[ MALWARE MUTEX INTELLIGENCE DATABASE ]
 ███████╗██╗   ██╗██╗██╗         ███╗   ███╗██╗   ██╗████████╗███████╗██╗  ██╗
 ██╔════╝██║   ██║██║██║         ████╗ ████║██║   ██║╚══██╔══╝██╔════╝╚██╗██╔╝
█████╗  ██║   ██║██║██║         ██╔████╔██║██║   ██║   ██║   █████╗   ╚███╔╝
██╔══╝  ╚██╗ ██╔╝██║██║         ██║╚██╔╝██║██║   ██║   ██║   ██╔══╝   ██╔██╗
 ███████╗ ╚████╔╝ ██║███████╗    ██║ ╚═╝ ██║╚██████╔╝   ██║   ███████╗██╔╝ ██╗
 ╚══════╝  ╚═══╝  ╚═╝╚══════╝    ╚═╝     ╚═╝ ╚═════╝    ╚═╝   ╚══════╝╚═╝  ╚═╝

Advanced Malware Analysis & Threat Intelligence

06:17:09
[ALL_FAMILIES]

BlackSuit

ransomware1 mutex signatures

[BASIC_INFORMATION]

FAMILY_NAME:
BlackSuit
CATEGORY:
RANSOMWARE
DESCRIPTION:
BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebrand of Royal ransomware. Operated by the Ignoble Scorpius group, it targets organizations globally with a focus on construction, manufacturing, and education sectors. The group operates a dark web leak site for extortion and typically demands ransoms equal to about 1.6% of the victim organization's annual revenue. BlackSuit uses various initial access methods including phishing, SEO poisoning, legitimate VPN credentials, and supply chain attacks.
ALIASES:
BlackSuit Ransomware
TAGS:
raasfile_encryptionextortionleak_siteroyal_rebrandconstructionmanufacturingeducationdouble_extortion

[MUTEX_SIGNATURES](1)

[MUTEX_01]
Global\WLm87eV1oNRx6P3E4Cy9
ANALYST: @adhikara13 DATE: 2025-01-15
REFERENCES:
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.blacksuit.ypdjb

[QUICK_ACTIONS]

[THREAT_INTELLIGENCE]

ATTRIBUTION:
Ignoble Scorpius
FIRST_OBSERVED:
2023

[SIGMA_RULE]

[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:9
CATEGORY:RANSOMWARE
 Malware profile loaded successfully 
 EvilMutex Project v1.0.0 
 Open Source Threat Intelligence Database 
[GITHUB][DOCS]