Recent intelligence from US federal authorities has highlighted the intensifying threat posed by the Royal ransomware group, whose demands have surpassed $275 million since its emergence in September 2022. The FBI and CISA issued a joint advisory shedding light on the group’s rapid evolution and its latest operations.
Operating independently without affiliates, Royal has displayed a swift evolution, targeting over 350 victims globally within a year, demanding ransoms ranging from $1 million to $12 million. Its indiscriminate approach to victim selection spans critical infrastructure sectors like manufacturing, communications, education, and healthcare. Of particular concern to US authorities were attacks on healthcare organizations, drawing attention from the Department of Health and Human Services.
Experts speculate that Royal, possibly stemming from the defunct Conti Group, might rebrand itself as Blacksuit due to increased federal scrutiny. The potential shift comes amid investigations, notably after the City of Dallas’ high-profile attack in May.
The advisory indicates Royal’s potential rebranding or spinoff to Blacksuit, citing similarities in coding characteristics between the two ransomware variants.
The advisory underscores Royal’s operational strategies and potential future actions. Since its emergence, Royal has exhibited sophisticated tactics, likely inherited from its Conti lineage. The group’s modus operandi includes partial encryption and double-extortion tactics, predominantly infiltrating networks via phishing emails (66.7% of cases) or exploiting Remote Desktop Protocol (RDP).
Post infiltration, Royal deploys multiple tools, including legitimate Windows software and specialized utilities like Chisel, for network control. RDP serves as a lateral movement tool, while remote monitoring software aids persistence.
Royal’s distinctive partial encryption approach allows selective encryption within files, aiding evasion of detection. Additionally, the group practices double extortion by exfiltrating data pre-encryption, leveraging tools like Cobalt Strike and Ursnif/Gozi for data gathering and transmission.
The advisory furnishes a list of associated files, programs, and IP addresses linked to Royal’s attacks. Federal agencies advocate prioritizing patching known vulnerabilities and enhancing employee training to detect and report phishing attempts, the primary mode of Royal’s entry. They stress im
