What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a BlackSuit attack can make a huge difference and help you make a full recovery. Request 24/7 BlackSuit ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

BlackSuit ransomware statistics & facts

BlackSuit decryptor
BlackSuit IOCs
BlackSuit vectors
Case outcomes
How to remove BlackSuit ransomware?
How to recover from BlackSuit ransomware?
Ransom amounts
BlackSuit decryptor

Unfortunately, there is no publicly available decryptor for BlackSuit ransomware. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.

BlackSuit IOCs

Important note: IOCs often change because BlackSuit constantly updates its tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, Picus Security, The DFIR Report, Cybereason, and IR case data.

File extensions
The most common extension is .blacksuit. Some variants append random alphanumeric strings or use custom extensions based on the victim’s unique identifier.

Ransom note filenames
The primary ransom note is:

readme.BlackSuit.txt

Other observed variations include:

README.TXT (legacy Royal)
BlackSuit_readme.txt
recovery_instructions.txt
decrypt_readme.txt

*The exact filenames may vary by affiliate.

BlackSuit hashes
These are SHA256 hashes used for encrypting payloads in known attacks:

146335b1be627318ac09476f0c8f8e6e027805e6077673f72d6dce1677a24c78
af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61
338228a3e79f3993abc102cbac2ff253c84965213d59ac30892538cdd9b0a22b
a4ef01d55e55cebdd37ba71c28b0c448a9c833c0
b987f738a1e185f71e358b02cafa5fe56a4e3457df3b587d6b40e9c9de1da410

SystemBC backdoor and related tools:

9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300
25a6f82936134a6c5c0066f382530b9d6bf2c8da6feafe028f166b1a9d7283cf

BlackSuit tools
For EDR disabling:

PowerTool64
GMER (rootkit hunter repurposed)

For credential dumping:

Mimikatz
Rubeus (AS-REP roasting, Kerberoasting)
Nirsoft password tools (dialuppass, netpass, mailpv, iepv, routerpassview)

For reconnaissance:

SharpShares
SoftPerfect NetWorx
Advanced IP Scanner
SharpHound / BloodHound
ADFind

For data exfiltration:

RClone (renamed as svchost.exe)
Brute Ratel (BRC4)
Cobalt Strike beacons

For lateral movement:

PsExec
SMB/Windows Admin Shares
RDP
SystemBC (tunneling)

Malware:

Gootloader
SystemBC backdoor
Cobalt Strike

Most common red flag
BlackSuit almost always runs this code:

vssadmin.exe delete shadows /all /quiet

*If you detect this, data encryption is moments away.

BlackSuit vectors

Attack vector

% of BlackSuit incidents

Notes

Phishing + malicious attachments

40–45%

PDF documents, malvertising, fake updates

Exploited vulnerabilities

25–30%

Public-facing applications, VPN bugs

Compromised RDP

13–15%

Brute-force or bought credentials

Initial access brokers

10–12%

Stealer logs, VPN credentials

MSP/Supply chain access

5–8%

RMM compromise, inherited access

Powered By WP Table Builder
Case outcomes

BlackSuit is a direct evolution of Royal ransomware and remains extremely dangerous.

BlackSuit actors have exhibited a willingness to negotiate ransom amounts, but decryptors — when provided — may be slow, unstable, or incomplete, especially on ESXi environments. Some victims experience repeated extortion attempts even after paying. Partial data recovery failures are common when backups were destroyed or tampered with.

BlackSuit is known to publish victim data on their leak site within days if negotiations stall. Recently, victims have also received telephonic or email communications from BlackSuit actors regarding the compromise and ransom demands.

How to remove BlackSuit ransomware?

Note: Attempting to remove BlackSuit ransomware and self-remedy may lead to greater data loss.

To remove BlackSuit ransomware, immediately engage BlackSuit ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).

Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, and any tampering with event logs. After mapping the intrusion, reimage all infected devices using clean, verified system images.

Finally, rely on BlackSuit ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials, and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.

How to recover from BlackSuit ransomware?

To recover from BlackSuit ransomware, follow these essential steps:

• Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware.
• Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment.
• Perform a thorough post-incident review to map the attack chain and identify root causes, then harden or rotate all credentials (especially admin/service accounts) to eliminate any leftover access points.
• Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, and help update your incident-response and business-continuity plans.

Ransom amounts

BlackSuit ransom demands typically range from $1 million to $10 million USD, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.

BlackSuit has demanded over $500 million USD in total, with the largest individual ransom demand reaching $60 million. Notable payments include CDK Global’s $25 million ransom in June 2024.

Because BlackSuit conducts double-extortion attacks, victims face two simultaneous financial threats:

• The ransom itself
• The cost of leaked, stolen, or destroyed data

Organizations should never attempt ransom negotiation alone — BlackSuit is known to escalate threats quickly, publish data when provoked, or disappear after receiving payment if communication is mishandled.

Average ransom:

• Small business: $150,000 – $500,000
• Medium business: $1,000,000 – $3,000,000
• Large enterprise: $5,000,000+

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is BlackSuit ransomware?

