
BlackSuit Ransomware: A Conti Successor Targeting Large Organisations with Refined Extortion Tactics

BlackSuit is a newer ransomware group, but one that’s already raising red flags across the cybersecurity world.


Security researchers have identified code and behavioural overlaps with the now-defunct Conti ransomware operation—suggesting that BlackSuit may be a direct successor or spin-off. With proven infrastructure, familiar tactics, and a growing list of victims, this group is already showing signs of becoming a major threat to enterprise environments.

At STORM Guidance, we help businesses anticipate and respond to high-risk ransomware groups like BlackSuit by providing expert-led incident response, containment, and strategic risk management.



How BlackSuit Ransomware Works


BlackSuit uses a double-extortion model: sensitive data is stolen before systems are encrypted, and ransom payments are demanded both to restore access and to prevent the stolen data from being leaked publicly. Its ransomware supports Windows and Linux systems, which makes it especially dangerous for hybrid IT environments.


Key tactics include:

  • Initial access via phishing emails, compromised credentials, or unpatched remote access tools

  • Use of Cobalt Strike and other penetration testing tools for lateral movement

  • File encryption, often with a .blacksuit extension and custom ransom notes

  • Operation of a leak site where stolen data is published in stages for non-paying victims


BlackSuit campaigns are typically fast-moving, and the group appears highly organised—indicative of experienced operators returning under a new name.
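As an added example (not part of this post or of STORM Guidance's material), the Python script below applies two of the indicators above to constructed file-server activity logs: a file taking the .blacksuit extension fires an alert immediately, and a burst of writes from one host and user fires regardless of extension. The log format, host names, user names and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The extension comes from the write-up above; burst threshold and window are
# illustrative and must be tuned to the baseline of the file server watched.
KNOWN_EXTENSIONS = (".blacksuit",)
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=30)

# Constructed sample log: "<timestamp> <host> <user> <operation> <path>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FS01 alice write /share/finance/q1.xlsx
2024-05-01T10:00:02Z FS01 alice rename /share/finance/q1.xlsx.blacksuit
2024-05-01T10:05:00Z FS02 bob write /share/hr/a.docx
2024-05-01T10:05:01Z FS02 bob write /share/hr/b.docx
2024-05-01T10:05:02Z FS02 bob write /share/hr/c.docx
2024-05-01T10:05:03Z FS02 bob write /share/hr/d.docx
2024-05-01T10:05:04Z FS02 bob write /share/hr/e.docx
2024-05-01T10:05:05Z FS02 bob write /share/hr/f.docx
2024-05-01T10:20:00Z FS01 carol read /share/legal/contract.pdf
2024-05-01T10:30:00Z FS01 carol write /share/legal/contract.pdf
"""

def parse_event(line):
    """Split one log line into (timestamp, host, user, operation, path)."""
    ts, host, user, op, path = line.split(maxsplit=4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, op, path

def analyse(log_text, burst_count=BURST_COUNT, window=BURST_WINDOW):
    """Return alerts for known-extension hits and per-host/user write bursts."""
    alerts = []
    recent = defaultdict(list)   # (host, user) -> timestamps of writes in window
    burst_reported = set()       # raise the burst alert once per host/user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, op, path = parse_event(line)
        if op not in ("write", "rename"):
            continue             # reads never indicate encryption
        # Rule 1: a file taking the known ransomware extension is high confidence.
        if path.lower().endswith(KNOWN_EXTENSIONS):
            alerts.append({"rule": "known-extension", "host": host, "user": user, "path": path})
        # Rule 2: a burst of writes from one host/user, whatever the extension,
        # catches encryption even after the operator changes the suffix.
        key = (host, user)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= burst_count and key not in burst_reported:
            burst_reported.add(key)
            alerts.append({"rule": "write-burst", "host": host, "user": user, "count": len(recent[key])})
    return alerts
```

A bulk copy or backup job will also cross the burst threshold, so tune the count and window to each server's baseline before acting on that rule.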



Who BlackSuit Targets


BlackSuit has been observed targeting:

  • Large enterprises and mid-sized organisations with valuable data

  • Sectors including healthcare, manufacturing, legal, and financial services

  • Environments with legacy infrastructure, flat networks, or weak segmentation


The group clearly prioritises businesses where data sensitivity and operational disruption can drive ransom payments.



How to Defend Against BlackSuit Ransomware


✅ Patch remote access tools, VPNs, and other public-facing infrastructure

✅ Enforce multi-factor authentication on all privileged accounts

✅ Monitor for lateral movement and unusual credential use

✅ Implement strong backup strategies, with offline and immutable storage

✅ Educate staff on phishing and credential-harvesting techniques

✅ Prepare a ransomware-specific incident response plan



If Your Business Is Attacked by BlackSuit


If BlackSuit ransomware is impacting your systems:

  • Isolate compromised systems immediately to limit spread

  • Preserve all ransom notes, logs, and indicators of compromise

  • Conduct a data exposure assessment and initiate breach response protocols

  • Involve legal, compliance, and communications teams early

  • Avoid ransom communication until you’ve consulted a response specialist


STORM Guidance provides:

✔ Technical investigation and rapid threat containment

✔ Expert guidance on data breach obligations and stakeholder communication

✔ Secure recovery and rebuild strategies

✔ Ransom response support, including negotiation if required



BlackSuit: Conti’s Tactics, Repackaged for the Next Wave of Enterprise Attacks


BlackSuit is proof that threat actor infrastructure doesn’t die—it evolves.

Whether this is Conti reborn or a savvy reuse of its tools, the outcome is the same: fast, targeted attacks with high stakes for businesses that aren't prepared.

By staying alert to emerging ransomware groups—and understanding the legacy operations that feed them—your organisation can stay one step ahead. STORM Guidance is here to help you respond, recover, and reinforce your resilience before the next wave hits.



Immediate Response Available

If you’re under attack, contact STORM Guidance now.


