Intel Name: BlackSuit: a hybrid approach with data exfiltration and encryption
Date of Scan: August 12, 2025
Impact: High
Summary: A recent ransomware attack revealed distinct tactics by the BlackSuit group, believed to be a rebrand of Royal, which itself evolved from Conti. The operators used tools such as Cobalt Strike, rclone, RDP, psexec, and vssadmin in a multi-stage operation aimed at data exfiltration and encryption. Unusually, BlackSuit exfiltrates and deletes some data before encryption to speed up the process. An uncommon use of the -nomutex flag was also noted; it allows multiple instances of the ransomware to run on the same host at once.