Royal Ransomware has a new name after demanding $275M from 350 victims


Royal Ransomware, which emerged in early 2022, has claimed at least 350 known victims since September 2022. Its ransom demands have exceeded $275 million, an updated CISA and FBI advisory reveals. And now, the gang is operating under a new name: Blacksuit.

Royal is notorious for exfiltrating data and extorting victims before encrypting anything. The gang publishes victim data to a leak site if a ransom is not paid. Royal's most successful vector for gaining a foothold is phishing emails.

The Royal gang ranked among the most active cybercriminal syndicates in the first half of 2023, demanding ransoms in the six-digit territory per victim. They were behind the Silverstone Circuit attack, for example. However, the ransomware group’s activity has decreased significantly in recent months, and their victim page on the dark web has been down since October.


Also, it seems these criminals like classy aliases. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) believe Royal may now be operating under a different name.

“There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal,” the updated advisory reads.

According to Ransomlooker by Cybernews, the last activity of Royal was observed in July 2023, when the criminal syndicate added its last victim. In comparison, Royal added 38 victims in March. Meanwhile, the Blacksuit gang now adds 1-2 victims each month.

Royal ransomware on Ransomlooker

Both Royal and Blacksuit threat actors have been observed using legitimate software and open-source tools during ransomware operations. To establish SSH connections, they use open-source network tunneling tools such as Chisel and Cloudflared, as well as Secure Shell (SSH) Client, OpenSSH, and MobaXterm.

Victims have also found the publicly available credential-stealing tool Mimikatz, a password-harvesting tool from Nirsoft, and other legitimate tools, such as AnyDesk, LogMeIn, or Atera Agent, used for remote access.
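For defenders, the tool list above translates into a hunt over endpoint telemetry. The following Python code is an added example, not taken from the CISA advisory or from Cybernews: it scans process-creation events for the named tools and rates each host by which tool categories show up together. The file-name prefixes, the 24-hour window, and the sample log are assumptions constructed for illustration.

```python
import csv, io, ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the article's tool list. The file-name prefixes are
# assumptions (default binary names); a renamed binary will not match.
TOOLS = {
    "chisel": "tunnel", "cloudflared": "tunnel",
    "ssh.exe": "ssh", "mobaxterm": "ssh", "mimikatz": "credential",
    "anydesk": "remote_access", "logmein": "remote_access",
    "ateraagent": "remote_access",
}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed process-creation events: timestamp, host, image path.
SAMPLE = r"""
2023-11-14T09:02:11,WS-014,C:\Program Files (x86)\AnyDesk\AnyDesk.exe
2023-11-14T22:40:03,SRV-DB2,C:\Users\Public\cloudflared.exe
2023-11-14T22:47:50,SRV-DB2,C:\Windows\System32\OpenSSH\ssh.exe
2023-11-14T23:05:19,SRV-DB2,C:\ProgramData\mimikatz.exe
2023-11-15T08:15:00,WS-020,C:\Windows\System32\OpenSSH\sshd.exe
"""

def classify(image_path):
    """Return the tool category for a Windows image path, or None."""
    name = ntpath.basename(image_path).lower()
    for prefix, category in TOOLS.items():
        if name.startswith(prefix):
            return category
    return None

def hunt(log_text):
    """Map host -> (severity, categories seen together within WINDOW)."""
    hits = defaultdict(list)
    for ts, host, image in csv.reader(io.StringIO(log_text.strip())):
        category = classify(image)
        if category:
            hits[host].append((datetime.fromisoformat(ts), category))
    findings = {}
    for host, events in hits.items():
        # Largest set of distinct categories starting at any single event.
        best = max(({c for t, c in events if s <= t <= s + WINDOW}
                    for s, _ in events), key=len)
        # A credential tool alone, or two categories together, rates "high".
        high = any(c == "credential" for _, c in events) or len(best) >= 2
        findings[host] = ("high" if high else "review", sorted(best))
    return findings

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

A host running a single remote-access or SSH tool is rated "review" rather than "high", since these are legitimate programs that many environments deploy on purpose.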

Cybersecurity firm Arete believes Royal ransomware loosely operates as a closed group rather than as a ransomware-as-a-service (RaaS) provider. The group does not disproportionately target any single sector or organizational size and does not hesitate to encrypt the data of larger organizations. It exfiltrates credentials, spreads laterally across the system's domain, and encrypts devices.


Last year, cybersecurity company Cybereason found resemblances between the Royal Ransomware group and Conti, including similarities between the ransom notes each group uses (particularly in Royal's early stages) and the use of callback phishing attacks.

“In our research, we have identified additional similarities, such as resemblances in the encryption process decision factors. However, these similarities are not yet clear enough to confirm a direct connection between the two groups,” Cybereason said last year.

CISA shares indicators of compromise and other helpful information for cyber defenders to detect and mitigate possible attacks.