BlackSuit is a highly sophisticated Ransomware-as-a-Service (RaaS) operation that emerged in mid-2023 as the evolution of Royal ransomware. The group conducts double-extortion attacks, stealing sensitive data before encrypting systems using advanced partial encryption techniques. BlackSuit has demanded over $500 million USD in total ransoms, with individual demands ranging from $1 million to $60 million in Bitcoin. The group targets critical infrastructure sectors including healthcare, communications, and manufacturing, publishing victim data on their dark-web leak site when ransoms aren’t paid.

Where is the BlackSuit ransomware gang located?

BlackSuit operates as a decentralized cybercrime syndicate with no confirmed physical location. The group uses sophisticated infrastructure including Tor-based communication portals, anonymized servers, and constantly shifting C2 infrastructure to obscure their origins. While specific attribution remains unconfirmed, the group’s evolution from Royal ransomware and operational patterns suggest ties to experienced ransomware operators with advanced technical capabilities.

How does BlackSuit ransomware work?

BlackSuit typically infiltrates through phishing emails, compromised RDP credentials, or exploited public-facing applications. Once inside, attackers use tools like Mimikatz and Nirsoft to steal credentials, then deploy SharpShares and SoftPerfect NetWorx to map the network. They move laterally via RDP, SMB, and PsExec while exfiltrating data using RClone and Brute Ratel. Before encryption, they disable antivirus through Group Policy modifications, delete shadow copies with vssadmin, and deploy SystemBC or Gootloader for persistence. Finally, they execute the ransomware using batch scripts, encrypting files with a unique partial encryption approach that allows them to choose specific percentages of data to encrypt, evading detection while maintaining speed.

How long do BlackSuit ransomware attacks last?

BlackSuit’s encryption phase is devastatingly fast—small networks can be fully encrypted in under 20 minutes, mid-size environments in 1–2 hours, and large enterprises within several hours. However, the full attack timeline is much longer: threat actors typically maintain undetected access for days or weeks before encryption, spending this dwell time stealing credentials, exfiltrating data, disabling security tools, destroying backups, and positioning themselves for maximum impact across the entire environment.

Where can I find a BlackSuit victims list?

There is no official public list of BlackSuit victims, but confirmed cases are published on BlackSuit’s dark-web leak site when victims refuse to pay. These disclosures are subsequently tracked by cybersecurity researchers, threat intelligence platforms, and media outlets monitoring ransomware activity. Security teams often monitor these leak portals, CTI feeds, and DFIR reports to stay informed about newly disclosed victims and emerging attack patterns.

Can BlackSuit ransomware be deleted?

You can remove the BlackSuit malware binaries and associated tools from infected systems, but removal alone does nothing to decrypt your files or guarantee the attack is fully contained. There is currently no public decryptor available for BlackSuit ransomware. Because threat actors often establish multiple persistence mechanisms using SystemBC, Gootloader, and legitimate RMM tools as backdoors, proper recovery requires professional incident response, comprehensive environment remediation, threat hunting to eliminate all attacker access, and restoration from clean, uncompromised backups.

What happens when you get BlackSuit ransomware?

BlackSuit attackers infiltrate your network days or weeks before encryption, silently stealing credentials, exfiltrating sensitive data, disabling EDR and antivirus through Group Policy modifications, and spreading laterally through domain controllers and critical servers. When the ransomware detonates, files across Windows, Linux, and ESXi systems are rapidly encrypted using partial encryption techniques, shadow copies are wiped via vssadmin, and ransom notes named “readme.BlackSuit.txt” appear throughout your directories. Application, System, and Security event logs are deleted to cover tracks. Soon after, you may receive phone calls or emails from the attackers, and stolen data is threatened or published on their dark-web leak site to pressure payment.

How can ransomware be prevented?

Ransomware is best prevented through defense-in-depth security: prioritize patching known exploited vulnerabilities within 48 hours, enforce phishing-resistant MFA on all accounts especially admin access, deploy EDR with 24/7 SIEM monitoring and threat hunting, segment networks to restrict lateral movement, harden identity management and disable unused RDP, implement time-based JIT access for privileged accounts, train employees to recognize phishing, and protect backups with immutability and offline storage so attackers cannot tamper with recovery options. Disable command-line scripting where possible and maintain comprehensive logging.

What is a ransomware prevention checklist?

Here’s a ransomware prevention checklist to help your organization block, detect, and contain attacks:

Patch critical vulnerabilities within 48 hours
Enforce phishing-resistant MFA for all accounts, especially privileged users
Deploy EDR on all endpoints with real-time detection enabled
Centralize logs into SIEM with 24/7 monitoring
Monitor for lateral movement and abnormal network activity
Disable unused RDP and enforce VPN with MFA
Segment networks to limit adversary movement
Restrict admin privileges using least-privilege and JIT access
Maintain offline, encrypted, immutable backups tested regularly
Disable macros by default and implement email security policies
Conduct phishing simulations and security awareness training
Perform regular incident response tabletop exercises