BlackSuit

These similarities include command line arguments, code similarities, file exclusions, and similar intermittent encryption techniques.

the use of the same batch scripts and files: file1.bat, file2.bat, ip.txt, and gp.bat

file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive

Royal can scan the network interfaces of targeted systems. LightSpy reads the host's Wi‑Fi connection history and utilizes Apple's CWWiFiClient API to scan for nearby Wi‑Fi networks and obtain SSID, security type, and RSSI values.

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."

"Babuk can enumerate disk volumes, get disk information"; "Ryuk has called GetLogicalDrives ... and GetDriveTypeW"; "Cuba can enumerate local drives, disk type, and disk free space"; "Chimera ... fsutil fsinfo drives"

The group employs Royal and BlackSuit lockers, with Emotet and IcedID as precursors. They prioritize alternatives to CobaltStrike, particularly Sliver, and develop custom precursor loaders.

Zolotarjovs was specifically tasked with analyzing data stolen from victims, researching the companies and using the information to force victims into paying.

When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data.

...his involvement in a series of ransomware attacks... | A federal judge sentenced a Latvian national ... for his involvement in a series of ransomware attacks ... helped an organization led by former leaders of the Conti ransomware group extort payments from more than 54 companies.

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.

He analyzed stolen data and used sensitive information to intensify extortion tactics. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance.

file1.bat : a batch file designed to set up the system with autologon as the newly-created administrative user AdminBac, reboot into Safe Mode ... file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive