Threat Actor Profile
Cybercriminal
Description
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
Confidence Score
High
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (17)
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'According to Trend Micro, this ransomware has significant '
'code overlap with Royal Ransomware.',
'firstseen': '2023-06-12T15:06:42.651259+00:00',
'group': 'blacksuit',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2025-05-29T12:16:24.875962+00:00',
'locations': [{'available': True,
'fqdn': 'weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion',
'slug': 'http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion',
'title': 'This Site Has Been Seized',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion',
'slug': 'http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion',
'title': 'This Site Has Been Seized',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'blacksuit',
'tools': {'CredentialTheft': ['AccountRestore',
'Mimikatz',
'NirSoft Dialupass',
'NirSoft IEPassView (iepv)',
'NirSoft MailPassView',
'NirSoft Netpass',
'NirSoft RouterPassView'],
'DefenseEvasion': ['Eraser',
'GMER',
'Inno Setup',
'PowerTool',
'VirtualBox'],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SharpHound',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': ['Bublup',
'RClone',
'Temp[.]sh',
'7-Zip'],
'LOLBAS': ['attrib',
'NTDS Utility (ntdsutil)',
'PsExec',
'WMIC',
'PowerShell'],
'Networking': ['Chisel',
'Cloudflared',
'OpenSSH'],
'Offsec': ['Brute Ratel C4',
'Cobalt Strike',
'Rubeus'],
'RMM-Tools': ['AnyDesk',
'Atera',
'LogMeIn',
'MobaXterm']},
'url': 'https://www.ransomware.live/group/blacksuit',
'victims': 184,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['AccountRestore',
'Mimikatz',
'NirSoft Dialupass',
'NirSoft IEPassView (iepv)',
'NirSoft MailPassView',
'NirSoft Netpass',
'NirSoft RouterPassView'],
'DefenseEvasion': ['Eraser',
'GMER',
'Inno Setup',
'PowerTool',
'VirtualBox'],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SharpHound',
'SharpShares',
'SoftPerfect NetScan'],
'Exfiltration': ['Bublup', 'RClone', 'Temp[.]sh', '7-Zip'],
'LOLBAS': ['attrib',
'NTDS Utility (ntdsutil)',
'PsExec',
'WMIC',
'PowerShell'],
'Networking': ['Chisel', 'Cloudflared', 'OpenSSH'],
'Offsec': ['Brute Ratel C4', 'Cobalt Strike', 'Rubeus'],
'RMM-Tools': ['AnyDesk', 'Atera', 'LogMeIn', 'MobaXterm']},
'ttps': [{'tactic_id': 'TA0042',
'tactic_name': 'Resource Development',
'techniques': [{'technique_details': 'BlackSuit actors may purchase '
'access from initial access '
'brokers.',
'technique_id': 'T1650',
'technique_name': 'Acquire Access'}]},
{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'BlackSuit actors use RDP '
'compromise as a secondary '
'initial access vector.',
'technique_id': 'T1021.001',
'technique_name': 'Remote Services: Remote Desktop '
'Protocol'},
{'technique_details': 'BlackSuit actors gain initial '
'access through a variety of '
'RMM software.',
'technique_id': 'T1133',
'technique_name': 'External Remote Services'},
{'technique_details': 'BlackSuit actors gain initial '
'access through public-facing '
'applications.',
'technique_id': 'T1190',
'technique_name': 'Exploit Public-Facing '
'Application'},
{'technique_details': 'BlackSuit actors often '
'obtain initial access to '
'victim networks through '
'phishing.',
'technique_id': 'T1566',
'technique_name': 'Phishing'},
{'technique_details': 'BlackSuit actors have used '
'malicious PDF document '
'attachments in phishing '
'campaigns.',
'technique_id': 'T1566.001',
'technique_name': 'Phishing: Spearphishing '
'Attachment'},
{'technique_details': 'BlackSuit actors gain initial '
'access through malvertising '
'links delivered by email and '
'via public websites.',
'technique_id': 'T1566.002',
'technique_name': 'Phishing: Spearphishing Link'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'BlackSuit actors used a '
'legitimate administrator '
'account to gain access '
'privileges to the domain '
'controller.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'},
{'technique_details': 'BlackSuit actors used '
'encrypted files to create new '
'administrator user accounts.',
'technique_id': 'T1078.002',
'technique_name': 'Valid Accounts: Domain '
'Accounts'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'BlackSuit actors used valid '
'accounts to move laterally '
'through the domain controller '
'using RDP.',
'technique_id': 'T1021.001',
'technique_name': 'Remote Services: Remote Desktop '
'Protocol'},
{'technique_details': 'BlackSuit actors deleted '
'volume shadow copies and the '
'System and Security event logs '
'after exfiltration.',
'technique_id': 'T1070.001',
'technique_name': 'Indicator Removal: Clear Windows '
'Event Logs'},
{'technique_details': 'BlackSuit actors used '
'registry keys to extract and '
'collect files automatically.',
'technique_id': 'T1119',
'technique_name': 'Automated Collection'},
{'technique_details': 'BlackSuit actors modified '
'Group Policy Objects to '
'bypass antivirus protections.',
'technique_id': 'T1484.001',
'technique_name': 'Domain Policy Modification: '
'Group Policy Modification'},
{'technique_details': 'BlackSuit actors disabled '
'antivirus protections.',
'technique_id': 'T1562.001',
'technique_name': 'Impair Defenses: Disable or '
'Modify Tools'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'BlackSuit actors used C2 '
'infrastructure to download '
'various tools.',
'technique_id': 'T1105',
'technique_name': 'Ingress Tool Transfer'},
{'technique_details': 'BlackSuit actors used an '
'encrypted SSH tunnel to '
'communicate with their C2 '
'infrastructure.',
'technique_id': 'T1572',
'technique_name': 'Protocol Tunneling'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'BlackSuit actors encrypted '
'victim data, first identifying '
'which files were in use or '
'locked by other applications.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'BlackSuit actors deleted '
'volume shadow copies to '
'inhibit system recovery.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'}]}],
'url': 'https://www.ransomware.live/group/blacksuit',
'victims': 184,
'vulnerabilities': []}
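The 'ttps' list in the record above is grouped by tactic, but the feed's groupings do not all match MITRE ATT&CK: T1021.001 (Remote Desktop Protocol) is listed under both Initial Access and Defense Evasion although ATT&CK assigns it to Lateral Movement, and T1119 (Automated Collection) sits under Defense Evasion rather than Collection. The following checker is an added example written for this page; it is not code from ransomware.live or from the profile platform. It flattens the feed's nested structure, confirms the 17 distinct techniques the header counts, lists techniques that appear under several tactics, and flags any tactic/technique pairing ATT&CK does not recognise. `ATTACK_TACTICS` is a hand-maintained excerpt of ATT&CK Enterprise covering only the IDs in this profile (an assumption of the example, not a live ATT&CK pull); `PROFILE_TTPS` reproduces the IDs from the record above with the details strings dropped.

```python
"""
Added example, not code from ransomware.live or the profile platform: flatten
the profile's 'ttps' record and check each tactic/technique pairing against
MITRE ATT&CK (Enterprise).
"""
from collections import OrderedDict

# Hand-maintained excerpt of ATT&CK Enterprise: technique -> the tactics it is
# listed under. This is an assumption of the example (not a live pull) and
# covers only the technique IDs present in the profile.
ATTACK_TACTICS = {
    "T1650":     {"TA0042"},                                   # Resource Development
    "T1021.001": {"TA0008"},                                   # Lateral Movement
    "T1133":     {"TA0001", "TA0003"},
    "T1190":     {"TA0001"},
    "T1566":     {"TA0001"},
    "T1566.001": {"TA0001"},
    "T1566.002": {"TA0001"},
    "T1078":     {"TA0001", "TA0003", "TA0004", "TA0005"},
    "T1078.002": {"TA0001", "TA0003", "TA0004", "TA0005"},
    "T1070.001": {"TA0005"},
    "T1119":     {"TA0009"},                                   # Collection
    "T1484.001": {"TA0004", "TA0005"},
    "T1562.001": {"TA0005"},
    "T1105":     {"TA0011"},
    "T1572":     {"TA0011"},
    "T1486":     {"TA0040"},
    "T1490":     {"TA0040"},
}


def tactic_block(tactic_id, *technique_ids):
    """Build one entry in the feed's own shape (technique_details omitted)."""
    return {"tactic_id": tactic_id,
            "techniques": [{"technique_id": t} for t in technique_ids]}


# The 'ttps' list from the record on this page, reduced to IDs.
PROFILE_TTPS = [
    tactic_block("TA0042", "T1650"),
    tactic_block("TA0001", "T1021.001", "T1133", "T1190",
                 "T1566", "T1566.001", "T1566.002"),
    tactic_block("TA0004", "T1078", "T1078.002"),
    tactic_block("TA0005", "T1021.001", "T1070.001", "T1119",
                 "T1484.001", "T1562.001"),
    tactic_block("TA0011", "T1105", "T1572"),
    tactic_block("TA0040", "T1486", "T1490"),
]


def flatten_ttps(ttps):
    """Return (tactic_id, technique_id) pairs in feed order."""
    return [(block["tactic_id"], t["technique_id"])
            for block in ttps for t in block["techniques"]]


def unique_techniques(ttps):
    """Distinct technique IDs; the header's technique count refers to these."""
    return sorted({tech for _, tech in flatten_ttps(ttps)})


def duplicate_techniques(ttps):
    """Technique IDs the feed lists under more than one tactic."""
    seen = OrderedDict()
    for tactic, tech in flatten_ttps(ttps):
        seen.setdefault(tech, []).append(tactic)
    return {tech: tactics for tech, tactics in seen.items() if len(tactics) > 1}


def misplaced_techniques(ttps, attack=ATTACK_TACTICS):
    """Pairs where ATT&CK does not list the technique under that tactic.

    An unknown technique ID is reported with expected=None instead of being
    silently accepted, so a typo in the feed still surfaces.
    """
    out = []
    for tactic, tech in flatten_ttps(ttps):
        expected = attack.get(tech)
        if expected is None or tactic not in expected:
            out.append((tactic, tech, expected))
    return out


if __name__ == "__main__":
    print(len(unique_techniques(PROFILE_TTPS)), "distinct techniques")
    print("listed under several tactics:", duplicate_techniques(PROFILE_TTPS))
    for tactic, tech, expected in misplaced_techniques(PROFILE_TTPS):
        where = sorted(expected) if expected else "unknown technique"
        print(f"{tech} filed under {tactic}; ATT&CK: {where}")
```

Run the checker before importing a feed's tactic groupings into a detection matrix or coverage report: the distinct-technique count matches the header, but the Initial Access and Defense Evasion entries for T1021.001 and the Defense Evasion entry for T1119 should be re-filed under Lateral Movement and Collection respectively.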
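The T1070.001 and T1490 entries describe an ordered sequence on a host: an exfiltration tool runs (RClone and 7-Zip are in the profile's tool list), then shadow copies are deleted, then the Windows event logs are cleared. Each of those actions also happens legitimately, so the useful detection is the chain, not any one step. The script below is an added example written for this page, not code from the profile platform and not drawn from any BlackSuit case data. The command-line patterns are my assumption of how these actions usually appear in process-creation telemetry (vssadmin / wmic for shadow copies, wevtutil for logs); the profile names the behaviours and tools, not the exact commands. `SAMPLE_EVENTS` is constructed sample telemetry, not real events.

```python
"""
Added example, not code from the profile platform: correlate the sequence the
profile describes under T1070.001 and T1490 (exfiltration tool, then shadow
copy deletion, then event log clearing) on a single host, so one vssadmin run
does not page anyone but the ordered chain does.
"""
import re
from datetime import datetime, timedelta

# Detection stages. The patterns are an assumption of how these actions
# commonly appear on Windows; the profile names behaviours, not command lines.
STAGES = [
    ("exfil_tool",    re.compile(r"\b(rclone|7za?)(\.exe)?\b", re.I)),
    ("shadow_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                                 r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("log_clear",     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Constructed sample telemetry, "timestamp|host|user|image|command_line".
# Not real events. FS01 carries the full chain; WS07 and FS02 each show one
# plausibly benign action that must not alert on its own.
SAMPLE_EVENTS = r"""
2024-03-01T01:10:00Z|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2024-03-01T02:05:00Z|FS01|CORP\jdoe|C:\Users\jdoe\rclone.exe|rclone.exe copy D:\Finance remote:bkt --transfers 16
2024-03-01T02:40:00Z|FS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-03-01T02:41:00Z|FS01|CORP\jdoe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
2024-03-01T02:41:05Z|FS01|CORP\jdoe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
2024-03-01T03:00:00Z|WS07|CORP\admin|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Application
2024-03-02T01:00:00Z|FS02|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /for=C: /oldest
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "user": user, "image": image, "cmd": cmd})
    return events


def classify_command(cmd):
    """Return the first matching stage name for a command line, else None."""
    for name, pattern in STAGES:
        if pattern.search(cmd):
            return name
    return None


def detect_chains(events, window_hours=6.0):
    """Per host: the stages seen (in time order) and whether the chain fired.

    The chain fires when an exfil_tool hit is followed, within the window,
    by both a shadow_delete and a log_clear on the same host. Single-stage
    hits are returned for hunting but do not alert.
    """
    window = timedelta(hours=window_hours)
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify_command(ev["cmd"])
        if stage:
            by_host.setdefault(ev["host"], []).append((ev["time"], stage))

    results = {}
    for host, hits in by_host.items():
        alert = False
        for i, (t0, stage) in enumerate(hits):
            if stage != "exfil_tool":
                continue
            later = {s for t, s in hits[i + 1:] if t - t0 <= window}
            if {"shadow_delete", "log_clear"} <= later:
                alert = True
                break
        results[host] = {"stages": [s for _, s in hits], "alert": alert}
    return results


if __name__ == "__main__":
    for host, r in detect_chains(parse_events(SAMPLE_EVENTS)).items():
        flag = "ALERT" if r["alert"] else "info "
        print(f"{flag} {host}: {' -> '.join(r['stages'])}")
```

The window is deliberately a parameter: the same three commands spread over a week on a file server with a backup job is a different story from the same three commands in forty minutes under one interactive user, and the interactive-user part is what the T1078 entries above suggest looking at next.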