Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
BlackSuit ransomware recovery team on standby
Do NOT attempt to negotiate or restore files on your own—this can escalate the BlackSuit ransomware attack and risk permanent data loss. Instead, engage UnderDefense’s expert incident response team now to swiftly contain, investigate, and recover your critical operations.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a BlackSuit attack can make a huge difference and help you make a full recovery. Request 24/7 BlackSuit ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Watch out for the key BlackSuit ransomware IOCs: .blacksuit file encryption, readme.BlackSuit.txt ransom notes, disabled antivirus software, mass shadow copy deletion, suspicious admin activity, and tools like RClone, PsExec, Mimikatz, or SystemBC running in your environment.
Uses unique partial encryption approach with multi-threaded execution, encrypting only selected percentages of file data to evade detection and accelerate attacks.
Steals sensitive data before encryption and threatens to publish it on their leak site if ransom isn't paid, typically demanding $1M-$10M in Bitcoin.
Emerged as a sophisticated rebrand of Royal ransomware with improved capabilities, sharing coding similarities while exhibiting enhanced attack techniques since mid-2023.
Targets Windows, Linux, and VMware ESXi environments across entire networks using RDP, SMB, and legitimate admin accounts for lateral movement.
The readme.BlackSuit.txt note directs you to download the TOR browser and open a .onion link to communicate with the attackers about decryption and data deletion.
Unfortunately, there is no publicly available decryptor for BlackSuit ransomware. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.
Important note: IOCs often change because BlackSuit constantly updates its tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, Picus Security, The DFIR Report, Cybereason, and IR case data.
File extensions
The most common extension is .blacksuit. Some variants append random alphanumeric strings or use custom extensions based on the victim’s unique identifier.
Ransom note filenames
The primary ransom note is:
readme.BlackSuit.txt
Other observed variations include:
README.TXT (legacy Royal)
BlackSuit_readme.txt
recovery_instructions.txt
decrypt_readme.txt
*The exact filenames may vary by affiliate.
BlackSuit hashes
These are SHA256 hashes used for encrypting payloads in known attacks:
146335b1be627318ac09476f0c8f8e6e027805e6077673f72d6dce1677a24c78
af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61
338228a3e79f3993abc102cbac2ff253c84965213d59ac30892538cdd9b0a22b
a4ef01d55e55cebdd37ba71c28b0c448a9c833c0
b987f738a1e185f71e358b02cafa5fe56a4e3457df3b587d6b40e9c9de1da410
SystemBC backdoor and related tools:
9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300
25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf
BlackSuit tools
For EDR disabling:
PowerTool64
GMER (rootkit hunter repurposed)
For credential dumping:
Mimikatz
Rubeus (AS-REP roasting, Kerberoasting)
Nirsoft password tools (dialuppass, netpass, mailpv, iepv, routerpassview)
For reconnaissance:
SharpShares
SoftPerfect NetWorx
Advanced IP Scanner
SharpHound / BloodHound
ADFind
For data exfiltration:
RClone (renamed as svchost.exe)
Brute Ratel (BRC4)
Cobalt Strike beacons
For lateral movement:
PsExec
SMB/Windows Admin Shares
RDP
SystemBC (tunneling)
Malware:
Gootloader
SystemBC backdoor
Cobalt Strike
Most common red flag
BlackSuit almost always runs this code:
vssadmin.exe delete shadows /all /quiet
*If you detect this, data encryption is moments away.
Attack vector | % of BlackSuit incidents | Notes |
Phishing + malicious attachments | 40–45% | PDF documents, malvertising, fake updates |
Exploited vulnerabilities | 25–30% | Public-facing applications, VPN bugs |
Compromised RDP | 13–15% | Brute-force or bought credentials |
Initial access brokers | 10–12% | Stealer logs, VPN credentials |
MSP/Supply chain access | 5–8% | RMM compromise, inherited access |
BlackSuit is a direct evolution of Royal ransomware and remains extremely dangerous.
BlackSuit actors have exhibited a willingness to negotiate ransom amounts, but decryptors — when provided — may be slow, unstable, or incomplete, especially on ESXi environments. Some victims experience repeated extortion attempts even after paying. Partial data recovery failures are common when backups were destroyed or tampered with.
BlackSuit is known to publish victim data on their leak site within days if negotiations stall. Recently, victims have also received telephonic or email communications from BlackSuit actors regarding the compromise and ransom demands.
Note: Attempting to remove BlackSuit ransomware and self-remedy may lead to greater data loss.
To remove BlackSuit ransomware, immediately engage BlackSuit ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).
Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, and any tampering with event logs. After mapping the intrusion, reimage all infected devices using clean, verified system images.
Finally, rely on BlackSuit ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials, and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.
To recover from BlackSuit ransomware, follow these essential steps:
• Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware.
• Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment.
• Perform a thorough post-incident review to map the attack chain and identify root causes, then harden or rotate all credentials (especially admin/service accounts) to eliminate any leftover access points.
• Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, and help update your incident-response and business-continuity plans.
BlackSuit ransom demands typically range from $1 million to $10 million USD, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.
BlackSuit has demanded over $500 million USD in total, with the largest individual ransom demand reaching $60 million. Notable payments include CDK Global’s $25 million ransom in June 2024.
