Royal ransomware demands up to $11 million from victims – CISA


Royal ransomware has gained momentum since it began operations last year, extorting over a hundred organizations with ransom demands in the six-digit territory per victim.

The US Cybersecurity and Infrastructure Security Agency (CISA) said that cyber crooks had used a variant of Royal ransomware to attack American and international organizations.

Once inside the target’s system, cybercriminals disable antivirus software and take large amounts of data before deploying the encryption malware. The Central Intelligence Agency (CIA) believes Royal’s malware is derived from malicious software called Zeon.

“Royal actors have made ransom demands ranging from approximately $1 million to $11 million in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note,” CISA said in an advisory.

Royal ransomware stands out from the crowd somewhat with its infection techniques. For example, threat actors do not include ransom amounts or payment instructions in the initial ransom note. Instead, cybercriminals demand that victims interact with them directly.

According to deep-web watchdog Darkfeed, over its lifetime Royal ransomware has listed 112 victims on its leak site. However, ransomware gangs don’t name all their victims, meaning the real number of victims may be significantly larger.

Researchers at cybersecurity firm Malwarebytes claim that Royal boasted 19 victims in February alone, ranking the group among the most prolific in the ransomware game. Only LockBit, BlackCat, and Vice Society have victimized more organizations.

First discovered in 2022, Royal utilized third-party ransomware, namely BlackCat and Zeon. However, the gang has been deploying its own ransomware since September last year. The Royal gang made headlines after it added the UK’s Silverstone Formula One motor racing circuit to its list of victims.