Wednesday, July 3, 2024

Are You Trollin Me?

Did Black Suit Ransomware just try to troll me?


Black Spade.

by Dominic Alvieri
July 3rd, 2024


The story goes a little something like this...


/Conti_Royal_BlackSuit/
                       |_BlackSpade/


Then a random social media account with a mixed-letter-and-number handle chimes in. To make a long story short, several people, both known and unknown to me, recently mentioned the same thing: "...a guy from Black Suit started his own group and is responsible for a major incident. The group is called Black Spade."

Who is Black Spade?




The Royal (Ransomware) Flush


Black Spade would be the continuation of the group formed by a Conti member who created Royal Ransomware, then rebranded to Black Suit, and is now either planning to spin off or to rebrand as this new alleged Black Spade group.

Black Suit was attributed to the recent damaging CDK cyber incident. A CDK spokesperson originally said "it will take months to fully restore our network," and now they say they will be up and running by July 4th. Now that the incident appears to be over, I think it is important to bring this to light. Bad actors, with or without ransomware, will in general lie, cheat and steal to get the money they feel entitled to. They will even try to bribe or fool a researcher, reporter or analyst into making false statements during a ransom negotiation to influence the outcome. Millions of dollars are at stake.

Is there a Black Spade? The Major Plot Twist


I really had the feeling I was being trolled. A pro-level troll. Royal payback, if you will. Contacted during a major incident, with a major plot twist in the middle of alleged negotiations. I have never heard of such a thing. It is also rare for a group to willingly give out their new spinoff and/or rebrand name beforehand. It defeats the purpose.

So is there a Black Spade? Not yet. The new Black Spade claims came a day or two before CDK's sudden positive turn in its statements about the cybersecurity incident. Once again, CDK was never posted by Black Suit, and they should be fully operational by Independence Day, July 4th, which is tomorrow.

Once again, two individuals mentioned the same name on the same day with bold new claims: the new group called "Black Spade" was a former or current Black Suit member with a major victim. I asked for something concrete, an IoC, a new strain or anything that could back the claim. With a claim like that you have to produce a ransom note, a data sample, a leak post or some other evidence.




I had a feeling I was communicating with Royal, who is still probably a little sore at me from the old Twitter days, when Royal was known online as @LockerRoyal before being suspended.

I need some proof of compromise, a ransom note or something


For those of you that do not follow threat actors as closely as I do, here is a little backdrop. Black Suit recently set a record (for them) by posting 9 new victims in a day, plus a leaked school district that had originally been posted earlier, as their 10th post for the day. Black Suit had never before posted 10 victims in a week, or that frequently on a monthly basis. It did look like Black Suit was cleaning house and possibly preparing to rebrand and/or exit.

Skeptical, I mentioned to both the security researcher and the person I now presume to be the threat actor that I would put a feeler post out in a few hours mentioning the new threat group, but that I needed something solid before going forward with anything more. It is not a new ransomware group without a new strain, so it isn't "Black Spade Ransomware," but it sounded somewhat feasible and a possible threat.



My post above


Careful not to create a major stir, I toned down the threat, ruling out the possibility that this new group was a LockBit or AlphV BlackCat rebrand, just in case it was being used for leverage with potential victims during a ransom negotiation. The timestamp is underlined.

Their post roughly an hour later...


Roughly an hour after my post, Black Suit posted Kadokawa. Kadokawa was the 11th post and 10th new victim for Black Suit within 2 days, which is a first. The usual Black Suit post rate is well below that number.



The Ransomware News bot from VX Underground's post, with the timestamp underlined.

The Black Suit Kadokawa post



It may have just been a wild coincidence with the poker reference, but it didn't feel like it.

The Ace of Spades


"...we prefer not to show all the aces we have prepared within the sleeve."


No points for the poor Russian-to-English translation above, but I did catch the reference. It may have been nothing, probably just another cybersecurity coincidence.





"...we are only interested in money." - Black Suit Ransomware


The Ugly Side of Cyber - Negotiations


CDK has never been posted by Black Suit or any other group to date. The original ransom request was believed to be $10 million, with online rumors ballooning it to as high as $80 million. The truth is probably somewhere in between and closer to the lower figure. Ransomware groups and threat actors routinely ask for way more than they are willing to settle for. They overinflate their claims and use whatever other means are needed.

Just like that, one of the two deleted their account, and the next day fortunes turned for the encrypted.

CDK should be back fully operational by the time you read this. Once again, CDK was never posted by Black Suit, but CDK confirmed the cyber incident and identified the actor as Black Suit. Kadokawa was leaked by Black Suit.

Is Black Spade for real? Is Black Spade coming? I'm not sure, but if that name does come up, make sure to do your due diligence.

Stay safe online and off.



Dominic Alvieri
@AlvieriD
