BlackSuit Ransomware Is Credible Threat to Healthcare Cybersecurity, HC3 Says

November 16, 2023 - HC3 issued an analyst note regarding BlackSuit ransomware, a relatively new group that appears to be similar to the Royal ransomware family and its notorious predecessor, Conti ransomware. HC3 warned that the group “will likely be a credible threat” to the healthcare sector.

“Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today,” the analyst note stated.

“Both Royal and the now defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly.”

As previously reported, Conti ransomware claimed responsibility for at least 16 cyberattacks against US healthcare entities by late 2021, and showed no signs of slowing. The group attracted significant attention from US authorities, who formally charged threat actors in connection with Conti attacks.

In 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant, the Department of Justice (DOJ) noted in a September 2023 press release when it unsealed the indictments. Conti has since disbanded, but Conti threat actors have reemerged within smaller groups.

If BlackSuit is truly a successor of Conti, it will not stop targeting the healthcare sector, HC3 warned.

“BlackSuit operates as a private ransomware operation without any known affiliates, and is therefore not considered to be a Ransomware-as-a-Group (RaaS). Its operators are likely experienced, due to the potential ties to Royal (and by default, Conti),” the analyst note continued. “Both Royal and the former Conti groups were known to have well-known organizational systems, business models, and skilled operators.”

BlackSuit largely targets Linux and Windows systems and often claims that it has encrypted and stored victim files on a secure server. There is currently no known public decryptor for BlackSuit available.

Since BlackSuit is relatively new, there is not enough information to determine the group’s preferred targets, HC3 noted. However, its targets thus far have included organizations in the manufacturing, healthcare, business technology, and government sectors.

BlackSuit is suspected to be behind a ransomware attack against a US healthcare organization that provides medical scans and radiology services for nearly 1,000 health systems. The attack allegedly forced health systems to turn away patients and shut down company systems.

“Given both Royal and Conti’s longstanding record of targeting this particular sector, if BlackSuit’s ties to either of the two groups is confirmed, then the healthcare industry should anticipate more attacks to come,” HC3 noted.

HC3 recommended that healthcare organizations remain vigilant and apply necessary safeguards to protect patient data and operations.