Quiet\r\nConclusion and insights\r\nThe emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.\r\nOne possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.\r\nWhatever the case may be, the emergence of another ransomware like BlackSuit provides further evidence that threat actors will always look for more effective tools for their attacks, from modifying existing code to developing unique ransomware families, to profit from their victims. As such, both organizations and individual users should remain vigilant when it comes to protecting their files and data from ransomware attacks.\r\nRecommendations and solutions\r\nOrganizations can defend against ransomware attacks by implementing a comprehensive security framework that directs resources towards establishing a strong defense strategy. 
Here are some recommendations:\r\nCreate an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nConduct audits of event and incident logs\r\nManage hardware and software configurations\r\nGrant administrative privileges and access only when necessary\r\nMonitor network ports, protocols, and services\r\nEstablish a whitelist of approved software applications\r\nImplement measures for data protection, backup, and recovery\r\nEnable multifactor authentication (MFA)\r\nDeploy up-to-date security solutions across all system layers\r\nRemain vigilant for early indications of an attack\r\nBy adopting a multi-pronged approach to securing potential entry points, such as endpoints, emails, websites, and networks, organizations can detect and defend against malicious elements and suspicious activities, effectively safeguarding themselves from ransomware attacks.\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Detection name\r\n90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c | Ransom.Win32.BLACKSUIT.THEODBC\r\n1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e | Ransom.Linux.BLACKSUIT.THEODBC\r\n6ac8e7384767d1cb6792e62e09efc31a07398ca2043652ab11c090e6a585b310 | Ransom.Win32.ROYAL.AA\r\n4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99 | Ransom.Win32.ROYAL.SMYECJYT\r\nb57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c | Ransom.Linux.ROYAL.THBOBBC\r\nSource: https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"
	],
	"report_names": [
		"investigating-blacksuit-ransomwares-similarities-to-royal.html"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1ba1c8bfec91f72293184ad6831d356567846b4.pdf",
		"text": "https://archive.orkl.eu/c1ba1c8bfec91f72293184ad6831d356567846b4.txt",
		"img": "https://archive.orkl.eu/c1ba1c8bfec91f72293184ad6831d356567846b4.jpg"
	}
}