(Bloomberg) -- A little more than a year ago, a cyberattack forced the city of Dallas to shut down its computer systems, including one that the local fire department relies on to track emergencies. For four days, firefighters resorted to moving magnets around on a map to keep tabs on incidents and manage their crews.

Some systems were offline for weeks. Sensitive information on some 30,000 people was stolen.

The gang behind the attack was called Royal, a relatively new and aggressive cybercriminal group that was originally known as Zeon. But these weren’t amateurs: Some of Royal’s members hailed from one of the most notorious hacking groups ever, Conti.

Such is the nature of hacking gangs, which researchers say are incestuous and difficult to track (by design). They’re continually rebranding themselves and resurfacing with new names and new members. 

In fact, not too long after the Dallas attack, Royal re-emerged as BlackSuit — the gang that’s now being blamed for the devastating cyberattacks against software provider CDK Global earlier this month that have paralyzed computer systems at thousands of car dealerships across North America.

Since it was first discovered in May 2023, BlackSuit has named 96 victims on the dark web page it uses to expose extortion victims, according to Allan Liska, a threat analyst at the security firm Recorded Future Inc. The group has likely attacked dozens more victims who weren’t named on the site because they paid an extortion fee, he said.

The emergence of BlackSuit illustrates a frustrating reality in cybercrime: even if one hacking group goes away, as a result of internal strife or law enforcement action, its members often form new criminal groups that continue to extort victims of cyberattacks. Law enforcement in the US, the UK and elsewhere have gotten more aggressive in recent years, sanctioning some of the hacking gang members and disabling their computer infrastructure.

But arresting them and stopping their activity is difficult because many live in countries such as Russia that provide safe haven.

“There’s this whole ecosystem that’s built up around ransomware now,” Liska said. “They don’t fear retribution.” 

Many details about BlackSuit and its members aren’t known. But Liska and others described the group as low-key and businesslike.

Where other hackers have sought to cultivate public personas or attract attention for their extortion efforts, BlackSuit has maintained a lower profile. “They’re not flashy,” Liska said. “They’re circumspect. They’re trying to operate a business.”

The group has typically made ransom demands from $300,000 to $5 million, while remaining open to negotiation with its victims, said Shane Sims, chief executive officer of the cybersecurity firm Kivu Consulting, which has investigated several breaches by BlackSuit this year.

The hackers behind BlackSuit specialize in “double extortion,” a ransom technique that involves locking companies’ systems with ransomware and stealing data, which they threaten to sell or leak. They have broken into targets using phishing attacks and valid login credentials, which are often stolen and sold on the dark web, Sims said. 

The group also engages in “social engineering” — the art of tricking someone into providing information that can be used for illicit means, like breaking into a computer network. CDK, for instance, said the hackers were posing as employees to trick customers into helping them access the company’s systems.

“They have tools they know how to use, and they use them quickly,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, a program that pays security researchers for privately disclosing vulnerabilities to the affected vendors. As an example, Childs said BlackSuit has stolen between 100 gigabytes and 200 gigabytes — which he likened to the download size of 40 DVDs — in under two hours. 

Roughly 70% of the group’s victims are based in the US, while most others are from the UK and Canada, said Sergey Shykevich, threat intelligence group manager at cybersecurity provider Check Point Software Technologies Ltd.

In one recent attack, BlackSuit managed to steal data and block access to every file on a company’s devices, one executive at the company said, asking not to be named given the sensitivity of the matter. The hackers, one of whom communicated in fluent American English, left a file with instructions for how the victim could negotiate a ransom payment with them on the dark web, the executive said.

BlackSuit attempted to intimidate the executive and others at the company with calls and texts when they appeared to walk away from negotiations, the executive said, adding the company ultimately paid the group less than $1 million to recover its data.

Researchers have traced BlackSuit’s roots to the gang Royal, which in turn has roots in Conti, a Russian-based criminal group that was accused of hacking Ireland’s Health Service and the government of Costa Rica, among others. The FBI estimated that as of January 2022 Conti’s malicious code was used in attacks on more than 1,000 victims, and the research firm Chainalysis reported that the group extorted $180 million in ransoms in 2021 alone.

Royal demanded more than $275 million in ransom fees from at least 350 victims in 2022 and 2022, according to the FBI and CISA, a unit of the Department of Homeland Security. 

Dallas was one of the last — if not the last — target of Royal before it re-emerged as BlackSuit. In the aftermath of that hack, Dallas’s technology team was forced to work round-the-clock for six weeks to recover.

“It’s not a group of kids in a basement,” said Brian Gardner, chief information officer of the City of Dallas, in an interview. “This is real.”

--With assistance from Jake Bleiberg.

©2024 Bloomberg L.P.