BlackSuit Ransomware Strikes Again! The notorious hackers behind last year's Dallas attack have rebranded as BlackSuit, now demanding $500 million in ransoms! The FBI and CISA confirm the group's new identity, with aggressive tactics and enhanced methods to pressure victims into paying up.
Thomas Ricardo - Cyber Analyst Reporter
August 21, 2024

https://www.cybernewscentre.com/plus-content/content/cyber-bites-weekly-blacksuit-ransomware-strikes-china-linked-cyber-threats-and-data-breach-fine


Royal Ransomware Rebrands as BlackSuit, Demands Over $500 Million in Ransoms

The hackers behind the infamous ransomware attack on Dallas last year have rebranded as a new group named BlackSuit, demanding over $500 million in ransoms. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) updated their advisory, confirming that the group, formerly known as Royal, now operates under the BlackSuit name.

The new advisory provides extensive technical details to help defenders identify the group's activities, which included ransom demands reaching up to $60 million. The transition to BlackSuit branding was noted as early as November, and recent attacks continue under this new name.

“Ransom demands have typically ranged from approximately $1 million to $10 million, with payment demanded in Bitcoin,” the agencies stated. “BlackSuit actors have exhibited a willingness to negotiate payment amounts.” The advisory highlights numerous coding similarities linking the Royal and BlackSuit groups, while also noting BlackSuit's enhanced capabilities.

The hackers predominantly use phishing emails for initial access, followed by disabling antivirus software, exfiltrating large amounts of data, and deploying ransomware. A rise in direct communication from BlackSuit actors to victims has been observed, a tactic aimed at pressuring ransom payments.

New technical data on BlackSuit, derived from FBI threat response incidents as of July 2024, reveals the hackers' use of legitimate tools and accounts to navigate victim systems. They deactivate antivirus software and maintain access using remote monitoring and management software. The advisory also lists IP addresses for organizations to investigate.
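The advisory's indicator list is only useful if it is actually run against an organisation's own traffic records. The script below is an added illustration, not code from the advisory or from Cyber News Centre: it takes a list of indicator IPs and ranges (the values here are constructed placeholders from the documentation test ranges, not the advisory's real indicators) and checks both the source and destination addresses of some constructed firewall log lines against them, so that a defender can see which internal hosts talked to flagged infrastructure and when.

```python
import ipaddress
import re

# Placeholder indicators (constructed for this example; substitute the IPs
# and ranges published in the FBI/CISA advisory). CIDR notation is accepted.
IOC_INDICATORS = [
    "198.51.100.23",    # single host (TEST-NET-2 documentation range)
    "203.0.113.0/28",   # small network (TEST-NET-3 documentation range)
]

# Constructed sample firewall log lines; not taken from any real incident.
SAMPLE_LOGS = """\
2024-07-02T10:14:03Z allow src=10.0.4.17 dst=198.51.100.23 dport=443 proto=tcp
2024-07-02T10:14:09Z allow src=10.0.4.17 dst=142.250.72.14 dport=443 proto=tcp
2024-07-02T10:15:41Z allow src=10.0.9.5 dst=203.0.113.7 dport=8443 proto=tcp
2024-07-02T10:16:02Z deny src=203.0.113.250 dst=10.0.0.2 dport=3389 proto=tcp
2024-07-02T10:16:30Z allow src=10.0.4.17 dst=8.8.8.8 dport=53 proto=udp
"""

# Hypothetical key=value log layout; adapt the pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)"
)


def compile_indicators(indicators):
    """Turn plain IPs and CIDR strings into ip_network objects for membership tests."""
    return [ipaddress.ip_network(item, strict=False) for item in indicators]


def matching_indicator(ip_str, nets):
    """Return the indicator network that contains ip_str, or None if there is none."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed address in the log; treat as no match
        return None
    for net in nets:
        if ip in net:
            return str(net)
    return None


def scan_logs(lines, indicators):
    """Return one hit record per (log line, direction) that touches an indicator."""
    nets = compile_indicators(indicators)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        for direction in ("src", "dst"):
            hit = matching_indicator(m.group(direction), nets)
            if hit is not None:
                hits.append({
                    "ts": m.group("ts"),
                    "action": m.group("action"),
                    "direction": direction,
                    "ip": m.group(direction),
                    "indicator": hit,
                    "dport": int(m.group("dport")),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS.splitlines(), IOC_INDICATORS):
        print(f"{hit['ts']} {hit['action']} {hit['direction']}={hit['ip']} "
              f"matched {hit['indicator']} (port {hit['dport']})")
```

Two of the five constructed lines match: the connection to the single flagged host and the one inside the flagged /28; the denied inbound attempt from 203.0.113.250 falls outside the /28 and is correctly ignored. Matching both directions matters because the advisory's indicators cover infrastructure that victims connect out to as well as addresses that connect in.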

BlackSuit has claimed responsibility for several recent attacks on U.S. schools, colleges, prominent companies, and local governments. CISA Director Jen Easterly emphasised the urgency of cybersecurity, stating, “Because of ransomware attacks, people are waking up to the idea of ‘what do I need to do to protect my family and my community?’”

Easterly Warns of Destructive Cyberattacks from China Causing Widespread Outages

LAS VEGAS — Recent global technology outages caused by a CrowdStrike update should serve as a “dress rehearsal” for potential destructive cyberattacks from China-linked hackers, warns Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA). Speaking at the Black Hat cybersecurity conference, Easterly highlighted that escalating tensions between China and Taiwan have led Beijing to explore ways to launch destructive attacks against Taiwan and its allies, including the U.S.

“We are building resilience into our networks and our systems so that we can withstand a significant disruption or at least drive down the recovery time to be able to provide services,” Easterly said, describing the CrowdStrike incident as a useful exercise in preparation for possible Chinese cyberattacks.

U.S. officials continue to hunt for and eliminate compromises caused by Volt Typhoon, a Chinese state-sponsored group aiming to prepare for such attacks. While China has denied involvement, CISA and the FBI have repeatedly warned that Volt Typhoon hackers are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” Evidence of Volt Typhoon hackers has been found in U.S. critical infrastructure in Guam and near other military bases, aiming to slow potential mobilisation of forces.

Easterly stressed the importance of building resilience now to prepare for massive disruptions. The CrowdStrike incident affected thousands of hospitals, airports, and businesses worldwide, requiring extensive IT work to resolve. CISA worked alongside other government agencies and Microsoft to provide mitigation guidance and assess the impact on critical infrastructure. Easterly emphasised the need for coordination, stating, “This is exactly what China wants to do,” and urged the public to be prepared for incidents causing significant technology outages.

KTT Fined $120,000 for Data Breach: Failure to Delete Personal Data Before Sale Exposes Thousands

SINGAPORE - Keppel Telecommunications & Transportation (KTT) has been fined $120,000 after failing to delete personal data from a server of a business it sold in 2022, which was subsequently hacked. The Personal Data Protection Commission (PDPC) revealed in a decision published online on August 2 that personal data belonging to about 22,659 people was at risk of unauthorised access and leakage.

The affected individuals included current and former employees of KTT and its subsidiaries, KTT’s shareholders when it was listed on the Singapore Exchange, and those with business dealings with the company. Evidence of the data leak surfaced when a ransomware group published nine encrypted files on the Dark Web, claiming they contained personal data of up to 7,184 individuals. "Such failures in data protection are unacceptable and must be addressed with utmost urgency," a PDPC spokesperson commented.

Despite KTT's inability to confirm if all personal data was compromised, the leak included signatures, images of identification cards, and bank account numbers.

Investigations revealed that an unknown entity infiltrated the server on September 5, 2022, through a compromised account of a vendor for Geodis Logistics Singapore (GLS), divested from KTT two months prior. The PDPC found KTT failed to delete the personal data after migrating it to cloud storage in 2020 and before selling the business in 2022. Although KTT took prompt actions to mitigate the incident's impact and cooperated fully with investigations, the PDPC cited systemic shortcomings in KTT’s data protection processes, leading to the fine.
