The Dark Web Hub
Royal [offline]
Royal initially used third-party ransomware including BlackCat and Zeon before developing its own malware, written in C++, which infects Windows systems.
BlackSuit [offline]
Active Since
May 2023
Total Victims as of July 2024
99
Known Forum Aliases
N/A
Active Forum Accounts
N/A
Target Geographies
US, UK, Canada
BlackSuit’s ransomware code is notable for its similarity to the Royal ransomware strain.
As is typical of most ransomware operations, BlackSuit targets a range of industries with a geographical bias towards those located in the United States. It’s highest-profile attack to date is thought to be against CDK Global, a Software-as-a-Service provider for car dealerships.
July 2025 Update
BlackSuit was seized in July 2025, in a US-led law enforcement operation that recovered over $1 million of virtual currency.
Related Content
Podcasts
Ransomware Gangs on the Dark Web
The Dark Web Hub
BlackBasta [offline]
BlackBasta is a ransomware operation that is notable for its high volume of attacks, use of custom tools, and suspected links to cybercriminal group FIN7.
Podcasts
The LockBit Takedown
The Dark Web Hub
BlackCat [offline]
The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.
Podcasts
The Qilin Ransomware Group vs The National Health Service
The Dark Web Hub
Qilin
Qilin gained notoriety in mid-2024 following an attack on pathology service provider Synnovis, which had debilitating effects on several hospitals and health care services in London, UK.