The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.
In an update to the original advisory published in March with additional information discovered during FBI investigations, the two agencies also noted that the ransomware operation is linked to more than $275 million in ransom demands.
“Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD,” the advisory reads.
“Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors.”
In March, the FBI and CISA first shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders detect and block attempts to deploy Royal ransomware payloads on their networks.
The joint advisory was issued after the Department of Health and Human Services (HHS) security team revealed in December 2022 that the ransomware operation was behind multiple attacks against U.S. healthcare organizations.
Royal to BlackSuit?
The advisory update also notes that Royal could plan a rebranding initiative and/or a spinoff variant, with BlackSuit ransomware exhibiting several coding characteristics shared with Royal.
BleepingComputer reported in June that the Royal ransomware gang has been testing a new BlackSuit encryptor, which shares many similarities with the operation’s usual encryptor.
While it was believed that the Royal ransomware operation would rebrand since May when the BlackSuit ransomware operation surfaced, this never happened. Royal is still actively targeting enterprise organizations using BlackSuit in limited attacks.
Since BlackSuit is a self-contained operation, Royal may be planning to launch a subgroup focused on certain types of victims since a rebrand no longer makes sense once similarities have been discovered between the two encryptors.
“I believe we may see more things like blacksuit soon. But so far, it seems that both the new loader and the new Blacksuit locker were a failed experiment,” Yelisey Bohuslavskiy, Partner and Head of R&D at RedSense, told BleepingComputer.
Conti cybercrime gang links
Royal Ransomware is a private operation of highly skilled threat actors known for previously working with the infamous Conti cybercrime gang.
Despite being first spotted in January 2022, their malicious activities have only increased in intensity since September of the same year.
While they initially used ransomware encryptors from other operations like ALPHV/BlackCat, likely to avoid drawing attention, the gang has since shifted to deploying their own tools.
While their first encryptor, Zeon, dropped ransom notes reminiscent of those generated by Conti, they switched to the Royal encryptor after undergoing a rebranding in mid-September 2022. More recently, the malware has been upgraded to encrypt Linux devices in attacks targeting VMware ESXi virtual machines.
Even though they typically infiltrate targets’ networks by exploiting security vulnerabilities in publicly accessible devices, Royal operators are also known for callback phishing attacks.
During these attacks, when targets dial the phone numbers embedded in emails cleverly disguised as subscription renewals, the attackers leverage social engineering tactics to trick the victims into installing remote access software, granting them access to the targeted network.
The modus operandi of Royal operators involves encrypting their targets’ enterprise systems and demanding substantial ransoms ranging from $250,000 to tens of millions per attack.