Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of the victim's annual revenue. The group uses various initial access methods, including phishing, SEO poisoning, and supply chain attacks. They employ tools like Mimikatz, Cobalt Strike, and Rclone for credential theft, lateral movement, and data exfiltration. The ransomware has both Windows and Linux variants, with specific functionality to target VMware ESXi servers in some Linux versions. The group's sophisticated tactics and potential ties to former Conti and Royal ransomware members make them a significant threat.