The BlackSuit ransomware gang has demanded over $500 million since 2022

A notorious ransomware group has demanded more than half a billion dollars from victims in less than two years.

That staggering statistic has been made public in an update to a joint advisory issued by the US Cybersecurity and Infrastructure Agency (CISA) and the FBI, warning organisations about the threat posed by the BlackSuit gang.

BlackSuit, confirms the advisory, is an evolution of the Royal ransomware which made headlines attacking victims ranging from US healthcare organisations to telecoms firms.  Royal was itself born out of the remains of the infamous Russian Conti group.

BlackSuit, like many other ransomware threats, exfiltrates data from compromised companies and then threatens to publish stolen files on leak sites if a ransom is not paid.

That doesn't make BlackSuit unusual.  What does make BlackSuit stand out in a crowded scene of rasnomware gangs is the sheer amount of money it has attempted to extort from its many victims.

According to the CISA/FBI joint advisory:

"Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million."

The amount of ransom demanded is not specified in the initial ransom note delivered during an attack, but instead is supplied when a victim makes direct contact with the attacker via a link on the dark web.

The advisory notes that there has been an increase recently in the number of incidents where victims have received email communications or even phone calls from their attackers while negotiating payment.

If BlackSuit feels their victim is not going to agree to their demands, or fails to negotiate, it will often publish the victim's data on its leak site.

Although BlackSuit's sizeable ransom demands may strike understandable fear into many organisations, the CISA/FBI advisory notes that it has "exhibited a willingness to negotiate payment amounts."

Of course, that doesn't mean that it is necessarily the right thing to pay your extortionists if you find yourself the victim of a ransomware attack.

Paying a ransom encourages criminals to launch more attacks in the future, and not paying may be itself incur substantial expenses in terms of rebuilding customer trust, brand reputation, and rebuilding relationships with partners.

Being the victim of a ransomware attack often means there is no good choice - only a less bad one.

Past victims of the BlackSuit ransomware gang have included East Central University, CDK Global, universities, and even a zoo.