Because BlackSuit conducts double-extortion attacks, victims face two simultaneous financial threats:
• The ransom itself
• The cost of leaked, stolen, or destroyed data
Organizations should never attempt ransom negotiation alone — BlackSuit is known to escalate threats quickly, publish data when provoked, or disappear after receiving payment if communication is mishandled.
Average ransom:
• Small business: $150,000 – $500,000
• Medium business: $1,000,000 – $3,000,000
• Large enterprise: $5,000,000+
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowBlackSuit is a highly sophisticated Ransomware-as-a-Service (RaaS) operation that emerged in mid-2023 as the evolution of Royal ransomware. The group conducts double-extortion attacks, stealing sensitive data before encrypting systems using advanced partial encryption techniques. BlackSuit has demanded over $500 million USD in total ransoms, with individual demands ranging from $1 million to $60 million in Bitcoin. The group targets critical infrastructure sectors including healthcare, communications, and manufacturing, publishing victim data on their dark-web leak site when ransoms aren’t paid.
BlackSuit operates as a decentralized cybercrime syndicate with no confirmed physical location. The group uses sophisticated infrastructure including Tor-based communication portals, anonymized servers, and constantly shifting C2 infrastructure to obscure their origins. While specific attribution remains unconfirmed, the group’s evolution from Royal ransomware and operational patterns suggest ties to experienced ransomware operators with advanced technical capabilities.
BlackSuit typically infiltrates through phishing emails, compromised RDP credentials, or exploited public-facing applications. Once inside, attackers use tools like Mimikatz and Nirsoft to steal credentials, then deploy SharpShares and SoftPerfect NetWorx to map the network. They move laterally via RDP, SMB, and PsExec while exfiltrating data using RClone and Brute Ratel. Before encryption, they disable antivirus through Group Policy modifications, delete shadow copies with vssadmin, and deploy SystemBC or Gootloader for persistence. Finally, they execute the ransomware using batch scripts, encrypting files with a unique partial encryption approach that allows them to choose specific percentages of data to encrypt, evading detection while maintaining speed.
BlackSuit’s encryption phase is devastatingly fast—small networks can be fully encrypted in under 20 minutes, mid-size environments in 1–2 hours, and large enterprises within several hours. However, the full attack timeline is much longer: threat actors typically maintain undetected access for days or weeks before encryption, spending this dwell time stealing credentials, exfiltrating data, disabling security tools, destroying backups, and positioning themselves for maximum impact across the entire environment.
There is no official public list of BlackSuit victims, but confirmed cases are published on BlackSuit’s dark-web leak site when victims refuse to pay. These disclosures are subsequently tracked by cybersecurity researchers, threat intelligence platforms, and media outlets monitoring ransomware activity. Security teams often monitor these leak portals, CTI feeds, and DFIR reports to stay informed about newly disclosed victims and emerging attack patterns.
You can remove the BlackSuit malware binaries and associated tools from infected systems, but removal alone does nothing to decrypt your files or guarantee the attack is fully contained. There is currently no public decryptor available for BlackSuit ransomware. Because threat actors often establish multiple persistence mechanisms using SystemBC, Gootloader, and legitimate RMM tools as backdoors, proper recovery requires professional incident response, comprehensive environment remediation, threat hunting to eliminate all attacker access, and restoration from clean, uncompromised backups.
BlackSuit attackers infiltrate your network days or weeks before encryption, silently stealing credentials, exfiltrating sensitive data, disabling EDR and antivirus through Group Policy modifications, and spreading laterally through domain controllers and critical servers. When the ransomware detonates, files across Windows, Linux, and ESXi systems are rapidly encrypted using partial encryption techniques, shadow copies are wiped via vssadmin, and ransom notes named “readme.BlackSuit.txt” appear throughout your directories. Application, System, and Security event logs are deleted to cover tracks. Soon after, you may receive phone calls or emails from the attackers, and stolen data is threatened or published on their dark-web leak site to pressure payment.
Ransomware is best prevented through defense-in-depth security: prioritize patching known exploited vulnerabilities within 48 hours, enforce phishing-resistant MFA on all accounts especially admin access, deploy EDR with 24/7 SIEM monitoring and threat hunting, segment networks to restrict lateral movement, harden identity management and disable unused RDP, implement time-based JIT access for privileged accounts, train employees to recognize phishing, and protect backups with immutability and offline storage so attackers cannot tamper with recovery options. Disable command-line scripting where possible and maintain comprehensive logging.
Here’s a ransomware prevention checklist to help your organization block, detect, and contain attacks:
Patch critical vulnerabilities within 48 hours
Enforce phishing-resistant MFA for all accounts, especially privileged users
Deploy EDR on all endpoints with real-time detection enabled
Centralize logs into SIEM with 24/7 monitoring
Monitor for lateral movement and abnormal network activity
Disable unused RDP and enforce VPN with MFA
Segment networks to limit adversary movement
Restrict admin privileges using least-privilege and JIT access
Maintain offline, encrypted, immutable backups tested regularly
Disable macros by default and implement email security policies
Conduct phishing simulations and security awareness training
Perform regular incident response tabletop exercises